
Almost 3 years ago, the General Data Protection Regulation (GDPR) came into effect. Encripto has prepared an article where we revisit what the GDPR is, how it relates to security testing, and what can happen if you do not comply with the law.

What is the GDPR?

The GDPR is Europe’s data privacy and security law, in force since May 25, 2018. It is a strict law that imposes obligations on any organization that collects or processes personal data of people in the European Union (EU) and the European Economic Area (EEA), regardless of where the organization itself is located.

Stronger rules on data protection mean:

  1. People have more control over their personal data.
  2. Businesses benefit from a level playing field.

In June 2020, the European Commission published an evaluation report on the GDPR.

Security Testing and GDPR

Article 32(1)(d) of the GDPR requires organisations to have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that secure their processing of personal data. In practice, this means organizations should regularly assess applications and critical infrastructure for security vulnerabilities. A security test, such as a vulnerability assessment, a penetration test or a red team engagement, is a crucial part of this process and helps demonstrate compliance with the GDPR.

A vulnerability assessment focuses on breadth over depth, and is well suited for regular security maintenance. It is also useful as a first step towards increased security in an organization. A vulnerability assessment relies mainly on automated tools, and no vulnerabilities are exploited. The objective is to efficiently locate known vulnerabilities and misconfigurations across the systems in scope.

If you want to simulate a cyber attack and understand the consequences of vulnerabilities being exploited, you should perform a penetration test or a red team engagement. Such tests will tell you whether it is possible to break into the company’s network and achieve specific goals, such as gaining unauthorized access to personal data.

Encripto believes that security testing should be done with extensive use of creativity and manual techniques. The goal is to simulate relevant attack scenarios, perpetrated by a professional, motivated and highly skilled attacker.

Security testing can be done from different perspectives. In many cases, a combination of perspectives provides the best results.

  1. External Security Test: Simulates an attack originated from the Internet.
  2. Internal Security Test: Simulates an attack from the internal network.
  3. Wireless Security Test: Simulates an attack from the corporate Wi-Fi, including Bluetooth.
  4. Social Engineering: Manipulates employees in order to gain access to the corporate network.

We recommend that you read our guide for network security testing, where you can find tips related to recommended testing frequency, scope and methodology.

What happens if you do not comply with the law?

Failure to comply with the GDPR can ultimately lead to administrative fines of up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The fines are regulated in Article 83 GDPR – General conditions for imposing administrative fines.

The five biggest GDPR fines at the time of writing:

  1. Google Inc. – France – 50,000,000 EUR – Insufficient legal basis for data processing.
  2. H&M Hennes & Mauritz – Germany – 35,300,000 EUR – Insufficient legal basis for data processing.
  3. TIM (telecommunications operator) – Italy – 27,800,000 EUR – Insufficient legal basis for data processing.
  4. British Airways – United Kingdom – 22,046,000 EUR (issued by the ICO as 20,000,000 GBP) – Insufficient technical and organisational measures to ensure information security.
  5. Marriott International Inc. – United Kingdom – 20,450,000 EUR (issued by the ICO as 18,400,000 GBP) – Insufficient technical and organisational measures to ensure information security.

You can check this database with the fines that have been imposed in different countries for not complying with the GDPR.

In Norway, the Norwegian Data Protection Authority (Datatilsynet) is an independent body set up in 1980 to protect the individual’s right to privacy. It supervises that public authorities, companies, organisations and individuals follow data protection legislation.

Here you can check the fines that have been imposed on entities / companies in Norway.