everyone: older news
GDPR Outlaws Penetration Testing
by Brent Kirkpatrick
(Date Published: 11/1/2018.)
GDPR has specified that E.U. citizens must opt-in to specific uses of their data. This means that if your network contains data belonging to E.U. citizens, each person would have to opt-in to each penetration test.
For those of you who employ penetration testing, you may be trying to find ways to continue while respecting GDPR. Please recall that penetration testing has the goal of obtaining administrative access to systems by means of hacking. In some cases penetration testers even demonstrate that they can exfiltrate data (i.e. by copying data that they were not given permission to access). Both the access to and the exfiltration of data belonging to E.U. citizens is forbidden, even in the context of penetration testing.
The data minimization ideas built into GDPR require that access to personal data is limited to people that need to process the data. Since penetration testers are not necessary for data processing, and presumably the owners of the data were not told about the penetration testing, there is no opportunity for the consent required under GDPR.
Please avoid penetration testing on systems that store data belonging to E.U. citizens.
Please contact us at Intrepid Net Computing if you need solutions to cyberattacks that do not involve penetration testing.
Trojan Hunter (TM). Digital forensics for Trojans at an accessible, fixed price. For any operating system.