UK GDPR Security Testing Requirements

It is now a legal requirement under UK law for all organisations that process personal data (data related to living individuals) to regularly test the security of their IT infrastructure and applications.

The official guidance from the Information Commissioner's Office (ICO) states:

Are we required to ensure our security measures are effective?

Yes, the UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the UK GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing. Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing.

While the law requires you to conduct regular testing it does not prescribe exactly how often and what kind of testing you must perform - it is up to your organisation and your specific circumstances to ensure that both the regularity as well as type of testing performed is appropriate under the requirements of UK GDPR.

First of all, you need to have a documented risk assessment to demonstrate that you have considered what is appropriate given your business circumstances. Organisations need to demonstrate that a risk assessment has been conducted that took into account all relevant risks and led to implementation of appropriate technical and organisational measures, including particularly risks specified in Article 32:

  • Accidental or unlawful destruction,

  • loss,

  • alteration,

  • unauthorised disclosure of,

  • or access to personal data

  • transmitted, stored or otherwise processed.

Based on your risk assessment you need to implement appropriate technical and organisational measures to address them. The key here is to focus on what is appropriate; note that measures can be technical and/or organisational. Examples of such measures may include:

  • Data security obligations in contracts and service agreements

  • Data security obligations in contracts of employment

  • Strong (two-factor) authentication

  • Security event logging, correlation and monitoring

  • Network, host and Web application firewalls

  • System and data access control, monitoring and reporting

  • Regular or automated deployment of security updates

  • Adoption of secure software development practices such as BSIMM

In any case measures implemented must be appropriate, adequate and effective - and they must be regularly tested. Examples of testing may include:

  • Vulnerability Scanning & Assessment

  • Penetration Testing

  • Independent certification schemes such as ISO 27001 and Cyber Essentials

  • Internal audit

  • In future: GDPR certification schemes

How do you evidence compliance with Article 32? Generally speaking you would need:

  1. Documentation demonstrating an adequate risk assessment not older than 12 months that identifies processes / infrastructure / applications that process personal data,

  2. and documents what technical / organisational measures are/are to be implemented to address relevant risks, including at least the risks specified in Article 32,

  3. Evidence that measures documented as implemented are actually implemented,

  4. Security testing / assessment / evaluation report(s) not older than 12 months with a scope of testing that includes at least the measures documented in the most recent risk assessment, and confirms that the measures are effective or documents action plan to address any measures that were found to be inadequate or ineffective.