GDPR, Security and PenTesting

While GDPR is not the most exciting topic when one is about to launch a system, it remains an important one.

Major breaches are regularly in the press; undoubtedly most breaches are small and only concern those involved. PenTesting is the process of exposing a website to the types of attack strategies that are in regular use. It provides a risk profile for the site and a starting point for discussion.

Being GDPR aware, and understanding enough about PenTesting to engage constructively with IT Security specialists, changes one's outlook. Worthwhile questions include asking oneself whether the products being built or in use meet the rudimentary basics or not. Next, asking what exposure the system has: suppose the site was hacked, what data could that breach compromise? Have any data retention policies been defined?

Finally, but by no means least, the biggest security breach by far, and one which will probably never be equalled, showing that the CIA routinely accessed many IT systems across the world, was undertaken by a CIA employee using his normal everyday access rights. Data security includes the prevention of inappropriate internal access to data as well as external access.