The General Data Protection Regulation (GDPR) is a law implemented across all countries in the European Union (EU). It governs the collection, storage and processing of personal data and protects all European citizens from having their personal data misused or insecurely held.
GDPR defines the following principles for the collection, storage and use of personal data:
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
(d) accurate and, where necessary, kept up to date
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
(Information Commissioner’s Office 2018)
GDPR applies to the ‘controllers’ and ‘processors’ of the data:
- The controller is defined as the organisation which holds the data and controls how, where and when personal data is processed; they have the main legal obligation
- The processor is the organisation which acts on the controller’s behalf and performs operations on the data; they have the legal obligation for the security of data
Of course, in some cases, the controller and the processor could be the same organisation.
It should be noted that GDPR does not only apply to organisations operating within the EU. In fact, it also applies to any organisation outside the EU that offers goods or services to individuals within the EU, and which may collect and process personal information of EU citizens.
For example, if a company in Asia is selling goods to a country in Europe and is collecting the customer’s name, contact details and address in order to deliver the goods, it will automatically have legal obligations to comply with GDPR.
GDPR applies only to personal data; it is not concerned with any corporate or other business data.
There are two categories of personal data defined by the regulation:
- Personal data – a wide-ranging definition but basically anything that can be used to identify a person
- Special category data – sensitive personal data (such as genetic or biometric data); there are even more restrictions on the collection and use of sensitive data
The regulation not only places strict requirements on the personal data use but also allows significant penalties if the regulation is breached: up to €20 million or 4% of annual global turnover – whichever is higher.
GDPR and the ethical hacker
GDPR has a number of implications on what we do in penetration tests.
Principle (b) specifies that personal data can only be used for the purposes it was collected for. This means that we cannot use the personal data of customers for the penetration test because it is unlikely that the individuals were told that it could be used for security testing.
The same restrictions apply for the employees’ personal data unless the company has an explicit section in their security policy which specifies otherwise. If personal data is used during the penetration test, we have to keep a record of what, when and how it is used.
Principle (f) is of relevance to us when we have extracted personal data as part of the penetration test. The ethical hacker has a legal obligation to ensure the security of the data. A requirement of this principle should be included in the pentesting scope (more on this later).
GDPR and incident responders
Organisations have to report certain types of personal data breach within 72 hours of discovering them: a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
They also have to report to the relevant supervisory authority if the breach can result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
The organisation also has to inform the individuals affected if a breach can result in a high risk to their rights and freedoms. This is relevant to ethical hacking in two ways:
- The ethical hacker might sometimes be involved in investigating cyber security breaches
- If things go wrong during a penetration test and some personal information is leaked, we need to make sure that we comply with GDPR and report it
As GDPR affects any company or organisation holding or processing the personal data of EU citizens, it’s worth familiarising yourself with the regulations in more detail.
Look at the article on GDPR by either following the link under ‘Further reading’ or downloading the PDF at the bottom of the page. Try to assess whether an organisation you are familiar with is complying with the principles of GDPR.
You don’t need to read everything, just get to know the key components of GDPR and identify at least one way in which the organisation is or isn’t compliant. If they aren’t, what do they need to do in order to achieve compliance?
Share your findings in the section below.
As a guide, you might like to spend around 30 minutes doing this task.
Information Commissioner’s Office (2018) Guide to the General Data Protection Regulation (GDPR) [online] available from https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation [25 March 2019]
Guide to the General Data Protection Regulation (Gov.UK) – contains public sector information licensed under the Open Government Licence v3.0
© Coventry University. CC BY-NC 4.0