I was listening to Jenny Radcliffe interviewing Sarah Clarke on The Human Factor podcast the other day. (If you haven’t tuned in to this podcast, you are definitely missing out on a magnificently entertaining and educational experience!)
Sarah made an accurate observation about what would happen after the May 25th deadline for GDPR compliance. She said that she was concerned that many folks would lapse into a bit of complacency after the deadline passed. That is not a direct quotation, but the sentiment is the same. The GDPR contains strategic goals, not just tactical approaches to the future.
I have already witnessed how some folks who are on the front lines of infosec are not only ill-advised about the regulation but also not as well-versed in it as they should be. This is dangerous considering that we are to be part of the process that is supposed to support this far-reaching regulation.
I was on a recent phone call with a pentest vendor who was telling me that the GDPR “absolutely requires” penetration tests on all networks. A quick search of the GDPR for the word “pen” turns up some very useful information, such as the words indePENdent, dePENding, and PENalty but, alas, nothing about a penetration test.
In the vendor’s defense, Article 32 in Section 2 states, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including . . . a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
One could loosely interpret that to indicate penetration testing, but it could also be interpreted more strongly as speaking to an audit mindset.
I wondered what could be causing this problem, and as (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Bob Covello. Read the original post at: https://www.tripwire.com/state-of-security/featured/gdpr-deadline-passed-now-what/