Framework B.10 · GDPR

GDPR Article 32 - testing of effectiveness for personal data.

The General Data Protection Regulation (GDPR) requires controllers and processors to ensure the security of personal data through appropriate technical and organisational measures - and to test the effectiveness of those measures. CyberFortify's web application and API penetration testing services produce the explicit testing-of-effectiveness evidence Article 32(1)(d) requires.

Regulator: EU + UK ICO + national DPAs Article: 32(1)(d) Penalties: Up to 4% of global turnover
Art.32
Security of processing
1(d)
Test effectiveness
72hr
Breach notification
4%
Max penalty
GDPR articles: Art. 5 Principles · Art. 24 Controller responsibility · Art. 25 Privacy by design · Art. 28 Processor obligations · Art. 32 Security of processing · Art. 33 Breach notification · Art. 35 DPIA GDPR articles: Art. 5 Principles · Art. 24 Controller responsibility · Art. 25 Privacy by design · Art. 28 Processor obligations · Art. 32 Security of processing · Art. 33 Breach notification · Art. 35 DPIA
// Executive summary

GDPR Article 32(1)(d) is unique among major data-protection laws in explicitly requiring "a process for regularly testing, assessing and evaluating the effectiveness" of security measures. Penetration testing is the most defensible form of that effectiveness testing.

// 01 What GDPR Article 32 actually requires

// Article 32(1)(d)Testing of effectiveness

"...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." Quoted directly from Article 32(1)(d) of Regulation (EU) 2016/679.

This is the regulation's explicit requirement that security measures be tested, not merely implemented. Penetration testing is the most defensible form of effectiveness testing for the technical measures.

GDPR is not a security standard in the way ISO 27001 or SOC 2 are - it is a regulation focused on personal data lawfulness, lifecycle and rights. But Article 32 brings security squarely into the regulatory frame, with effectiveness testing called out explicitly. Together with the 72-hour breach notification window under Article 33 and DPIA obligations under Article 35, Article 32 makes ongoing security testing a regulatory expectation rather than a nice-to-have.

// 02 Article 32 required measures

32(1)(a)

Pseudonymisation & encryption

Encryption at rest and in transit, pseudonymisation where appropriate. Pen testing validates effectiveness of cryptographic controls in production.

32(1)(b)

Confidentiality, integrity, availability, resilience

The CIA-R triad of processing systems and services. Pen testing produces objective evidence on confidentiality and integrity controls.

32(1)(c)

Restoration after incident

Backup, restore, business continuity capability. Tested through tabletop exercises and disaster-recovery drills.

32(1)(d)Pen-test relevant

Testing of effectiveness

"A process for regularly testing, assessing and evaluating effectiveness." Pen testing is the headline form of compliance.

// 03 How CyberFortify pen testing satisfies GDPR

01

Scoping for personal-data processing

Pre-engagement identifies the personal-data flows in scope - the systems where Article 32 applies most directly.

Data mapping
02

Test of preventive controls

Authentication, authorisation, transport encryption, at-rest encryption - the 32(1)(a) and 32(1)(b) measures.

CIA validation
03

Effectiveness reporting

Findings reported with explicit Article 32 cross-references. Effectiveness gaps documented as the regulation requires.

Article 32 cross-ref
04

Free remediation retest

Closing the loop on identified gaps - the demonstrable response Article 32 expects.

Continuous improvement

// 04 Why Article 32 changed the game

Most data-protection regimes describe what good security looks like. GDPR is one of the few that requires you to test whether yours actually works. Penetration testing is how you produce defensible evidence of that testing.

CyberFortify GDPR practice

Penalties under GDPR can reach 4% of global annual turnover or €20 million, whichever is greater. Regulators considering enforcement action look at the documentation trail: was effectiveness testing conducted, were findings remediated, was the evidence retained? A current CyberFortify pen testing report is the strongest defensible artefact in that record.

// 05 Frequently asked questions

Does GDPR require pen testing by name?

Not by name. Article 32(1)(d) requires "regularly testing, assessing and evaluating effectiveness." Penetration testing is the form of effectiveness testing that European Data Protection Board guidance and major DPAs treat as best practice.

How often should I pen test for GDPR?

"Regularly" is not numerically defined. Most CyberFortify customers operating under GDPR test annually for general processing and more frequently for high-risk processing under Article 35 (DPIA-relevant systems).

Does Brexit change anything for UK organisations?

Yes and no. The UK GDPR is functionally equivalent to EU GDPR, with separate UK ICO regulator and the Data Protection Act 2018. CyberFortify reports satisfy both UK GDPR Article 32(1)(d) and EU GDPR Article 32(1)(d).

Ready for a GDPR Article 32-aligned pen test?

Schedule a 30-minute scoping call. CyberFortify will scope personal-data flows, recommend the right offensive testing service and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →