iVolution Security Technologies

Penetration Testing and the EU Directive on Data Protection (Directive 1995/46/EC)

The European Commission’s Directive on Data Protection provides protection of the fundamental rights of European Union citizens to privacy with respect to the processing of personal data.

The primary focus is on the acceptable use and protection of personal data. The Directive requires that personal data be collected, stored, modified or distributed only with a citizen’s consent and with full disclosure as to the use of the data. The Directive prohibits the transfer of personal data and information from European organizations to non-European Union nations. It also encompasses the transfer of data and information to organizations that do not adequately protect the safety and privacy of personal data. The Directive essentially requires the transferee business’s country of location to have adequate levels of privacy protection in place as a prerequisite to data transfer.

The United States has developed a Safe Harbor framework for US organizations that are required to comply with this Directive.

Anyone processing personal data must comply with the eight enforceable principles of good practice. The Directive states that data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the data subject's rights
  • Secure
  • Not transferred to countries without adequate protection

The sections that pertain to penetration testing reside in Directive 95/46/EC Section VII, Confidentiality and Security of Processing, in particular Sections 17.1.1 and 17.1.2.

Article 17: Security of processing

  • Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

    Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

  • The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Penetration testing as it relates to the Directive:

  • Assess applications and control systems for vulnerabilities that could result in disclosure of sensitive or private information
  • Verify that links to privacy policies exist at appropriate places in applications
  • Provide security assessment reports categorized by European Commission’s Directive on Data Protection sections providing details on risk and vulnerabilities

Penetration testing can provide the framework to help you protect your organization and its assets from unauthorized access, alteration and disclosure. Testing can ensure the integrity of controls allowing you to efficiently evaluate technical measures and vulnerabilities that put your controls at risk.

Non-compliance can result in civil penalties with each day of non-compliance constituting a separate violation.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group