The modern penetration testing market has its roots in the so-called ethical hacking industry that emerged in the late 1990s. Today, countless vendors of all sizes compete in a rapidly growing global market, yet many organizations still perceive penetration testing merely as an optional best practice or as a tedious annual exercise imposed by internal security policy. Others care mainly about receiving a "clean" penetration testing executive summary to share with customers, partners or investors. Meanwhile, mandatory penetration testing has become an inherent part of the growing body of personal data protection laws, privacy and cybersecurity regulations, some of which we briefly review in this article.
Today, the European GDPR is undoubtedly the North Star for privacy legislators around the globe. One can easily find reflections of GDPR's privacy foundations in the Singaporean PDPA, updated and enhanced in February 2021, in the recently enacted Brazilian LGPD, and in the South African POPIA, which comes into effect on July 1. These modern privacy laws come from three different continents, but all of them closely resemble GDPR: they provide individuals with enforceable privacy rights and, among other things, impose robust data protection duties on the covered entities that process personal information. Data security is an inseparable part of privacy and one of the key concerns of individuals who entrust their personal data to third parties.