This is not legal advice. It is an explanation of what Article 32 of the GDPR says in plain language, how regulators have interpreted "appropriate technical measures," and what a penetration test provides as documentation. If you need legal advice on GDPR compliance, consult a data protection lawyer.

What Article 32 says

Article 32 of the GDPR requires organisations that process personal data to implement "appropriate technical and organisational measures" to ensure security appropriate to the risk. It lists specific measures including pseudonymisation, encryption, and the "ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems."

It also specifically mentions "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." That last clause is the one a security assessment speaks to: it is the part of Article 32 that a pentest report can serve as evidence for.

What "appropriate" means in practice

The GDPR does not specify exactly what technical measures an organisation must implement. "Appropriate" is contextual — it depends on the nature of the data processed, the risks involved, and the state of the art. This gives organisations some flexibility, but it also means you need to be able to demonstrate that you have assessed the risk and made deliberate decisions about how to address it.

The Bundesdatenschutzbehörde and other European supervisory authorities have generally interpreted this as requiring organisations to have documented evidence of their risk assessments and the technical controls they have implemented. A pentest report provides documentation that a specific type of risk — exploitable technical vulnerabilities — has been assessed at a point in time.

Where pentests fit and where they do not

A penetration test is evidence that you tested the security of specific systems at a specific point in time. It is not ongoing compliance. GDPR requires regular review; one pentest conducted in 2022 is not sufficient evidence that your systems remain secure in 2026.

What a pentest report does provide: documentation that an independent third party assessed specific systems, found specific vulnerabilities, and provided specific remediation guidance. If a data breach subsequently occurs in an area that was tested and the findings were remediated, that documentation is evidence of good-faith compliance effort. If findings were not remediated, the same report becomes a record that known vulnerabilities were left unaddressed.

The practical implication is that testing and remediation need to be linked. A pentest report that sits in a drawer without resulting in any fixes does not help a compliance case; it may actively hurt one if discovered post-incident.

Frequency of testing

How often to test is a question without a universal answer. The relevant factors are: how frequently systems change (new code, new integrations, configuration changes), what category of data is processed, and what the supervisory authority in your jurisdiction has indicated it considers appropriate. German organisations subject to BSI frameworks may have additional expectations beyond the GDPR baseline.

For organisations processing standard business personal data with systems that change regularly, annual testing of high-risk applications is a reasonable starting point. For organisations processing sensitive categories of data, more frequent testing is defensible and often prudent. This is worth discussing with your data protection officer, not just your security team.