GDPR and Penetration Testing: What the Regulation Actually Requires, for Spanish-speaking companies

GDPR does not explicitly mandate penetration testing, but Articles 32 and 35 strongly imply it. What you need to know, with guidance for the Spanish market.

GDPR does not explicitly require penetration testing, but Article 32(1)(d) obliges controllers and processors to maintain 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.' Supervisory authorities generally read this as requiring periodic, documented security testing, penetration testing included. Article 35 reinforces the point: a Data Protection Impact Assessment for high-risk processing must describe the measures that address the identified risks (Article 35(7)(d)), and the effectiveness of those measures can only be shown by testing them. Article 83(2) lists the technical and organisational measures an organisation has implemented among the factors for setting fines, so an organisation that suffers a breach and cannot evidence regular security testing should expect closer regulatory scrutiny and a higher potential penalty.