To avoid the cost of non-compliance with GDPR, companies have invested heavily in security program development, but what does that mean for pen testers? During this talk, I'll give an overview of GDPR security requirements and outline 2017's most expensive security enforcement actions. From there, I'll give examples of how pen testers can leverage GDPR to highlight areas of risk to non-technical business units and relate the GDPR Guidelines on Personal data breach notification to specific purple team activities. Expect tips for the red team, blue team, and legal team.