General Data Protection Regulation (GDPR)
In May 2018, the General Data Protection Regulation (GDPR) came into force across Europe. European organisations, and companies processing data from European sources, have to comply with this regulation. This creates a unique opportunity to introduce security and privacy by design as a default capability of products and services in the 21st century. Adopting this approach gives businesses better compliance control, shifts accountability, and prepares the industry for future requirements.
The GDPR and ePrivacy Directive focus on protecting personal data and giving control back to the rightful owner of the data. A security evaluation done by a professional, independent third party, like Brightsight, is not only important, but recommended by the legislation (Article 42). Being able to demonstrate state-of-the-art security through an evaluation by a certified laboratory is an effective approach to risk management and provides evidence that can be used as a mitigating factor in case of a data breach. Under GDPR, manufacturers and service providers should ensure that the most secure, proven and well-understood settings are in place, protecting data at rest or in transit.
The body of technical standards relevant to data protection certifications is rapidly evolving. Various standardisation bodies have included or expanded the development of relevant standards in their work plans, triggered to a large extent by the introduction of the GDPR and growing public awareness of data protection and cyber security. Certification keeps the core requirements of the GDPR verified and also helps you adapt to other standards.
The GDPR aims to protect people's personal data by requiring companies to take technical and organisational measures to protect such data, taking into account the risk involved. On the technical side, products can be evaluated from a compliance readiness perspective, with security measures in place to meet GDPR requirements such as:
- Encryption
- Secure communications
- Disposal of residual data
- Access to data, applications and devices
- Identification and authentication
Brightsight offers a comprehensive GDPR assessment programme to verify the GDPR compliance of an appliance. Products evaluated under this programme can receive the Brightsight GDPR Certificate. This certificate shows that the developer meets high code-of-conduct standards, having had their products tested by a professional, independent third party.
GDPR compliance assessment can be done as part of an ongoing evaluation, such as a Common Criteria evaluation. It can also take the form of an independent assessment, separate from any other test or evaluation.