General Data Protection Regulation (GDPR)

On 25 May 2018 the General Data Protection Regulation (GDPR) became applicable across the European Union. Organisations established in the EU, and organisations outside the EU that process the personal data of people in the EU, have to comply with it. This creates an opportunity to make security and privacy by design a default capability of products and services rather than an afterthought. Adopting this approach gives businesses better control over their compliance, makes accountability explicit, and prepares them for the standards that are following the regulation.

The GDPR and the ePrivacy Directive focus on protecting personal data and giving control back to the data subject, the person the data is about. A security evaluation done by a professional, independent third party, like Brightsight, is not only important but encouraged by the legislation: Article 42 promotes certification mechanisms as a way of demonstrating compliance. Being able to demonstrate state-of-the-art security through an evaluation by an accredited laboratory is an effective approach to risk management and produces evidence that can be used as a mitigating factor in case of a data breach. Under the GDPR, manufacturers and service providers should ensure that the most secure, proven and well-understood settings are in place, protecting data both at rest and in transit.

The body of technical standards relevant to data protection certification is evolving rapidly. Various standardisation bodies have added or expanded the development of relevant standards in their work plans, triggered to a large extent by the introduction of the GDPR and by growing public awareness of data protection and cyber security. Certification keeps the core technical requirements of the GDPR demonstrably met, and the evidence it produces makes it easier to adapt to related standards as they appear.

The GDPR aims to protect people's personal data by requiring companies to take technical and organisational measures appropriate to the risk involved (Article 32). On the technical side, products can be evaluated from a compliance-readiness perspective, checking that security measures are in place for GDPR requirements such as:
  • Encryption
  • Secure communications
  • Disposal of residual data
  • Access to data, applications and devices
  • Identification and authentication

Brightsight offers a comprehensive GDPR assessment programme to verify the GDPR readiness of a product. Products evaluated under this programme can receive the Brightsight GDPR Certificate. This certificate shows that the developer has had the product tested against these requirements by a professional, independent third party, which is the kind of due diligence the regulation expects.

A GDPR compliance assessment can be done as part of an ongoing evaluation, such as a Common Criteria evaluation. It can also take the form of an independent assessment, separate from any other test or evaluation.

FAQ

Is GDPR only about privacy?

No. GDPR stands for General Data Protection Regulation. The regulation covers analogue and digital processing alike and is aimed at protecting people's personal data. Privacy is one use case of data protection, and within the scope of this legislation it is the most important one, but the regulation also imposes requirements on the security of processing, on accountability and on breach notification.

Does the GDPR expect products or services never to suffer a data breach?

No. The GDPR does not expect that data breaches will never happen. Instead, businesses have an obligation to demonstrate that they took the necessary steps to protect the data: encryption, secure communications, password management, and so on. Article 32 requires those measures to take the state of the art into account, so using proven, state-of-the-art technology is the way to meet that obligation.

Does GDPR compliance focus only on processes?

No. The GDPR covers both technical and organisational measures for protecting data. Article 32 names examples of technical measures that products and services are expected to implement where appropriate: pseudonymisation and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures.

What is the advantage of a third-party security evaluation?

Security evaluation reports can be used as a mitigating factor when a fine is determined, provided the evaluation followed the recommendations from a data protection perspective and covered all data at rest and in transit. Article 83(2) explicitly lists the technical and organisational measures implemented and adherence to approved codes of conduct or certification mechanisms among the factors a supervisory authority weighs. A security evaluation report is also the best format for a manufacturer to demonstrate due diligence in implementing security features that protect data from breaches, and for a business to demonstrate that the products and technology it uses are adequate for the data risk involved. Note that under Article 42(4) a certification does not reduce the controller's or processor's responsibility for compliance; it is evidence of the measures taken, not a substitute for them.