GDPR: Security and privacy by design

published on May 2, 2018

As the May 25th deadline for the enforcement of the General Data Protection Regulation across Europe approaches, we are often asked what it means for the technology and products serving millions of customers across Europe. How is GDPR compliance achieved? What do security and privacy by design mean in practice?

To start with, there is some confusion in the market about the meaning of GDPR. The regulation stands for General (all markets, all verticals, all EU countries, analog and digital) Data Protection (note “protection” rather than “privacy”) Regulation (regulated, enforced and backed by penalties).

Taking into consideration this wider context of the regulation, the link between privacy and security, from a technology point of view, is defined by the term Data Protection. Protecting digital data requires the implementation of several mitigation measures, both technical and organizational: best practices, governance and data protection policies are an important part of it (code of conduct). Clear identification of the parties involved in data capture and data processing is relevant for managing risk and for the accountability of those parties.

According to the Identity Theft Resource Center, nearly 60% of the data breaches in 2016 occurred due to hacking, skimming or phishing attacks, compared to merely 10% for any other type of data breach, with the business and health sectors being the most affected.

While data breaches and cyber security are nothing new, the direct impact on data privacy (in the event of a data breach) changes the dynamic of the technical requirements. This is not about security alone anymore. It becomes an issue of data protection and its consequences for data privacy.

The GDPR contemplates certification (Article 42) as a way of addressing compliance. Having the ability to demonstrate the prevention of unauthorized access to data, programs and devices, as well as the logging and encryption mechanisms, among other components, through a security evaluation by an independent certified third party can make the difference between meeting compliance or accepting the risk.

For all our customers whose products we have evaluated against, for instance, Common Criteria EAL2/3/4 and above, we can offer an impact assessment of the specific GDPR-related security vulnerabilities and possible risks that are not covered by the “standard” Protection Profiles used in those evaluations.

If you want to know more about GDPR compliance, what it means for your products and how Brightsight can help you, get in touch with us today.

Written by:

Carlos Serratos

Director Business Development at Brightsight