GDPR: Security and privacy by design
published on May 2, 2018
As the May 25th deadline for enforcement of the General Data Protection Regulation across Europe approaches, we are often asked what it means for the technology and products serving millions of customers across Europe. How do you achieve GDPR compliance? What do security and privacy by design actually mean?
To start with, there is some confusion in the market about what GDPR means. The name stands for General (all markets, all verticals, all EU countries, analog and digital) Data Protection (note “protection” rather than “privacy”) Regulation (regulated, enforced, and backed by penalties).
Taking this wider context of the regulation into account, the link between privacy and security, from a technology point of view, is defined by the term Data Protection. Protecting digital data requires implementing several mitigation measures in the digital world, from both a technical and an organizational point of view: best practices, governance and data protection policies are an important part of it (the code of conduct). Clearly identifying the parties involved in data capture and data processing is relevant both for managing risk and for the accountability of those parties.
According to the Identity Theft Resource Center, nearly 60% of the data breaches in 2016 were caused by hacking, skimming or phishing attacks, compared to merely 10% for any other type of breach, with the business and health markets being the most affected.
While data breaches and cyber security are nothing new, the direct impact on data privacy in the event of a breach changes the dynamic of the technical requirements. It is no longer about security alone; it becomes an issue of data protection and its consequences for data privacy.
The GDPR contemplates certification (Article 42) as a way of addressing compliance. Being able to demonstrate, through a security evaluation by an independent certified third party, the prevention of unauthorized access to data, programs and devices, as well as the logging and encryption mechanisms, among other components, can make the difference between meeting compliance and accepting the risk.
For all customers whose products we have evaluated, for instance against Common Criteria EAL2/3/4 and above, we can offer an impact assessment of specific GDPR-related security vulnerabilities and possible risks that are not covered by the standard Protection Profiles used.
Director Business Development at Brightsight
Get in touch with him for more info: email@example.com