According to Dr Kuan Hon, director at law firm Fieldfisher, GDPR obligations almost certainly extend to hardware choices, and maintaining up-to-date firmware in a secure state. What does not get much attention as it should is that the GDPR obligation on data controllers regarding ‘data protection by design and by default’ should include ‘security by design and by default’.
This includes choosing and maintaining secure firmware (and software) for devices used to process personal data. Not checking if hardware is secure before procuring it, not configuring it securely (for example, not changing bad default passwords) and not expeditiously patching vulnerabilities in firmware (and other software) used to process personal data. ID Control the European Piracy and Cybersecurity company has chosen firmware and software which is made and carefully selected and made in Europe with a full source code check.