HP’s Windows 10 Legacy Raises Data‑Protection Concerns as Support Ends
#Privacy


Privacy Reporter
4 min read

With roughly 30 % of HP’s installed base still on Windows 10 as the operating system reaches its end-of-support date, users face heightened security risks. The situation bears directly on GDPR, CCPA and other data-protection obligations, prompting regulators and enterprises to accelerate migration or secure extended-support contracts.


HP disclosed that three in ten of its PCs are still running Windows 10, an operating system whose standard support ends on 14 October 2025. Microsoft will sell Extended Security Updates (ESU) beyond that date (one year for consumers, up to three years for commercial customers), but any machine that is not enrolled stops receiving security patches entirely. For users in the European Economic Area (EEA) and California, the loss of timely security fixes creates a direct risk of non‑compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).


Regulation, core requirement, and how Windows 10 end‑of‑support threatens compliance:

GDPR Art. 32 (Security of processing)
  Core requirement: controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  Threat to compliance: without security updates, newly disclosed vulnerabilities remain unpatched, raising the likelihood of a breach that a supervisory authority could deem the result of insufficient security.

CCPA § 1798.150 (Private right of action for breaches caused by a failure to maintain reasonable security)
  Core requirement: businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they hold.
  Threat to compliance: the California Attorney General has stated that failing to implement basic controls such as timely patching indicates a lack of reasonable security, so a breach traced to an unsupported OS is hard to defend.

NIST SP 800‑53 Rev 5 (US federal guidance)
  Core requirement: controls such as SI‑2 (Flaw Remediation) require identifying, reporting and correcting system flaws within organisation-defined time frames.
  Threat to compliance: ESU delivers only security updates rated Critical or Important, not other fixes, so even enrolled systems may fall short of the control’s intent and unenrolled ones fail it outright.

Regulators in the EU have already signalled that vendor‑imposed software cut‑offs could be treated as a form of “forced obsolescence” at odds with right‑to‑repair rules and the environmental objectives of the European Green Deal. The EU Cyber Resilience Act goes further and requires manufacturers of products with digital elements to provide security updates for a support period of at least five years.


Impact on users and companies

1. Heightened breach risk

Windows 10 has accumulated more than 1,200 critical CVEs over its lifetime, and vulnerabilities discovered after October 2025 will receive no free patch at all. Enterprises that rely on HP laptops for remote work, especially in regulated sectors such as finance and healthcare, could face substantial fines – up to 4 % of global annual turnover under GDPR – if a breach is traced to an unpatched OS.

2. Financial pressure on IT budgets

HP’s own CFO, Karen Parkhill, framed the lingering Windows 10 base as a “tailwind” for short‑term revenue. However, Microsoft’s published commercial ESU price starts at $61 per device for the first year and doubles in each subsequent year, a hidden expense that many mid‑market customers have not budgeted for. Combined with the hardware upgrades needed to meet Windows 11’s TPM 2.0, Secure Boot and processor requirements, total migration costs can exceed $200 per workstation.

3. Data‑subject rights complications

Under GDPR, data subjects can request rectification or erasure of their personal data, and a controller must be able to show how that data is protected. If a breach occurs on an unsupported system, the controller may be unable to demonstrate that it took reasonable steps to protect the data, weakening its defence in any supervisory‑authority investigation.


What changes are required

Immediate actions for HP customers

  1. Audit the OS inventory – Identify every device still on Windows 10, record its build (only 22H2 is eligible for ESU), and classify each device by risk (e.g., handling of personal data, exposure to the internet).
  2. Secure extended‑support contracts – For high‑risk machines, purchase Microsoft’s paid Extended Security Updates (ESU) before the October 2025 deadline.
  3. Implement compensating controls – Deploy network‑level intrusion‑prevention, application allow‑listing (AppLocker or Windows Defender Application Control), and phishing‑resistant MFA to limit the blast radius of a compromised endpoint while migration plans are executed.
  4. Plan hardware refreshes – Align the Windows 11 upgrade with the rollout of TPM 2.0‑enabled devices; consider hardware that HP ships pre‑validated for Windows 11.
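The audit in step 1 and the hardware triage in step 4 can be driven by one script run on each endpoint. The PowerShell below is an added example written for this page, not HP’s or Microsoft’s tooling: it reads the OS build, TPM specification and Secure Boot state with standard cmdlets and returns a single record per host. The build thresholds are real (Windows 11 starts at build 22000; Windows 10 22H2 is build 19045 and is the only build ESU will enrol), but the two risk tags (`-HandlesPersonalData`, `-InternetExposed`), the scoring scheme and the recommended-action labels are assumptions of this example, not a regulatory standard.

```powershell
# Added example for this page (not HP/Microsoft code): per-host Windows 10 audit record.
# Run as an administrator; Confirm-SecureBootUEFI and Win32_Tpm need elevation.

function Get-Win10AuditRecord {
    [CmdletBinding()]
    param(
        # Assumed tag supplied by the caller: does this host process personal data?
        [bool]$HandlesPersonalData = $false,
        # Assumed tag: is the host reachable from the internet (e.g., laptop without always-on VPN)?
        [bool]$InternetExposed = $false
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    $isWin10 = ($build -ge 10240 -and $build -lt 22000)   # Windows 10 builds
    $isWin11 = ($build -ge 22000)                          # Windows 11 starts at 22000
    $is22H2  = ($build -eq 19045)                          # ESU enrolment requires 22H2

    # Win32_Tpm lives in its own namespace; SpecVersion looks like "2.0, 0, 1.59".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpm20   = ($tpmSpec -eq '2.0')

    # Confirm-SecureBootUEFI throws on legacy BIOS boot; treat that as "not ready".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Assumed scoring scheme (example only): unsupported OS weighs most, then data sensitivity.
    $risk = 0
    if ($isWin10)                      { $risk += 2 }
    if ($isWin10 -and -not $is22H2)    { $risk += 2 }   # cannot even buy ESU until moved to 22H2
    if ($HandlesPersonalData)          { $risk += 2 }
    if ($InternetExposed)              { $risk += 1 }

    if     ($risk -ge 5) { $tier = 'High' }
    elseif ($risk -ge 3) { $tier = 'Medium' }
    else                 { $tier = 'Low' }

    $hwReady = ($tpm20 -and $secureBoot)

    if     ($isWin11)                            { $action = 'None: already on Windows 11' }
    elseif ($isWin10 -and -not $is22H2)          { $action = 'Update to 22H2 first (ESU prerequisite)' }
    elseif ($tier -eq 'High' -and -not $hwReady) { $action = 'Hardware refresh; ESU as bridge' }
    elseif ($tier -eq 'High')                    { $action = 'Enrol in ESU now; upgrade to Windows 11' }
    elseif ($hwReady)                            { $action = 'Schedule in-place upgrade to Windows 11' }
    else                                         { $action = 'Plan hardware refresh' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSCaption           = $os.Caption
        Build               = $build
        IsWindows10         = $isWin10
        ESUEligible22H2     = $is22H2
        TPMSpec             = $tpmSpec
        SecureBoot          = $secureBoot
        Win11HardwareReady  = $hwReady
        HandlesPersonalData = $HandlesPersonalData
        InternetExposed     = $InternetExposed
        RiskTier            = $tier
        RecommendedAction   = $action
    }
}

# Local run:
Get-Win10AuditRecord -HandlesPersonalData $true -InternetExposed $true | Format-List

# Fleet run (assumed host list file), collected into one CSV for the risk register:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-Win10AuditRecord} |
#     Export-Csv .\win10-audit.csv -NoTypeInformation
```

The record deliberately separates the two questions a budget owner needs answered: whether the device can receive ESU at all (build 19045) and whether it can be moved to Windows 11 without new hardware (TPM 2.0 plus Secure Boot). Processor support is not checked here because the generation list is long and changes; feed the CSV to Microsoft’s PC Health Check or a hardware-readiness report for that final filter.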

Longer‑term regulatory compliance steps

  • Document the risk‑mitigation strategy so it can be shown to satisfy GDPR Art. 32, and reflect it in the Art. 30 records of processing. This documentation will be crucial if a supervisory authority audits the organization.
  • Review vendor contracts to ensure that any third‑party service providers (including HP) share responsibility for maintaining a secure OS environment.
  • Monitor EU and US regulator guidance on forced obsolescence. The European Commission is expected to publish guidance on mandatory security‑update windows later this year, which could impose new obligations on OEMs like HP.

Outlook

HP’s statement that the Windows 10 legacy is a “short‑run opportunity” overlooks the privacy‑risk premium that customers will soon have to pay. As regulators tighten the link between security updates and data‑protection compliance, the financial calculus will shift: the cost of staying on an unsupported OS will likely exceed the expense of a timely hardware refresh.

Enterprises that act now—by securing ESU licences, hardening network defenses, and budgeting for a hardware refresh—will not only avoid potential GDPR or CCPA fines but also demonstrate a proactive stance on the right to repair and environmental sustainability goals championed by the EU.

For further reading on Microsoft’s extended‑support options, see the official Microsoft documentation.
