Gunter Martin from TUV Rheinland says there is a need for action in the implementation of the EU GDPR and highlights “there is still a lot of catching-up to do on the part of the manufacturers.”
Since 25 May 2018, all companies operating in the European Union have to implement the European General Data Protection Regulation (EU GDPR). Among others, the regulation affects manufacturers and suppliers of products that are connected to the internet and that communicate independently via the internet.
Now, users of so-called IoT products are in a better position than before to take action against misuse or mishandling of their personal data. According to the experts at TUV Rheinland’s “Center of Excellence (CoE) IoT Privacy”, in which the globally active testing service provider bundles its IoT testing activities for data protection and data security, there is still a need for action in implementing the EU GDPR.
“While providers and users are naturally moving in the same direction when it comes to data security and both sides want to avoid hacker attacks, there is a conflict of interest when it comes to data protection. Providers want to know as much as possible about their customers and users want to protect their privacy,” explains Gunter Martin, Chief Technology Officer at the CoE IoT Privacy at TUV Rheinland.
The EU GDPR, for example, provides for data minimisation: Personal data must be limited to what is necessary for the purposes of processing. “This demand for data minimisation should already be taken into account in the product design. Technically, the device should only be able to supply data that is needed for the agreed purpose and that cannot be collected by other means. Our practice shows that there is still a lot of catching-up to do on the part of the manufacturers,” Martin continues.
The same also applies to password security, encryption and update processes. Gunter Martin is particularly critical with regard to the EU GDPR with regard to the data protection declarations used in some cases. “According to the EU GDPR, the processing of personal data is always subject to a purpose limitation. However, consents are often formulated too comprehensively and allow data to be used for purposes that have nothing to do with the actual application,” says Gunter Martin.
Data protection and trustworthiness of digital systems as well as smart products are crucial for innovation and trust in manufacturers and vendors. “Our services as an independent qualified body can contribute to making digital services and smart products more secure. With our tests of consumer data protection we can create market comparison opportunities that strengthen confidence in manufacturers and at the same time stand for security in the digital world,” says TUV Rheinland expert Gunter Martin.
Since 2017, TUV Rheinland’s CoE IoT Privacy has been globally offering a service package that meets the requirements of end-to-end data protection in the fast-growing Internet of Things (IoT) market. The portfolio includes two innovative data protection certificates. In addition, TUV Rheinland’s “Trust IoT – from Start to Finish” end-to-end solution service can also help manufacturers and system providers meet all professional requirements in terms of compliance, interoperability, functional security, and IT security.
Further information can be found at www.tuv.com/en/iot-privacy.
