omniture

EU General Data Protection Regulation Takes Effect in 2018 - Spotlight on Cyber-Security Risks of Smart High-Tech Toys

2018-02-01 13:31 2591

HONG KONG, Feb. 1, 2018 /PRNewswire/ -- For the Christmas and New Year holidays that just went by, many parents purchased smart high-tech toys as gifts for their children. Parents from the Millennium generation are more likely to let their children spend more time on the screen than previous generations. Edutainment is now the guiding principle for parents purchasing toys. Parents are willing to spend more money purchasing smart high-tech toys because they believe these toys are more educational and they can join the children in creative activities. Smart high-tech toys include robots controlled by smart phones, dolls with corresponding apps, and bespoke soft toys with interactive functions.

Most parents understand the dangers of letting children use social media and tracking their locations/activities. Many parents instinctively shy away from posting pictures of their children online. This may be a smart move because their activity is being tracked and the data may be used by unscrupulous people. Few parents however pay attention to the warnings on the high-tech toys they purchase. Their children are now being exposed to cyber-security risks at an accelerating pace.

EU General Data Protection Regulation Set to Take Effect

Privacy and data security have always been important issues for the European Union (EU). The "General Data Protection Regulation" (GDPR) that will become mandatory on May 25, 2018, will set rigorous standards for the protection of personal data and privacy. The level and scope of personal data protection will be increased. The new GDPR is applicable globally. All manufacturers, whether they are located within EU borders or not, are subject to the GDPR if their products or services are sold within the EU and involve the storage and processing of EU citizens' personal information.

Here "personal information" refers to the personal data of EU citizens during the data processing, including any known or identifiable citizen (data subject) information. The content protected by the GDPR is quite broad in scope. It covers not only personal identity information such as address, telephone number and identification number but also biometrics and online positioning data such as fingerprints, network IP address, and social network activity logs.

All EU member states will enforce strict regulatory controls once the GDPR takes effect. Companies are subject to massive fines of up to 20 million Euro or 4% of the company's global revenues in that year (whichever is highest) for non-compliance. The Federal Network Agency in Germany banned domestic sales of children's smart watches in 2017. Parents were also encouraged to discard such smart watches immediately. The lack of encryption technology allows hackers to easily break into smart watches and make it possible for unscrupulous people to track a child's location with ease. Once the GDPR takes effect, such products will not only be reported but also fined.

How to avoid breaking the law?

First, vendors should reduce the collection and processing of data subjects' personal information. Personal information unrelated to the declared function must not be used. Product manuals must also detail their functions and the technologies used. For example, if a smart doll only engages in simple conversation with children such as responding when asked about the day's weather or whether the child looks pretty, the doll should not have a monitoring function. Such a function would be a non-essential function.

The law also recommends that vendors provide default privacy settings for products and services. The function for allowing the collection of personal information should be set to disabled by default. The user can decide whether to enable the function or not, and it must meet a certain standard of encryption.

GDPR requires product and service vendors to use a sound environment and service process controls to protect personal information from misuse, from being leaked through hackers, or being illegally shared with unauthorized third-parties. The law recommends testing by independent third-party organizations to determine whether your business complies with GPDR requirements.

Product/Service Testing and Verification

With many years of experience in information security, TUV Rheinland can provide IoT product manufacturers supplying products or services to EU countries with a professional interpretation of the law. Verified IoT products and services are issued certification marks by TUV Rheinland including the IoT product and service privacy protection mark. In accordance with GPDR rules, the product certification standard evaluates the privacy protection of an IoT product based on five levels: hardware and firmware, communications, app, documentation and data usage. Privacy protection certification for IoT services is evaluated against seven dimensions including IT environment (including applications), data protection, organizational management, process, penetration testing, documentation and auditing of service partners. Please do not hesitate to contact our experts at any time.

TUV Rheinland Protected Privacy IoT Product and Service Mark
TUV Rheinland Protected Privacy IoT Product and Service Mark

MEDIA CONTACT: Simon Hung , +852-21921948, simon.hung@tuv.com

Photo - https://photos.prnasia.com/prnh/20180201/2046674-1

Source: TUV Rheinland
collection