TÜV Rheinland Blog - Insights from Asia and Africa

GDPR Considerations for IoT Manufacturers and Service Providers​

Posted by TUV Rheinland on Oct 9, 2018 5:51:46 PM
TUV Rheinland

LinkedIn-TUV-9Oct-GDPR copy

The recently enforced General Data Protection Regulation (GDPR) applies to all organisations offering goods or services or marketing to individuals in the EU, regardless of company size or where the company or data is located.

In the event of a breach or non-compliance, the GDPR brings fines of up to 20 million Euros or 4% of a company’s annual turnover. The first fines that are enforced will likely be on those brought to the attention of the governing body through data breaches or high numbers of complaints from users. What steps can organisations take to reduce the likelihood of being penalised by these fines?


How to Reduce Fines Brought on by GDPR

First, companies should document the types of data they hold, where it resides, and what it is being used for. Wherever possible, limit the personal data being collected and processed. Organisations should also increase logging and monitoring efforts to notify potential data breaches, and re-mediate gaps.

Finally, companies should address what may cause customer complaints i.e. unable to provide a customer’s data, no process in place for data erasure, etc and fix them as soon as possible. Taking these initial steps will help shrink a company’s GDPR footprint and reduce the burden of compliance.


Considerations for IoT Devices

IoT devices gather, hold, and transmit mass amounts of user data. In order for companies to avoid fines and ensure compliance to the GDPR, manufacturers should consider:

  • Encrypted data transmission from device to gateway
  • Encrypted data transmission from gateway to internet
  • Temporal correctness – sequence number or sequence identification
  • The device is capable for remote updates
  • The device can be reset to factory settings
  • If removable storage devices can be used with the product, the data on them must be stored in an encrypted form
  • If the user can or must register the device with the manufacturer, there must be a simple way of de-registering
  • The device should only save or transmit data when needed to provide the service
  • The device only contains the sensors and other components needed for its function or to provide the service
  • Stationary devices outdoors must have anti-theft protection


Considerations for IoT Service Providers

The GDPR applies not only to companies manufacturing IoT devices, but also companies that offer IoT services as well. Service providers should consider:

  • Individual password-protected access
  • Web application with security mechanism against vulnerabilities of the OWASP (Open Web Application Security Project)
  • Ability to detect data breaches and report it within 72 hours
  • Patch and vulnerably management – the ability to load security updates
  • Earmarking appropriation and consent with prohibition of coupling
  • The user has the right to be “forgotten” – data erasure
  • If the service provider has forwarded the data to 3rd parties, they must notify the 3rd party concerned that such data also has to be deleted
  • It should be possible for the user to control and delete sound and image recordings
  • The user has the right to data portability in a “generally common” (user-friendly) format
  • Physical security for access to hardware resources


Considerations for Seeking of Consent

If used, the following consents should be switch off by default. They may only be used if the user explicitly agrees to:

  • Use of data for personalised advertisements or the sending of personalised advertisements
  • Transmission of diagnosis data to the manufacturer for software improvement
  • Transmission of location
  • Transmission of personalised data to 3rd parties
  • Transmission of speech (speech recognition) or images provided that is not obvious to the user that this transmission is a central function of the device
  • Transmission to a third country for which there is neither an adequacy decision under Article 45 (3) nor suitable guarantees under Article 46 GDPR


Consideration for Certification


Find out more about designing safe and secure Smart Home devices.


For more information, speak with our experts:

Contact us now

Topics: IoT, Certification, GDPR