TÜV Rheinland: Need for action in the implementation of the EU GDPR

Posted by TUV Rheinland on May 29, 2019 11:00:00 AM

Demand for data minimization / Security in the digital world with "Trust IoT - from start to finish" as end-to-end solution


Since May 25th, 2018, all companies operating in the European Union have had to implement the European General Data Protection Regulation (EU GDPR). Among others, the regulation affects manufacturers and suppliers of products that are connected to the internet and communicate independently over it.

Now, users of so-called IoT products are in a better position than before to take action against misuse or mishandling of their personal data. According to the experts at TÜV Rheinland's "Center of Excellence (CoE) IoT Privacy", in which the globally active testing service provider bundles its IoT testing activities for data protection and data security, there is still a need for action in implementing the EU GDPR.

"While providers and users are naturally moving in the same direction when it comes to data security and both sides want to avoid hacker attacks, there is a conflict of interest when it comes to data protection. Providers want to know as much as possible about their customers and users want to protect their privacy," explains Günter Martin, Chief Technology Officer at the CoE IoT Privacy at TÜV Rheinland.

The EU GDPR, for example, provides for data minimization: Personal data must be limited to what is necessary for the purposes of processing. "This demand for data minimization should already be taken into account in the product design. Technically, the device should only be able to supply data that is needed for the agreed purpose and that cannot be collected by other means. Our practice shows that there is still a lot of catching-up to do on the part of the manufacturers", Martin continues.

The same also applies to password security, encryption and update processes. With regard to the EU GDPR, Günter Martin is particularly critical of the data protection declarations used in some cases. "According to the EU GDPR, the processing of personal data is always subject to a purpose limitation. However, consents are often formulated too comprehensively and allow data to be used for purposes that have nothing to do with the actual application," says Günter Martin.

Security in the digital world: "Trust IoT - from start to finish" as an end-to-end solution

Data protection and trustworthiness of digital systems, as well as smart products, are crucial for innovation and trust in manufacturers and vendors. "Our services as an independent qualified body can contribute to making digital services and smart products more secure. With our tests of consumer data protection we can create market comparison opportunities that strengthen confidence in manufacturers and at the same time stand for security in the digital world", says TÜV Rheinland expert Günter Martin.

Since 2017, TÜV Rheinland's CoE IoT Privacy has been globally offering a service package that meets the requirements of end-to-end data protection in the fast-growing Internet of Things market. The portfolio includes two innovative data protection certificates. In addition, TÜV Rheinland's "Trust IoT - from Start to Finish" end-to-end solution service can also help manufacturers and system providers meet all professional requirements in terms of compliance, interoperability, functional security, and IT security.

Further information can be found at www.tuv.com/en/iot-privacy

Topics: privacy, IoT