TUV Rheinland’s Global Competence Center for IoT Privacy has announced a new package of services addressing the end-to-end data protection requirements in the rapidly growing Internet of Things (IoT) market. By providing first-of-a-kind protected privacy certificates, it is uniquely positioned with a differentiated set of capabilities. The solution is focused on providing a product and a service certificate which the product manufacturers and system providers can use to demonstrate that they have been audited in accordance with the requirements of the EU GDPR.
New rules for IoT devices
The provisions of the EU GDPR, which also include new legal requirements for data protection in product development (privacy by design), must be implemented by May 25, 2018, following a two-year transitional period. Otherwise, substantial fines and penalties may apply. The EU GDPR applies to manufacturers and suppliers of products that are connected to the Internet and communicate independently over the Internet (known as IoT products), with the stipulation that these products process or store personal data. As an example, this may include a number of smart home products, connected smart toys, or wearable health products like fitness armbands.
Clarity on data protection and data security requirements
“The market for IoT devices is growing at a rapid rate. At the same time, there is a lot of consumer uncertainty surrounding data protection and data security for these devices, which poses a genuine market barrier to manufacturers and system suppliers. Our certificates establish trust in the IoT market for consumers and manufacturers alike,” explains Udo Scalla, Head of Global Competence Center IoT Privacy at TUV Rheinland.
To obtain a Protected Privacy IoT Product certificate, an IoT product has to be fully assessed for privacy requirements. “Our assessment focuses on characteristics that are designed to protect privacy and investigates whether, for example, an existing data memory can be deleted and whether data transmission is encrypted. We can test as many as 50 individual requirements, depending on the complexity of the device. These are all derived from the EU GDPR,” explains Gunter Martin, Solutions Director at TUV Rheinland’s Global Competence Center for IoT Privacy. The assessment required to obtain a Protected Privacy IoT Service certificate is aimed at the service, interface or application (i.e. Web Service) that is connected to a particular IoT device. To enable a device to be managed via an application, data is transferred to and processed by the service provider. “For the service certificates, we test a total of 26 categories of requirements. Some of them are very complex and go right up to a penetration test designed to identify security vulnerabilities,” adds TUV Rheinland expert Mr. Martin.
IoT privacy complete solution
TUV Rheinland’s Global Competence Center for IoT Privacy offers individual support on all topics related to protected privacy. “We show worldwide product manufacturers and system suppliers specific ways in which they can start reducing data collection to a defined minimum, and in doing so, strengthen their customers’ trust in IoT products,” states Udo Scalla from TUV Rheinland. The Global Competence Center is just one part of the international testing and consulting services offered by the diverse data protection portfolio of TUV Rheinland. The core aspects of the portfolio include certification for data protection and data security of online applications as well as testing and certification of data protection management for a wide range of companies, including certifications offered to health insurance companies and service providers. Further services include sustainable data protection management in line with the EU GDPR, appointment of external data protection officers (DPO) and installation of enhanced IT security management and threat detection systems.