New Rules for IoT Devices
The provisions of the EU GDPR, which also include new legal requirements for data protection in product development (privacy by design), must be implemented by May 25, 2018, following a two-year transitional period. Otherwise, substantial fines and penalties may apply. The EU GDPR applies to manufacturers and suppliers of products that are connected to the Internet and communicate independently over the Internet (known as IoT products), with the stipulation that these products process or store personal data. As an example, this may include a number of smart home products, connected smart toys, or wearable health products like fitness armbands.
Clarity on Data Protection and Data Security Requirements
“The market for IoT devices is growing at a rapid rate. At the same time, there is a lot of consumer uncertainty surrounding data protection and data security for these devices, which poses a genuine market barrier to manufacturers and system suppliers. Our certificates establish trust in the IoT market for consumers and manufacturers alike,” explains Udo Scalla, Head of Global Competence Center IoT Privacy at TÜV Rheinland.
To obtain a Protected Privacy IoT Product certificate, an IoT product has to be fully assessed for privacy requirements. “Our assessment focuses on characteristics that are designed to protect privacy and investigates whether, for example, an existing data memory can be deleted and whether data transmission is encrypted. We can test as many as 50 individual requirements, depending on the complexity of the device. These are all derived from the EU GDPR,” explains Günter Martin, Solutions Director at TÜV Rheinland’s Global Competence Center for IoT Privacy. The assessment required to obtain a Protected Privacy IoT Service certificate is aimed at the service, interface or application (i.e. Web Service) that is connected to a particular IoT device. To enable a device to be managed via an application, data is transferred to and processed by the service provider. “For the service certificates, we test a total of 26 categories of requirements. Some of them are very complex and go right up to a penetration test designed to identify security vulnerabilities,” adds TÜV Rheinland expert Mr. Martin.
IoT Privacy Complete Solution
TÜV Rheinland’s Global Competence Center for IoT Privacy offers individual support on all topics related to protected privacy. “We show worldwide product manufacturers and system suppliers specific ways in which they can start reducing data collection to a defined minimum, and in doing so, strengthen their customers’ trust in IoT products,” states Udo Scalla from TÜV Rheinland. The Global Competence Center is just one part of the international testing and consulting services offered by the diverse data protection portfolio of TÜV Rheinland. The core aspects of the portfolio include certification for data protection and data security of online applications as well as testing and certification of data protection management for a wide range of companies, including certifications offered to health insurance companies and service providers. Further services include sustainable data protection management in line with the EU GDPR, appointment of external data protection officers (DPO) and installation of enhanced IT security management and threat detection systems.
About the business stream ICT & Business Solutions
The business stream’s core business areas include IT services and cyber security, telecommunications solutions and HR services, management consulting, data center services and R&D management. With more than 600 specialists around the world, ICT & Business Solutions provides strategic consulting, design and process optimization through implementation, operation and certification of systems.
For more information, visit www.tuv.com/en/iot-privacy.
TÜV Rheinland is a global leader in independent inspection services, founded 145 years ago. The group maintains a worldwide presence with 19,700 employees; annual turnover is more than EUR 1.9 billion. The independent experts stand for quality and safety for people, technology and the environment in nearly all aspects of life. TÜV Rheinland inspects technical equipment, products and services, oversees projects, helps to shape processes and information security for companies. Its experts train people in a wide range of careers and industries. To this end, TÜV Rheinland employs a global network of approved labs, testing and education centres. Since 2006, TÜV Rheinland has been a member of the United Nations Global Compact to promote sustainability and combat corruption. Website: www.tuv.com