A Spotlight on Cybersecurity Risks

EU general data protections in 2018 and their effect on smart toys

Smart, high-tech toys are popular among millennial parents as they are considered good tools to use when it comes to educating children. On the other hand, their growing popularity also raises security and privacy concerns. To protect people’s personal information and ensure their privacy, the European Union (EU) has issued the General Data Protection Regulation (GDPR) which will take effect in May 2018. This regulation will have an impact on all products and services sold within the EU. In this article, Roy Luo, general manager of TÜV Rheinland’s Greater China electrical, will discuss the GDPR and its effect on companies.

During the holidays, many parents purchased smart, high-tech toys as gifts for their children. Millennial parents are more likely to let their children spend more time staring at some sort of screen on an electronic device than previous generations would. ‘Edutainment’ is now the guiding principle for parents purchasing toys. Parents are willing to spend more money as they believe these toys are more educational and creative. Smart, high-tech toys include robots controlled by smart phones, dolls with corresponding apps and bespoke soft toys with interactive functions.

Most parents understand the dangers of letting children use social media and so they track their online activities. Many parents instinctively shy away from posting pictures of their children online. This may be a smart move, since their activity is probably being tracked and the collected data may be used in a harmful manner. However, few parents pay attention to the warnings listed on their recently purchased high-tech toys. Due to this, children are now being exposed to cybersecurity risks at an alarming rate.

EU GDPR is set to take effect
Privacy and data security has always been important issues for the EU. The GDPR, which will become mandatory on 25th May 2018, will set rigorous standards for the protection of a person’s personal data. The scope of personal data protection in the EU will be increased and will also be globally applicable. All manufacturers, whether they are located within or outside the EU’s borders fall under the GDPR if their products or services are sold within the EU and involve the storage and processing of EU citizens’ personal information.

Here, personal information refers to the personal data of EU citizens during data processing that can be used to identify them in any way. The content protected by the GDPR is broad in scope and not only covers personal information such as address, telephone number and identification number, but biometrics and online positioning data as well.

All EU member states will enforce these strict regulatory controls once the GDPR takes effect. Companies who do not are subject to massive fines of up to euro (EUR) 20 million, or 4 per cent of the company’s global yearly revenue (whichever is highest). The fear of personal information being compromised by smart devices is not new. Germany’s Federal Network Agency recently banned domestic sales of children’s smart watches in 2017 and parents were encouraged to discard smart watches immediately. The lack of encryption technology in these smart devices allows hackers to easily break into them and track a person’s location with ease. Once the GDPR takes effect, not only will the products be reported, but the corresponding company will be fined as well.

How to avoid breaking the law?
First, vendors should reduce the collecting and processing of a person’s personal information. Personal information unrelated to the declared function must not be used and if it is necessary to store a person’s information, then its use must be detailed in the product manual and warn the consumer on how it is an essential part of the product. For example, if a smart doll only engages in simple conversation with children, such as responding when asked about today’s weather, the doll should not have the ability to track a person’s location or collect personal information as it would be non-essential to the toy’s purpose.

The law also recommends that vendors provide default privacy settings for their products and services. This function could disable the collection of personal information by default. The user can then decide whether they want to enable the function and if they do then it must meet a certain standard of encryption.

This regulation requires product and service vendors to use a sound environment and service process controls to protect personal information from misuse, from being leaked through hackers, or being illegally shared with unauthorised third-parties. The law recommends testing by independent third-party organisations to determine whether your business complies with GPDR requirements.

Product/Service Testing and Verification
Internet of things (IoT) manufacturers that supply products or services to EU countries must abide by this new law and enforce it. Verified IoT products and services are issued certification marks by a third-party organisation, which includes the IoT product and service privacy protection mark. In accordance with GPDR rules, the product certification standard evaluates the privacy protection of an IoT product based on five levels: hardware and firmware, communications, applications, documentation and data usage. Privacy protection certification for IoT services is evaluated in seven dimensions including the information technology (IT) environment (including applications), data protection, organisational management, service process, penetration testing, documentation and auditing of service partners.

TÜV Rheinland is a global leader in independent inspection services, founded over 140 years ago. The group employs 19,300 people in 69 countries worldwide. Our independent experts stand for quality and safety for people, technology and the environment in nearly all aspects of life. TÜV Rheinland inspects technical equipment, products and services, and oversees projects and processes for companies. Our experts train people in a wide range of careers and industries. Our service scope includes industry and energy; transportation; machinery; electric and non-electric products; food; management systems; and training and consulting.