Will Santa be delivering GDPR problems for tech companies in 2018?
Santa recently brought my 7-year-old daughter Annabelle (Belle) a KidiCom Max. This allows Belle to exchange messages with family and friends, take photos and videos, play a variety of games with popular characters, safely browse the internet, listen to music and watch her favourite cartoon shows.
She loves it, a lot. I have the VTech KidiConnect app on my phone so we can communicate. This can get a bit annoying as Belle tends to send me bursts of emoticons, pictures, drawings. But in general, it is good fun. Pros – it is a very safe environment. The app is a bit clunky, to say the least, but it is very safe. All contacts must be approved by me before any communication can take place. It occurred to me only after setting up the device on Christmas morning (Belle was putting a lot of pressure on me to get it working) that this could be a GDPR minefield.
VTech is now the controller and processor of my personal data, my wife's and my daughter's. And my 10-year-old son's too (he has the app on his iPad). Are VTech up to speed on GDPR compliance? A quick search on the VTech website (www.vtech.co.uk) does not give much comfort.
I did give my consent, and probably my children's consent too. I do not remember specifically (I was under pressure as it was 0730 on the 25th of December). Interestingly, my 10-year-old is sending pictures (personal data) of himself to his sister via the app on his iPad. I think he might have given consent himself, which is in breach of GDPR as he is under 13 years old. Who knows - do VTech have a paper trail here? My quick analysis highlights the following concerns for the controller and processor:
- VTech has a presence in the UK and France. Post Brexit – they will have to rely on their French office as their EU base and will be dealing with the French Data Protection regulator.
- The personal data could be hosted outside of Europe (China).
- The personal data is probably also processed in China and the US. The US is covered by Privacy Shield but China is a 3rd country.
- Does VTech use any sub-processors? If these are in China – are these companies GDPR ready?
- I have done a search for GDPR in VTech's support and got no results. I cannot find a DPO or data privacy who works for VTech (searching via LinkedIn).
- What is the policy for deleting my children’s personal data when they inevitably stop using the toy?
There is a lot of good work here. VTech have produced a method for kids to send messages to their parents and siblings in a closed, safe environment. However, VTech might have neglected privacy in favour of security. They are different things. Parents are prone to get super paranoid when it comes to their kids. They tend to be more concerned about their kids' data than their own. I would like and expect VTech to explain to me what is happening with my kids' data in a clear, simple, specific, unambiguous way. After all – come May 25th this year – it will be the law.