Blog: Opinions

When VTech meets the GDPR

Ken Munro 11 Feb 2016


Following my my comments on the BBC yesterday (where I called for a boycott of VTech products) I thought it would useful to point out some coming legislation that will scupper this lawyer-driven dribble in the future: The General Data Protection Regulation or GDPR.

If you’re not up-to-speed on the situation (have you been living in a cave?) a few days ago Troy Hunt pointed out the change to VTech’s T&Cs.

With the change they made it clear that they in no way would accept any responsibility for the loss or abuse of their customers’ data if their systems were compromised.

Based on their attitude I’m guessing ‘when’ rather than ‘if’, but that’s by-the-by.

Who does the GDPR affect?

As of spring 2018 any organisation trading in any EU Member State (that’ll include you VTech) that collects personal data is legally obliged to properly protect that data. It’s not a wishy-washy regulation either; it’s MANDATORY. National legislation can be introduced to augment the GDPR, to make it even more robust nationally.

It will apply to all personal data, regardless of the age of the people it relates to (that includes children VTech in case you’re not clear), in whatever format it is held (including structured paper files) and whenever it was collected.

What is ‘Personal Data’?

The new wider definition of ‘personal data’ covers any information about an identified or identifiable individual.

…but to identify someone you do not need to know their name.

It is enough if you can single them out from a group, by means of an identification number, location data or online identifier (such as an IP address) or something that is specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

The challenge of the GDPR

The GDPR will be a priority for organisations across Europe (and beyond) throughout 2016, but even so many organisations will find that two years is not long enough to do all that needs to be done.

Data protection compliance is a constant and iterative process. You need to be moving towards compliance and revising your approach in the light of developments, such as how the UK decides to exercise its discretion in certain areas as well as new guidance and cases in the UK and Europe.

Where can you find up to date and reliable information

This is a tricky one. There are thousands of pages of guidance on the ICO’s website, but they all relate to the existing regime and the Ministry of Justice has not yet issued any guidance to organisations in the UK on the GDPR.

Guidance will eventually be issued by the European data protection authorities, but there is still a huge quantity of work to be done before this can be finalised.


So VTech, you have two years to get your house in order, otherwise you’ll get the sort of fine you deserve for your cock-up: €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.