Implications GDPR has on Internet of Things (IoT) solutions
The evolution of the Internet of Things will dramatically enhance the number of objects/sensors that have a built-in connectivity to a network. Gartner estimates that by the end of 2017, around 8.4 billion devices will be connected to the internet representing a 31% increase from 2016 and the number will rise to about 20.4 billion by the year 2020.
If your organisation carries out business in the European Union, you probably have started preparing for the new EU General Data Protection Regulation (GDPR), taking effect May 2018. GDPR is an extensive regulation to strengthen the need for the right to privacy of individuals by ensuring that their personal data is protected.
Organisations without a physical market presence in the EU will still be required to comply with the GDPR if the following conditions apply:
- The organisation offers paid or unpaid goods or services to individuals located in the EU
- The organisation is monitoring the behaviour of individuals within the EU
The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, your organisation could face a fine of up to 20 million euros or 4 per cent of worldwide annual turnover (revenue), whichever is higher.
Privacy challenge posed by evolution of IoT and implementation of GDPR
In short, just about every industry can benefit from active usage of IoT technology – from fleet management, health care, insurance and risk assessment, manufacturing and production, oil and gas, agriculture, and mining, smart public transport, to power distribution within cities.
IoT can demonstrate a positive return on investment (ROI) by providing real time data, analysed with historical data and potentially external sources to support incremental improvements or rapid decisions. Predictive maintenance is another huge area for IoT solutions.
However, provision of IoT objects and solutions is complex. For data that is stored by various departments of the organization, it might be challenging to ascertain the individual responsible for safeguarding personal data. GDPR necessitates the right for the rectification, erasure, restriction and objection of data processing. Companies need to design frameworks for the collection, storing and processing of individual sensor data.
Organizations that has implemented IoT solutions, need to keep in mind the following among others:
Consent and Privacy by Design. The GDPR requires organizations to obtain a fairly high quality of consent from customers/users about the way their personal data will be used. Consent must be active – not the result of inactivity or pre-ticked boxes. The person giving consent must also understand how their personal data is being worked with.
Related to this is the idea in the GDPR of “privacy by design” and “privacy by default.” All the data that a IoT sensor/device creates will need to be classified as personal data, even if the data is not specifically linked to the owner of the device. This means that this data will need to be treated as personal information in the way it is gathered, stored and processed.
Security and notification of breaches. GDPR explicitly introduces a general mandatory notification regime. When there is a personal data breach, a supervisory authority needs to be notified within 72 hours once an organization becomes aware of a breach, and impacted individuals must also be notified if a certain threshold is met.
- Loopholes in firewalls can give access to the network via a poorly-designed IoT device and configuration. The entry point could be a networked sensor, Edge/Fog computing device, a camera, or a climate control device.
- An IoT hack could potentially take over the functionality of the device being hacked. For example, a IoT-hacked vehicle, a production line, worker’s safety system could be manipulated.
Personal Data relating to children. The GDPR will make it impossible for children under the age of 13 to consent on their own behalf to the processing of their personal data in relation to online services.
These provisions pose challenges for those intending to bring to market IOT devices that may be used by children, both in relation to the feasibility of introducing parental/guardian consent mechanisms to the devices and in relation to the ability to market such devices at an EU-wide level, given that the law relating to children between 13 and 15 may not be uniform across all Member States.
Knowing where all the data resides. Under the GDPR, an organization must be able to respond to a request by a client to see all of the data held on themselves within one month.
Being able to connect client data across silos – or even to eliminate silos – for organizations and third parties will become crucial when it comes to fulfilling this requirement. With IoT, it is going to be extremely difficult for some organizations to have a single source of truth for all their customer data
The best way to get started
Many organisations are aware they need to act now to prepare for the GDPR but are not sure of the best way to get started. The truth is there is no one right answer: where
you start depends a lot on where you are now.
If you haven’t already done so, your first step should be to understand your GDPR obligations and state of readiness, as well as the risks of failing to act now.
A key outcome of this GDPR readiness assessment should be a roadmap that helps you manage and mitigate the sources of risk that you identify. This would include identifying existing initiatives the company has that could be built upon for your IoT solutions, as well as GDPR business control gaps that may need to be filled in.
Responsibility and necessary steps for IOT companies
The GDPR depicts that the Board of directors is responsible for spearheading the implementation, compliance with the new law to strengthen the protection of consumer data. Organizations need to take necessary measures to make sure that they enhance digital relationships that are based on trust. It is through ensuring that their mandate extends from data privacy to ensure aspects of transparency and control of data is well implemented. To enhance the security of personal data the following steps need to be taken:
- Organizations need to implement a data plan for gathering, storing and processing of personal data
- Implement policies necessary for the protection, detection, investigating and reporting of protection of personal data and any breach
- Ensure that staffs are well educated regarding the implementation of the new data laws and their responsibility in enhancing data security.
- Ensure that all the customers and suppliers have implemented frameworks to comply with the GDPR requirements.