The Internet of Things and the GDPR

The Internet of Things (IoT) can offer a positive return on investment (ROI) by providing real-time data that, combined with historical data and various external sources, supports incremental improvements or rapid decisions. One example of such an improvement is predictive maintenance enabled by IoT.

However, provisioning IoT devices and solutions is complex and will likely expose the organization to new challenges. With data being stored by various departments, it may prove difficult to ascertain who is responsible for safeguarding personal data. The GDPR establishes the rights to rectification, erasure, restriction and objection in relation to data processing. Companies need to design frameworks for the collection, storage and processing of individual sensor data.

If your organisation operates in the European Union, you have probably begun preparing for the new EU General Data Protection Regulation (GDPR).

Why the GDPR?

Although the current legislation was enacted before the internet era, newer technologies such as social media and cloud computing have raised the bar in terms of the amount of data we consume, as well as the ways in which these data can be exploited.

And although much of the GDPR codifies existing guidance from established data protection laws, the changes being introduced are intended to bring about a new mindset and a culture shift around the use and security of data.

With the emergence of the digital economy, the GDPR seeks to strengthen data protection regulations by introducing stricter enforcement measures.

Privacy challenges posed by the evolution of IoT and the implementation of the GDPR. Organizations that have implemented IoT solutions need to keep in mind the following, among others:

Consent and privacy by design. The GDPR requires organizations to obtain a fairly high quality of consent from customers/users about the way their personal data will be used. Consent must be active – not the result of inactivity or pre-ticked boxes. The person giving consent must also understand how their personal data will be processed.

Related to this are the GDPR concepts of “privacy by design” and “privacy by default.” All the data that an IoT sensor or device creates will need to be classified as personal data, even if the data is not specifically linked to the owner of the device. This means that such data must be treated as personal information in the way it is gathered, stored and processed.

Security and notification of breaches. The GDPR explicitly introduces a general mandatory notification regime. When a personal data breach occurs, the supervisory authority must be notified within 72 hours of the organization becoming aware of the breach, and affected individuals must also be notified if a certain threshold is met.

  • Loopholes in firewalls can give access to the network via a poorly designed IoT device or configuration. The entry point could be a networked sensor, an edge/fog computing device, a camera, or a climate-control device.
  • An IoT hack could potentially take over the functionality of the compromised device. For example, a hacked vehicle, a production line or a worker safety system could be manipulated.

Personal data relating to children. The GDPR will make it impossible for children under the age of 13 to consent on their own behalf to the processing of their personal data in relation to online services.

These provisions pose challenges for those intending to bring to market IoT devices that may be used by children, both in relation to the feasibility of adding parental/guardian consent mechanisms to the devices and in relation to the ability to market such devices at an EU-wide level, given that the law relating to children between 13 and 15 may not be uniform across all Member States.

Knowing where all the data resides. Under the GDPR, an organization must be able to respond within one month to a request by a client to see all of the data held on them.

Being able to connect client data across silos – or even to eliminate silos – within organizations and across third parties will become crucial to fulfilling this requirement. With IoT, it is going to be extremely difficult for some organizations to maintain a single source of truth for all their customer data.

The best way to get started

Many organisations are aware they need to act now to prepare for the GDPR but are not sure of the best way to get started. The truth is there is no one right answer: where you start depends a lot on where you are now.

If you haven’t already done so, your first step should be to understand your GDPR obligations and your state of readiness, as well as the risks of failing to act now.

A key outcome of this GDPR readiness assessment should be a roadmap that helps you manage and mitigate the sources of risk you identify. This would include identifying existing initiatives in the company that could be built upon for your IoT solutions, as well as GDPR business-control gaps that may need to be filled.

Responsibility and necessary steps for IoT companies

The GDPR places responsibility on the board of directors for spearheading implementation of, and compliance with, the new law to strengthen the protection of consumer data. Organizations need to take the necessary measures to build digital relationships based on trust, ensuring that their mandate extends beyond data privacy to transparency and control over data. To enhance the security of personal data, the following steps need to be taken:

  • Implement a data plan for the gathering, storage and processing of personal data.
  • Implement the policies necessary for protecting personal data and for detecting, investigating and reporting any breach.
  • Ensure that staff are well educated about the new data laws and their responsibility for enhancing data security.
  • Ensure that all customers and suppliers have implemented frameworks to comply with GDPR requirements.

This article was originally published by IntelZone AS.