Do you know the ways IoT and devices use personal data?
As the devices in our daily lives become more and more intelligent, they gather greater amounts of data. The sales of smart devices are going through the ceiling and many of us own more than one smart device. Devices, compatible with multiple applications, process an enormous amount of our information. Have you ever considered what this information is being used for and by whom?
Nowadays, Internet of Things devices are everywhere. IoT devices are ordinary devices and objects that are connected to the internet or collect data through other means. For instance, you can control all the devices in your home through your smartphone or watch.
Oftentimes, IoT devices gather personal data that are exploitable by hackers looking to steal your identity. The current risk with IoT devices is that they offer hackers easy targets and are vulnerable to security breaches. In the not-so-distant future, the risks are only expected to increase in this area.
Many IoT devices still do not let you know how your personal data is used. According to the GDPR, the data processor must be aware of the obligation to let data subjects know how their personal data is gathered, processed, disseminated, and recorded. Moreover, the data subjects need to know what their rights to their personal data are. Trust is an integral part of innovation. Companies are at risk of losing it if their clients are not confident that companies are open about how data is processed.
GDPR and IoT
The GDPR has very specific rules for estimating the impact of such data protection circumstances. They truly come in handy for personal data processing where the risks are high in terms of data subjects’ rights and freedom, especially in new technologies. One cannot ignore the fact that these devices process location information and domain data, such as IP addresses. This means that once fully enforced from May 25th, the GDPR will also include this field. The world of IoT can encompass many complex levels of data processing with their respective processors. These categories are made up of, for example, equipment manufacturers, application developers, social media platforms and aggregation possibilities.
Data protection has to be built from the ground up if the device uses personal data. GDPR entails that personal data protection is considered in any developed product or service. An emphasized concern is the data protection issue that may arise at the beginning of product development. At this stage, it must be ensured that data protection issues are acknowledged throughout the lifecycle of any device or service. It is also important to carry out any technical procedure to ensure that the device that processes personal data is secure. As IoT is a part of a wider concept of information reality with a manifold of processes, the issue must be approached holistically.
Data Protection Impact Assessment is a tool that aids organizations in following data protection regulations when developing a device, product or a service that processes personal data. It is used to identify and remediate data protection issues in the early development stages of new projects and development. Furthermore, it is an instrument that will help you answer customer data protection concerns. In certain cases, especially when the processing of personal data poses major risks, the DPIA is mandatory.
Who can accept the processing of their personal data?
When it comes to the devices, applications, and systems in the IoT, attention must be paid to the transferring of data. For instance, it is impossible for children to accept the processing of their data with due diligence with regards to, for example, online services. Nevertheless, the market is filled with toys that are a part of IoT.
For adolescents between the ages of 13 and 15, the permission to release personal data for processing depends on the legislation of individual Member Countries. The assumption, however, is that these adolescents are not eligible to give consent due to their young age. This notion means major challenges to those organizations intending to distribute devices that are meant to be used by children. Moreover, another challenge comes with the question of whether IoT devices have parental consent features integrated. Issues such as these become even more complicated because the legislation is not consistent within the GDPR-enforcing countries.
Consumers and Data Protection
Consumers are becoming increasingly aware of data protection risks. In IoT consumer electronics, for example, security issues are understood at a certain level. In the corporate world, however, they are clear show stoppers. This means that concerns are high in environments where IoT security breach attempts are on the rise.
Regulations are welcomed in certain fields where personal data and security are of the essence. A great example is the financial industry. The demand for regulations does not only apply to IoT but also to robotics and artificial intelligence. This is the new reality that we all must face. Ignoring personal data protection is no longer an option when the stakes and risks are too high. Hence, the consequences are equally high. Therefore, organizations need experts who are skilled at personal data processing and its related technological risks and stipulations.
Currently, organizations train their staff on how to process personal information. This type of training should be extended to the consumer level to create awareness of IoT data security issues. Furthermore, products need to ensure personal privacy. For the manufacturers of objective goods, GDPR will change everything.
The GDPR mandates that users are given a clear overview of terms and conditions related to personal data protection of IoT products. In addition, consumers need to accept these terms before personal data can be saved. For products that do not have screens, this will be problematic. Nevertheless, IoT product manufacturers need to remember that data protection and data security are mutually inclusive. The message to consumers is loud and clear. The IoT organizations that invest time and money to design safe products respect their clients.
Data protection and security do not only challenge IT departments. Thanks to this intertwining, they both need to be high on the agendas at boardrooms.
As the introduction of the new regulation creates new obligations for companies with added administrative work, the planning and execution of GDPR compliance should be started as soon as possible. The window given to transition to GDPR is a year, meaning that the time to become GDPR compliant is rather short. Now is the time to act. The analysis of current data security and protection status by an external specialist is a recommended first step. We are more than happy to help you get ready for GDPR!
Contact Information:
Piia Hoffsten
Chief Operating Officer
piia.hoffsten@isletgroup.fi
+358 40 5877 303