
Do you know how IoT devices use personal data?

As the devices in our daily lives become more and more intelligent, they gather greater amounts of data. Sales of smart devices are going through the roof, and many of us own more than one smart device. Devices compatible with multiple applications process an enormous amount of our information. Have you ever considered what this information is being used for, and by whom?

Nowadays, Internet of Things devices are everywhere. IoT devices are ordinary devices and objects that are connected to the internet or collect data through other means. For instance, you can control all the devices in your home through your smartphone or watch.

Oftentimes, IoT devices gather personal data that is exploitable by hackers looking to steal your identity. The current risk with IoT devices is that they offer hackers easy targets and are vulnerable to security breaches. In the not-so-distant future, the risks in this area are only expected to increase.

Many IoT devices still do not let you know how your personal data is used. According to the GDPR, the data processor must be aware of the obligation to let data subjects know how their personal data is gathered, processed, disseminated, and recorded. Moreover, data subjects need to know what their rights to their personal data are. Trust is an integral part of innovation. Companies are at risk of losing it if their clients are not confident that companies are open about how data is processed.

GDPR and IoT

The GDPR has very specific rules for assessing the impact of such data protection circumstances. They truly come in handy for personal data processing where the risks to data subjects' rights and freedoms are high, especially in new technologies. One cannot ignore the fact that these devices process location information and domain data, such as IP addresses. This means that once fully enforced from May 25th, the GDPR will also cover this field. The world of IoT can encompass many complex levels of data processing, each with its respective processors. These categories are made up of, for example, equipment manufacturers, application developers, social media platforms and aggregation possibilities.

Data protection has to be built in from the ground up if the device uses personal data. The GDPR entails that personal data protection is considered in any developed product or service. An emphasized concern is the data protection issues that may arise at the beginning of product development. At this stage, it must be ensured that data protection issues are acknowledged throughout the lifecycle of any device or service. It is also important to carry out any technical procedure needed to ensure that a device that processes personal data is secure. As IoT is part of a wider concept of information reality with a manifold of processes, the issue must be approached holistically.

A Data Protection Impact Assessment (DPIA) is a tool that aids organizations in following data protection regulations when developing a device, product or service that processes personal data. It is used to identify and remediate data protection issues in the early stages of new projects and development. Furthermore, it is an instrument that will help you answer customer data protection concerns. In certain cases, especially when the processing of personal data poses major risks, the DPIA is mandatory.

Who can consent to the processing of their personal data?

When it comes to the devices, applications, and systems in the IoT, attention must be paid to the transferring of data. For instance, it is impossible for children to consent to the processing of their data with due diligence with regard to, for example, online services. Nevertheless, the market is filled with toys that are part of the IoT.

For adolescents between the ages of 13 and 15, the permission to release personal data for processing depends on the legislation of individual Member Countries. The assumption, however, is that these adolescents are not eligible to give consent due to their young age. This notion means major challenges for those organizations intending to distribute devices that are meant to be used by children. Moreover, another challenge comes with the question of whether IoT devices have parental consent features integrated. Issues such as these become even more complicated because the legislation is not consistent across the GDPR-enforcing countries.

Consumers and Data Protection

Consumers are becoming increasingly aware of data protection risks. In the IoT, taking consumer electronics as an example, security issues are understood at a certain level. In the corporate world, however, they are clear show stoppers. This means that concerns are high in environments where IoT security breach attempts are on the rise.

Regulations are welcomed in certain fields where personal data and security are of the essence. A great example is the financial industry. The demand for regulations does not only apply to IoT but also to robotics and artificial intelligence. This is the new reality that we all must face. Ignoring personal data protection is no longer an option when the stakes and risks are too high. Hence, the consequences are equally high. Therefore, organizations need experts who are skilled in personal data processing and its related technological risks and stipulations.

Currently, organizations train their staff on how to process personal information. This type of training should be extended to the consumer level to create awareness of IoT data security issues. Furthermore, products need to ensure personal privacy. For the manufacturers of physical goods, GDPR will change everything.

The GDPR mandates that users are given a clear overview of the terms and conditions related to the personal data protection of IoT products. In addition, consumers need to accept these terms before personal data can be saved. For products that do not have screens, this will be problematic. Nevertheless, IoT product manufacturers need to remember that data protection and data security are mutually inclusive. The message to consumers is loud and clear: the IoT organizations that invest time and money in designing safe products respect their clients.

Data protection and security do not only challenge IT departments. Because of this intertwining, they both need to be high on the agendas in boardrooms.

As the introduction of the new regulation creates new obligations for companies with added administrative work, the planning and execution of GDPR compliance should be started as soon as possible. The window given to transition to GDPR is a year, meaning that the time to become GDPR compliant is rather short. Now is the time to act. An analysis of the current data security and protection status by an external specialist is a recommended first step. We are more than happy to help you get ready for GDPR!

Contact Information:
Piia Hoffsten
Chief Operating Officer
piia.hoffsten@isletgroup.fi
+358 40 5877 303

Buzzwords: #GDPR #dataprotection #cybersecurity #datasecurity #IoT #AI #spreadthenews
