Wednesday, October 12th, 2016

GDPR and IoT: Key Considerations

The forthcoming European GDPR will probably be the toughest law yet aimed at protecting EU citizens from privacy and data breaches. It is, however, alarming how unprepared businesses are for this regulation and how little they know about it. One interesting area to look at is the IoT environment. A large number of businesses rely on processing and using personal data extensively, and this is especially true in IoT, where the purpose of almost all services is to anticipate the needs of the user and act on them. Much of the data handled by IoT devices will fall under the new GDPR. There will be new obligations concerning breach notification time, data consent, data processing, security, privacy impact assessments, the right to access and the need for data protection officers. When it comes to IoT and GDPR, let's have a look at the following key areas:

Consent

The GDPR introduces a higher bar for relying on consent and will now require clear affirmative action. Silence, pre-ticked boxes or inactivity will not be sufficient to constitute consent. Businesses that perform complex analytics using personal data will have to consider their customer engagement strategies, user interfaces and (clearer!) terms and conditions to ensure that they comply with the GDPR. Privacy by design is also something that will be required by the GDPR. This means that companies handling EU citizens’ data will need to consider privacy throughout the whole engineering process.

Data Processors

The GDPR obligations will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. These new measures will make it much more difficult for businesses involved in IoT to allocate risk. Processors will also find themselves subject to compliance.

Security

This is my favourite topic when it comes to GDPR and IoT. How will billions of devices have the appropriate security measures in place to ensure that the personal data being handled on, and sent from, these devices is protected? GDPR will require that processors and controllers implement security measures, such as pseudonymisation and encryption, to protect data and prevent breaches. But there is still a large number of security challenges that will need to be addressed, such as:

  • Limited security compute capabilities
  • Scalability and management of billions of entities in the IoT ecosystem
  • Encryption algorithms need higher processing power
  • Patching also requires higher processing power & more storage capacity
  • Mobile IoT devices can be stolen

The list goes on and on. Some companies are now looking at Blockchain, a multi-layered cloud network architecture. Will it be enough to satisfy the compliance elements of GDPR?
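Pseudonymisation is the one measure named above that an IoT backend can apply cheaply, because the constrained device does not have to do anything: the controller replaces the raw device identifier with a keyed pseudonym before the telemetry reaches analytics or support systems. The following is an added example, not code from the original post or from Smarttech247, and it uses only the Python standard library. It assumes a constructed telemetry feed keyed by MAC address, a hypothetical HMAC key held by the controller, and one key per processing purpose. It shows the three properties a practitioner should check for: the pseudonym is stable within a purpose (so analytics still works), different purposes cannot be linked to each other, and resolving a pseudonym back to a device requires the key that is kept separately.

```python
"""Keyed, purpose-bound pseudonymisation of IoT device identifiers.

Added example for the GDPR/IoT discussion above; not part of the original post.
Uses HMAC-SHA256 so that a pseudonym cannot be recomputed by anyone who does not
hold the controller's key, unlike a plain hash of the identifier.
"""
import hashlib
import hmac

# Constructed sample telemetry (not real devices or measurements).
SAMPLE_TELEMETRY = [
    {"device_id": "AA:BB:CC:DD:EE:01", "temp_c": 21.5, "ts": 1476259200},
    {"device_id": "AA:BB:CC:DD:EE:02", "temp_c": 19.0, "ts": 1476259260},
    {"device_id": "AA:BB:CC:DD:EE:01", "temp_c": 21.7, "ts": 1476259320},
]

# Hypothetical controller key; in production this lives in an HSM/KMS,
# separate from the pseudonymised data set (GDPR's "additional information").
CONTROLLER_KEY = bytes.fromhex("6f3c9a0e5b2d4c1a8e7f0d2b3c4a5e6f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d")


def pseudonymise_id(device_id: str, key: bytes, purpose: str) -> str:
    """Return a stable pseudonym for device_id, bound to one processing purpose.

    The purpose label is mixed into the MAC input (with a separator so that
    'analytics' + 'x' cannot collide with 'analytic' + 'sx'), which gives each
    purpose its own pseudonym space without managing separate keys.
    """
    msg = purpose.encode("utf-8") + b"\x00" + device_id.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, purpose: str):
    """Strip the raw identifier from each record and add a pseudonym instead."""
    out = []
    for rec in records:
        clean = dict(rec)
        raw_id = clean.pop("device_id")          # raw id never leaves this function
        clean["device_ref"] = pseudonymise_id(raw_id, key, purpose)
        out.append(clean)
    return out


def build_reidentification_table(device_ids, key: bytes, purpose: str):
    """Mapping pseudonym -> device id, held by the controller only.

    Anyone without the key cannot build this table, so the pseudonymised data
    set on its own no longer identifies a device.
    """
    return {pseudonymise_id(d, key, purpose): d for d in device_ids}


def linkable_across_purposes(device_id: str, key: bytes, purposes) -> bool:
    """True if the same device gets the same pseudonym under every purpose.

    For keyed, purpose-bound pseudonyms this should be False: the support
    team's records and the analytics records cannot be joined on device_ref.
    """
    return len({pseudonymise_id(device_id, key, p) for p in purposes}) == 1


def plain_hash_is_key_free(device_id: str) -> bool:
    """Illustrates why an unkeyed hash is not pseudonymisation.

    Two independent parties computing sha256(device_id) always agree, so any
    party holding raw identifiers can regenerate the 'pseudonyms' and link them.
    """
    first = hashlib.sha256(device_id.encode()).hexdigest()
    second = hashlib.sha256(device_id.encode()).hexdigest()
    return first == second


if __name__ == "__main__":
    analytics = pseudonymise_records(SAMPLE_TELEMETRY, CONTROLLER_KEY, "analytics")
    for rec in analytics:
        print(rec)
    table = build_reidentification_table(
        {r["device_id"] for r in SAMPLE_TELEMETRY}, CONTROLLER_KEY, "analytics")
    print("resolved:", table[analytics[0]["device_ref"]])
    print("linkable across purposes:",
          linkable_across_purposes("AA:BB:CC:DD:EE:01", CONTROLLER_KEY,
                                   ["analytics", "support"]))
```

The design choice worth noting is that the key, not the hash function, is what makes this pseudonymisation rather than a reversible encoding: MAC addresses and serial numbers come from small, structured spaces, so an unkeyed digest of them can be regenerated by anyone who holds a list of identifiers. Keeping the key (or the re-identification table) in a different trust domain from the telemetry store is what the regulation's "additional information kept separately" wording is asking for.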

Sanctions

The sanctions brought by the EU GDPR are not small. Companies that will fail to comply can be fined up to 4% of annual global turnover or €20 Million.

There are many more factors that need to be taken into consideration when discussing IoT and GDPR, such as data profiling and the negative effects on consumers when profiles are applied to them, the extent of control we actually have over our data (as users) and how businesses can successfully accommodate the new legal framework. The good news is that organisations still have some time (18 months) to prepare for the GDPR and plan changes ahead.

Copyright Smarttech247 - 2021