According to research conducted by the Global Privacy Enhancement Network, 59% of internet-connected devices failed to explain to their customers how their data was collected, used, or disclosed. Furthermore, 68% were unable to say how the data is stored, 72% did not explain to users how to erase that data from the device, and 38% did not include easily identifiable contact details for users with privacy concerns.
These devices are all part of the so-called Internet of Things (IoT), a relatively new phenomenon that is rising alongside other emerging technologies such as AI and Big Data. Within IoT, we have all sorts of devices, ranging from smartphones, tablets, and PCs to vehicles, home appliances, and even industrial hardware, all fitted with software and connected to each other across a network infrastructure. It is to these devices that the statistics above apply.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new regulation within European Union law that tackles data protection and privacy for all individuals within its borders. The GDPR's primary purpose is to give EU citizens and residents control over their data, while simplifying the regulatory process. Even though the GDPR applies within the EU, it can still exert its influence beyond its borders. After a two-year period, the law becomes enforceable on 25 May 2018.
IoT vs. GDPR
Based on the obligations the GDPR imposes, as well as the statistics mentioned above, some argue that many IoT technologies will have a difficult, if not impossible, time complying with the new regulations.
The most significant challenge concerns security. Because the GDPR places such an emphasis on it, organizations that suffer a data breach as a direct result of poor security implementation face considerable fines. The GDPR does not require a specific security method, leaving each organization to choose one based on its needs and activity.
Another issue is consent. The GDPR requires that any device that collects and stores personal data obtain permission from users each time it does so. The new regulation does not consider silence or inactivity to be valid consent.
Asking the user for consent every time they use a device is an option, but this means that every situation in which data is collected must be accounted for; otherwise, the organization risks noncompliance and a considerable fine. Likewise, children under the age of 13 cannot give consent on their own, even though many children use IoT devices.
Lastly, there is the challenge of knowing where data is at all times. Under the GDPR, users have the right to be informed at any time where their information is, what it was used for, and who else had access to it. With so many IoT devices belonging to a single user, there is a high risk of losing track of this information. Devices need to focus on "privacy by design and by default," meaning that all of the scenarios presented here must be considered right from the design phase.
If you feel that this article raises more questions than it answers, you are not alone. Some may be inclined to forsake IoT altogether after reading this, but at the rate at which technology is evolving, that would mean living off the grid, in a forest somewhere. Nevertheless, what the GDPR hopes to achieve is commendable, placing IoT on the road to improved security and privacy.