GDPR goes into effect tomorrow, and most experts agree that no one’s really ready, not even regulators. With the massive amount of the data collected by devices in our connected world, Internet of Things (IoT) solutions providers face unique challenges in their efforts to comply.
What Exactly is GDPR?
The European Commission proposed a reform of data protection across the European Union in January 2012. Almost four years later, the EU institutions reached agreement on what the reform would involve and how it would be enforced.
The General Data Protection Regulation (GDPR) was officially adopted by the European Union in 2016, and it gave companies two years to get compliant.
At its center, GDPR is a set of rules intended to give citizens in the EU more control over their personal data. Its reforms are designed to bring laws around personal data, privacy and consent up to speed for the Internet-connected world.
Under GDPR, organizations will have to be able to prove that personal data is gathered legally. On top of that, companies who collect and manage personal data will be required to protect it from misuse and exploitation.
The difference between this and other privacy measures put into place by different governments around the world? This one has teeth. The consequences of non-compliance are steep — regulators can fine companies up to 4 percent of their global revenue for violations.
GDPR itself is staggeringly complex, but it’s even more complicated for companies providing Internet of Things (IoT) products or solutions. If your company has IoT-enabled products, here are some things to be on the lookout for as GDPR goes into effect.
1. Data Security
While IoT offers completely new ways for businesses and individuals to interact with technology, the data sharing inherent in IoT creates new opportunities for information to be compromised. That’s why it’s crucial to know what data you’re collecting, where it resides and how it is protected. GDPR puts even more urgency behind the need to follow IoT security best practices, including:
- Reduce your attack surface
- Reduce the total amount of information stored on any given device
- Never store sensitive information in plain text
- Implement vulnerability testing
- Encrypt data both at rest and in transit
Even if a lot of your IoT data is related to products, rather than actual people, it still has the potential to impact privacy. Information provided by an Internet-connected vehicle, for example, can affect the privacy of the car owner if there’s a record of who owns that vehicle. Once a connected product is in a customer’s hands, all data broadcast through the product could be considered “personal data.” That means you need to apply “privacy by design principles” when it comes to gathering, storing, and processing any data.
“Just because you collect sensor data from IoT devices, don’t think that you are exempt from GDPR. Know where your data is, how it is protected, and what to do if there’s a problem.”
— Adrian Davis, EMEA director of cybersecurity advocacy at security training specialist (ISC)².
2. Consent
With the new rules laid out in GDPR, you must clearly communicate how you plan to use a person’s data and give them an explicit choice to opt in or opt out. Consent must be a specific, informed, and unambiguous “clear affirmative action” taken by the user, freely given. On top of that, the company controlling the data must document in detail how the consent was obtained, and users must be able to easily withdraw their consent.
This is a high bar for any application, and it becomes particularly cumbersome in the context of IoT. Why? For one, IoT manufacturers and service providers don’t have a good track record of explaining how they handle data. In 2016, a study by the Global Privacy Enforcement Network found that:
- 59% of IoT devices failed to explain to users how they process user data
- 68% failed to explain how they store information
- 72% failed to explain how to delete data
- 38% failed to include contact information
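As an added example (not code from the original post or from any vendor), here is how a consent ledger for an IoT product can meet the requirements above in code: every decision is an explicit event that records the purpose, how and when it was captured, and a digest of the exact notice the user saw; the absence of any record means no consent; withdrawal is a single call that takes effect immediately; and the telemetry pipeline drops any field whose purpose is not currently opted into. The purposes, field names, user id and screen identifiers are assumptions made for illustration.

```python
"""Consent ledger for an IoT product (added example, not from the original post)."""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Which stored field serves which processing purpose (hypothetical purposes).
# A field is kept only while the user has a live, explicit opt-in for its purpose.
FIELD_PURPOSE = {
    "odometer_km": "usage_telemetry",
    "battery_pct": "usage_telemetry",
    "gps": "location_history",
}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool       # True = affirmative opt-in, False = withdrawal
    obtained_via: str   # where the choice was captured, e.g. a hypothetical app screen id
    notice_sha256: str  # digest of the exact notice text shown (empty on withdrawal)
    at: str             # ISO 8601 UTC timestamp


class ConsentLedger:
    """Append-only log of consent decisions; the newest event per purpose wins."""

    def __init__(self):
        self._events = []

    def _append(self, user_id, purpose, granted, obtained_via, notice_text, at):
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest() if notice_text else ""
        ev = ConsentEvent(
            user_id=user_id,
            purpose=purpose,
            granted=granted,
            obtained_via=obtained_via,
            notice_sha256=digest,
            at=at or datetime.now(timezone.utc).isoformat(),
        )
        self._events.append(ev)
        return ev

    def grant(self, user_id, purpose, obtained_via, notice_text, at=None):
        """Record an explicit opt-in. Nothing else ever creates a granted state."""
        return self._append(user_id, purpose, True, obtained_via, notice_text, at)

    def withdraw(self, user_id, purpose, obtained_via, at=None):
        """Record a withdrawal; it takes effect on the next is_permitted() call."""
        return self._append(user_id, purpose, False, obtained_via, "", at)

    def is_permitted(self, user_id, purpose):
        """No event at all means no consent: silence and pre-ticked boxes do not count."""
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev.granted
        return False

    def evidence(self, user_id, purpose):
        """The full history for one purpose, as a regulator or the user would see it."""
        return [asdict(ev) for ev in self._events
                if ev.user_id == user_id and ev.purpose == purpose]


def filter_by_consent(ledger, user_id, record):
    """Keep only fields that have a known purpose the user currently consents to."""
    return {
        field: value
        for field, value in record.items()
        if field in FIELD_PURPOSE and ledger.is_permitted(user_id, FIELD_PURPOSE[field])
    }
```

Two design choices carry the regulatory weight: `is_permitted()` returns `False` when no event exists, so consent can never be inferred from inactivity, and `filter_by_consent()` also discards fields with no declared purpose, so data the product cannot justify is never stored at all. In production the ledger would be persisted to append-only storage and the notice text itself retained, so that the digest can be matched to what the user actually read.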
3. Data Ownership
The GDPR gives individuals substantial rights to their personal data. These rights include the “right to be forgotten,” data portability rights, and the right to object to automated decision-making, as mentioned above. IoT providers will need to give careful thought to the design of IoT devices, applications and systems to build in the ability to comply with these new rights.
This could be especially important for architectures built on edge computing. Imagine if a compute node at the edge is somehow removed from your network, and you cannot prove that a user’s data has been removed from that device (or was ever on it in the first place). Due to the difficulty of maintaining control over physical devices at the edge, software should be designed in a way that keeps user data away from these devices as much as possible.
“For U.S.-based businesses subject to the GDPR, the right to be forgotten may seem to be a novel idea; however, it is a quickly approaching reality that must be addressed; due to its mandates and burden shifting, compliance with the right to be forgotten has the potential to be very onerous for many,” says Marc C. Tucker, a partner at Raleigh-based law firm Smith Moore Leatherwood LLP.
4. Automated Decision-Making
Without explicit user consent, all automated decision-making is prohibited by the GDPR if it produces “significant effects” on an individual. A decision that has a significant effect, “must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned.”
The spirit of this part of the regulation seems to be aimed at thwarting machine-learning models that group individuals together in order to discriminate against or exclude them (as in credit approvals, for example). However, it’s a bit of a slippery slope. After all, it would be easy to argue that an application using automated decision-making to control a person’s oven could potentially burn the house down, and therefore has the potential to produce a “significant effect” on the subject. Right now, it’s difficult to know how strict regulators will be about automated decision-making.
In the coming weeks and months, we will inevitably learn much more about how GDPR will be enforced and the implications for IoT providers. For now, companies with Internet-connected products can start by vigilantly securing IoT data and obtaining explicit consent to collect data in the first place.
Longer-term changes will also be necessary, including architecture-level changes to comply with the data ownership rules, and perhaps even a rethink of the automation used in IoT products.