Even if a lot of your IoT data is related to products, rather than actual people, it still has the potential to impact privacy. Information provided by an Internet-connected vehicle, for example, can affect the privacy of the car owner if there’s a record of who owns that vehicle. Once a connected product is in a customer’s hands, all data broadcast through the product could be considered “personal data.” That means you need to apply “privacy by design principles” when it comes to gathering, storing, and processing any data.
“Just because you collect sensor data from IoT devices, don’t think that you are exempt from GDPR. Know where your data is, how it is protected, and what to do if there’s a problem.”
— Adrian Davis, EMEA director of cybersecurity advocacy at security training specialist (ISC)2.
With the new rules laid out in GDPR, you must clearly communicate how you plan to use a person’s data and give them an explicit choice to opt in or opt out. Consent must be a specific, informed, and unambiguous “clear affirmative action” taken by the user, freely given. On top of that, the company controlling the data must document in detail how the consent was obtained, and users must be able to easily withdraw their consent.
This is a high bar for any application, and it becomes particularly cumbersome in the context of IoT. Why? For one, IoT manufacturers and service providers don’t have a good track record of explaining their data practices. In 2016 a study by the Global Privacy Enforcement Network found that:
- 59% of IoT devices failed to explain to users how they process user data
- 68% failed to explain how they store information
- 72% failed to explain how to delete data
- 38% failed to include contact information
3. Data Ownership
The GDPR gives individuals substantial rights to their personal data. These rights include the “right to be forgotten,” data portability rights, and the right to object to automated decision-making, as mentioned above. IoT providers will need to give careful thought to the design of IoT devices, applications, and systems to build in the ability to comply with these new rights.
This could be especially important for architectures built on edge computing. Imagine if a compute node at the edge is somehow removed from your network, and you cannot prove that a user’s data has been removed from that device (or was ever on it in the first place). Due to the difficulty of maintaining control over physical devices at the edge, software should be designed in a way that keeps user data away from these devices as much as possible.
“For U.S.-based businesses subject to the GDPR, the right to be forgotten may seem to be a novel idea; however, it is a quickly approaching reality that must be addressed; due to its mandates and burden shifting, compliance with the right to be forgotten has the potential to be very onerous for many,” says Marc C. Tucker, a partner at Raleigh-based law firm Smith Moore Leatherwood LLP.
4. Automated Decision-Making
Without explicit user consent, all automated decision-making is prohibited by the GDPR if it produces “significant effects” on an individual. A decision that has a significant effect “must have the potential to significantly influence the circumstances, behavior, or choices of the individuals concerned.”
The spirit of this piece of regulation seems to be aimed at thwarting machine learning models that group individuals together in order to discriminate against or exclude them (as in the case of credit approvals). However, it’s a bit of a slippery slope. After all, it would be easy to argue that an application using automated decision-making to control a person’s oven could potentially burn the person’s house down, and therefore has the potential to produce a “significant effect” on the subject. Right now, it’s difficult to know how strict regulators will be when it comes to automated decision-making.
In the coming weeks and months, we will inevitably learn much more about how GDPR will be enforced and the implications for IoT developers and providers. For now, companies with Internet-connected products can start by vigilantly securing IoT data and obtaining explicit consent to collect data in the first place.
More long-term changes will also be necessary, including making architecture-level changes to comply with data ownership regulations, and maybe even rethinking the automation used in the IoT application development framework.