GDPR and IoT: 5 Aspects of a Successful Compliance Strategy
Internet of Things privacy has always been a subject of heated discussion, and the concerns are legitimate given the volume and the sensitivity of the personal data that IoT devices and apps can collect: location, health readings, audio, and detailed behavioural patterns. That is where the GDPR comes into play.
Taking effect on 25 May 2018, the GDPR will set new standards for the collection and processing of personal data within the EU, including data collected by Internet of Things products, and will introduce a single set of rules for companies handling user data. This puts concrete obligations on device manufacturers and software vendors, who will need to adjust their data-handling strategies in order to comply with the new regulation.
Having helped a number of startups and businesses implement their IoT solutions, my team at Eastern Peak knows firsthand what GDPR means to IoT businesses and understands how to be GDPR compliant. In this article, I will share my experience and personal perspective on the Internet of Things privacy and GDPR.
How Will GDPR Impact IoT Applications? 5 Things You Need to Know
The number of software development requests for IoT projects has recently been at an all-time high. More businesses are considering this opportunity to enrich their offerings, and many startups are eager to cash in on the emerging trend. Yet most of them have something in common: they do not seem to understand how serious the data security and privacy issues can be.
Now, with the GDPR just around the corner, data security is once again in the spotlight of the global IoT community.
To avoid trouble with the new regulation, I strongly recommend taking the following steps to ensure your IoT products respect users' privacy.
1. Understand the GDPR requirements
As I have already mentioned, lacking the proper understanding of how GDPR principles apply to IoT is a common problem among both the industry newcomers and established players.
A common mistake is thinking that the GDPR has nothing to do with you or won’t impact your business directly.
Even if you are located outside the EU, the GDPR still applies to you as soon as you offer goods or services to people in the EU or monitor their behaviour there (Article 3). It can be difficult to control where your IoT product is used, even if you initially built it with a focus on a certain country, so you need to keep in mind that some of your devices or software might end up in the EU. In that case, ignorance will not be accepted as a defence, and you face fines and legal issues.
In addition, I would suggest educating your employees on the details of the regulation to avoid violations in the future.
2. Develop a solid mitigation strategy
One more important aspect of the new regulation that every IoT business needs to take into account is the importance of an incident response plan. Under the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the affected individuals (Article 33). If the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay (Article 34). Note that the 72-hour clock starts when you become aware of the breach, not when you finish investigating it, so late discovery is not an excuse for late reporting.
As IoT devices are considered an easy target for attackers, having a clear mitigation strategy in case of an attack is a must.
As time will be limited, I would suggest outlining the mitigation plan in advance and communicating it to your employees. It is important that their actions are well coordinated and timely. Judging by our experience, harm is minimised by having responsible technical staff who can take containment action immediately (revoking compromised credentials, isolating affected devices, rotating keys), while your administrative staff handles communication with the users and the authorities.
3. Prioritize transparency and users’ consent
Under the GDPR, consent is one of the lawful bases for processing personal data, and where you rely on it, the consent must be freely given, specific, informed and unambiguous. The types of data collected and the purpose of the processing should be clearly stated in the consent request, and users have the right to withdraw their consent at any time, as easily as they gave it.
To comply with the GDPR you need to put transparency and users' interests above all.
In practice, this means that consent can no longer be obtained by bundling it into acceptance of the basic terms and conditions buried in a privacy policy. Consent given via a pre-ticked box on the sign-up page will not be considered valid. That is why you might need to review and redesign your sign-up process and update your terms and conditions page.
Similarly, the GDPR grants users the right to data portability (Article 20): to receive the data they provided in a structured, machine-readable format and to transfer it to another vendor. It also grants the right to erasure (Article 17), which lets them have their data deleted from the vendor's systems on request, subject to conditions such as the data no longer being needed for the purpose it was collected for. These mechanisms should be built into your system from the start and be made easily accessible to your users, which for an IoT product means the backend, the mobile app and the device firmware must all be able to locate and remove a user's data. From the development standpoint, that is something we at Eastern Peak keep in mind at all times when designing and building IoT solutions.
4. Consider the limitations and be ready to adapt
Additional implications for Internet of Things privacy are tied to IoT products targeting children. Under the GDPR (Article 8), a child can consent to the processing of their data in relation to online services only from the age of 16; below that age, consent must be given or authorised by the holder of parental responsibility. Member states may lower this threshold in their national legislation, but not below 13, so the effective age of digital consent will vary from 13 to 16 depending on the country.
Some aspects of the new regulation might be tricky, yet that does not mean you can ignore them.
As far as I understand, this puts additional limitations on IoT providers. Namely, you might need to introduce a mechanism for verifying parental consent, and even localise the product's age checks to meet the legal requirements in each separate country within the EU.
5. Put professionals in charge of data protection
I am pretty sure that the GDPR is just the tip of the iceberg. As the industry matures, there will be more changes to come in the IoT data security sphere. To prepare for the new challenges, it is essential to have someone dedicated to data protection. Appointing a DPO (Data Protection Officer) is mandatory under Article 37 for public authorities and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health information. A connected product that continuously collects location, health or behavioural data from many users can easily meet that monitoring criterion, so do not assume the requirement does not apply to you. Even where it is not mandatory, a dedicated DPO who keeps your data protection policy up to date as the regulations change is a sound investment.
Of course, having a Data Protection Officer and security engineers take care of GDPR compliance is preferable. Yet I understand that not all companies can afford to hire dedicated privacy staff. In this case, we usually recommend partnering with a professional consultancy to put the required strategy in place. For example, our clients choose the "DPO as a service" model as part of the development service at Eastern Peak.
It’s Time to Take Action
If you are ready to implement the requirements set by the GDPR, we recommend first of all closely reviewing your existing data flows: What information do you collect? Where do you store it? How do you use it, and under which lawful basis? Who has access to it? Is it secure enough? For an IoT product this review has to cover the device itself, the communication channels and the cloud backend, not just the database. By having a clear understanding of these processes, you will be able to tailor your data strategy to the new legislation and close the gaps in your Internet of Things privacy policies; the answers also form the basis of the record of processing activities the GDPR requires (Article 30).
To discuss your Internet of Things privacy concerns and receive expert advice on a GDPR compliance strategy, visit Booth #336 at the IoT Tech Expo Global in London on 18-19 April. I will be glad to meet and discuss IoT security in person.