The Internet of Things (IoT) is rising together with other related technologies such as AI and Big Data. At the same time, we see new regulatory frameworks being imposed, such as the GDPR and the ePrivacy Regulation. Opinions are divided. There are those who say technologies such as IoT will make compliance to the GDPR almost impossible. At the other end of the line, there are those who say the GDPR is slow the progress of technology and make the use of IoT difficult. The truth is probably somewhere in the middle.
What is the Internet of Things?
Generally speaking, the IoT refers to any devices that are connected to the internet – such as smartphones, smart TVs, computers, health devices. It is estimated that by 2020 there will be 20 billion devices connected. Each such device collects data from the users. Already here we can see how the GDPR can pose a problem to the IoT. Privacy of personal data is an essential aspect of the Regulation.
With the Internet of Things personal data is collected in a continuous manner at times. This poses a risk to the security of the respective data, to the privacy of the data subject. It also rises other questions: how can we make sure consent is properly obtained for all data gathered by the IoT devices? How can we know where exactly the data is and who is responsible for it? We will tackle some of the major issues in this article and we will attempt to find answers to some of these questions.
Internet of Things security
The first problem arises due to the difficulties in ensuring IoT security. Both industry and academic researchers are still searching for the most efficient methods in the area of IoT security. Since the GDPR places great emphasis on security and privacy, with great fines in the case of a data breach especially if the breach takes place due to poor security, we can see the first conflict between the regulation and the IoT.
At the same time, the GDPR does not require specific methods to be used for security. As such, encryption, pseudonymization, anonymization, multi-factor authentication are all valid option. Each organization is given the possibility to choose their methods in accordance to the systems they use, their financial possibilities and the risk level. Security and the GDPR is a topic that has been previously covered on our blog, so we won’t go into further detail. If you feel you need to learn more, you can find the article here.
GDPR Consent and the Internet of Things
Another issue is making sure the consent to process data is obtained in compliance to the GDPR. We’ve discussed the issue of consent in a previous blog post, so if you need a reminder, you can check it out here. In short, we’ll remind you that the GDPR considers silence or inactivity is not valid consent. The data subject has to agree to the data processing through a clear affirmative act. It is not yet clear how this could be handled in IoT.
Asking the data subject for consent before they start using each device could be an option – but can we really take into consideration all the situations where data will be collected? The issue is still under debate, with no clear answer provided. As a data controller or a data processor you will have to make sure you take into consideration all scenarios where consent might be required. Otherwise, you risk to be non-compliant to the GDPR and the fines are considerable.
Another sensitive issue under the GDPR is processing the personal data of children. Those under the age of 13 should not be able to express consent on their own for processing in relation to online services. Many IoT devices are used by children.
Where is my data?
Another challenge that rises with the Internet of Things is knowing where the data is at all times. This means location, as well as who has the right to access it, how the data is used and to whom was it disclosed. According to the GDPR, a data subject has the right to be informed of this and more, at any given time. As a data controller, you have to able to provide the information. With the IoT, with the use of so many devices by each data subject, the risk to lose track of the data is not negligible.
As a data controller or processor, you are going to have to consider all scenarios right from the design phase. It is called “privacy by design and by default” for a reason. If you still feel like things are unclear, don’t worry! You are not alone. Most businesses report to be unclear about this. This is both because of the various devices, storage methods, but also because of the multiple departments existent. And before you panic, remember that a data controller has a month to answer to any access requests under the GDPR. This does not absolve you from implementing privacy by design and by default. It does however give you time to have a thorough answer ready.
All in all, statistics are not encouraging. According to a research coordinated by Global Privacy Enhancement network, finds, as reported by the TM Forum Inform that:
- 59% of devices failed to explain customers how their personal data was collected, used or disclosed
- 68% failed to explain how the data is stored
- 72% did not explain how data subjects could erase their information off a device
- 38% did not include easily identifiable contact details in case the data subjects had any privacy concerns.
The results are alarming in themselves. If we add the GDPR to the mix, it only gets worse. Does this mean we should do our best to avoid the IoT? Absolutely not. Because let’s face it, at the rate at which technology is moving, that would eventually mean going off the grid and into the woods.
The key is to look at the GDPR as an opportunity and not as an impediment. An opportunity to improve security and privacy. To offer tangible rights to the data subjects. And to offer better services overall. As long as we can see the opportunities behind Regulation, to focus on those and not on the fines, GDPR compliance should become a little bit easier. Even with complex systems like the Internet of Things.