GDPR, a speed breaker for IoT?
The EU General Data Protection Regulation (GDPR) enforcement date (May 25, 2018) is fast approaching. It was designed to harmonize data privacy laws across Europe, but in a connected world its impact is not limited to the EU: it has the potential to reshape the data privacy policies and approach of global organizations.
Data is often touted as “the new oil”, and an entire new economy is built on data sharing. New use cases are mostly about how to extract meaningful insights from the data collected, and often there is little diligence on what to collect. The approach is mostly to get as much data as possible, then analyze it and discard the unwanted. There is no guarantee that discarded data does not end up in the wrong hands for possible exploitation. Now GDPR is starting to put the brakes on this whole model. With huge penalties for non-compliance, companies are changing their data collection and storage methods and rewriting contracts and applications.
In the Internet of Things (IoT) enabled “well-connected” world, GDPR is a defining moment. The pervasiveness of IoT means no industry is immune from data privacy concerns:
Connected car, where personal data is collected to track whereabouts, behavior analysis, personalized entertainment etc.
Smart homes – where every device is connected and exchanging digital persona
Wearables, providing real time feed of everything that is personal
Human-machine interactions (Cyber Physical Systems) in industrial settings
Due to the type and volume of data generated in real time by such a vast number of disparate IoT devices, with no common standards governing them, it is a herculean task to protect and process personal data. GDPR is going to penalize companies heavily for not doing so one hundred percent, all the time.
The very architecture of IoT introduces many challenges for compliance under GDPR. Sensors collect data and feed it to gateways, which in turn forward it to the cloud for analytics. The data analyzed at the edge or in the cloud provides actionable insights and activates actuators.
The first challenge IoT presents is “scale”: the number of devices, types of devices, partners, software/firmware versions, connectivity types and so on make documenting each one of them, along with the associated risks, a huge task. Some devices might carry local storage but lack the ability to erase the data, some might have no encryption capability, and some might carry vulnerabilities that cannot be fixed because the firmware is not upgradable. IoT deployments are exploited continuously by attackers worldwide, and critical infrastructure is already under threat. Under GDPR, data breaches must be notified to the authorities within 72 hours. That is a tall order if a company does not even know the whereabouts of the compromised device.
Sharing of data between devices and cloud – Analytics applications at the edge and in the cloud process enormous amounts of data, structured and unstructured. Governing unstructured data is a real challenge when there is no clear knowledge of the personally identifiable information it contains. Tools are typically configured to look only for actionable insights that improve business processes, efficiency and value creation, without enough attention to the personal data collected. After analysis, data is either archived – in which case one must know how to retrieve it when the data subject requests it (a requirement under GDPR) – or deleted, which poses an even bigger challenge: proving the non-existence of the data. The data might also pass through several connected applications (for example, through APIs), and tracking it across the entire chain will be a nightmare.
GDPR requires explicit consent for collecting personal data and storing it for future use. The user must be clearly informed of how and when the collected data will be used, and consent must be sought again before the data is used for a different purpose. This requirement should be factored into the design of the IoT device, and the entire partner ecosystem needs to work together to address it. Companies should evaluate their products for the collection of unsolicited data, and should also have the capability to selectively wipe data when a user demands that everything collected about them be erased from all systems – the “right to be forgotten” under GDPR.
GDPR mandates that data subjects (people) give clear consent, and at all times they have the right to know the what, who and why of the processing of their personal data.
GDPR presents us with a great opportunity to improve the security posture of IoT implementations and beyond. There are a few often repeated (but often overlooked) security best practices that will come in handy here.
Asset discovery and identification – the configuration management database (CMDB), which typically restricts itself to IT assets, should expand to incorporate IoT devices and related assets as well. Companies should have a good asset introduction process and change process implemented, and enforced through tools. Companies should invest in monitoring tools to cover the entire IoT footprint.
Data Protection Impact Assessments (DPIA) – companies should enforce DPIAs on all assets where personal data is processed. GDPR Article 35:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
IoT, as a foundation for digital transformation across industries, definitely qualifies as a “new technology”.
Incident response plan – companies should revisit their existing incident response plan for security breaches and augment it, or put together a comprehensive plan from scratch. Under the GDPR breach notification requirement, any breach that “results in a risk for the rights and freedoms of the individuals” must be notified within 72 hours of first becoming aware of it. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. This requires a comprehensive approach to incident response to avoid hefty penalties.
“Need to know” framework – This is a fundamental principle advocated time and again as an essential best practice. Companies should, at any moment, collect and process only the data required to carry out the intended work. Adherence to this is even more critical when it comes to personal data. GDPR’s privacy by design (article 23) calls for “controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.” This requires a close audit of all IoT devices for their default settings, and working with partners to ensure hardened firmware/software with unwanted services removed from those devices.
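Purpose-bound consent (the consent paragraphs above) and data minimization (the “need to know” principle) can both be enforced in code at the gateway before a record reaches any analytics pipeline. The following Go program is an added example written for this page, not code from the original post or from any product it mentions: the purpose allow-list, the ConsentRegistry type, the Minimise function and the smart-meter record are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Fields each purpose is permitted to process. This allow-list is constructed
// for the example; in practice it comes out of the DPIA and the privacy notice
// the data subject actually saw.
var fieldsPerPurpose = map[string][]string{
	"billing":        {"subject_id", "kwh_consumed"},
	"grid_balancing": {"kwh_consumed"}, // aggregate use: no identifier needed
	"marketing":      {"subject_id", "kwh_consumed", "appliance_profile"},
}

// Reading is one smart-meter telemetry record as the gateway receives it.
type Reading map[string]interface{}

var (
	ErrNoConsent      = errors.New("data subject has not consented to this purpose")
	ErrUnknownPurpose = errors.New("purpose is not in the allow-list")
)

// ConsentRegistry records, per data subject, the purposes they have agreed to.
type ConsentRegistry struct {
	granted map[string]map[string]bool
}

func NewConsentRegistry() *ConsentRegistry {
	return &ConsentRegistry{granted: map[string]map[string]bool{}}
}

// Grant records consent for one purpose only; every other purpose stays refused,
// so re-using the data for a new purpose requires a new Grant.
func (c *ConsentRegistry) Grant(subject, purpose string) {
	if c.granted[subject] == nil {
		c.granted[subject] = map[string]bool{}
	}
	c.granted[subject][purpose] = true
}

// Withdraw removes consent; later processing for that purpose is refused.
func (c *ConsentRegistry) Withdraw(subject, purpose string) {
	delete(c.granted[subject], purpose)
}

func (c *ConsentRegistry) Has(subject, purpose string) bool {
	return c.granted[subject][purpose]
}

// Minimise checks consent for the purpose and returns a copy of r holding only
// the fields that purpose may process. Anything else the device happened to
// collect (here a Wi-Fi SSID) is dropped before it reaches analytics.
func Minimise(c *ConsentRegistry, r Reading, purpose string) (Reading, error) {
	allowed, ok := fieldsPerPurpose[purpose]
	if !ok {
		return nil, ErrUnknownPurpose
	}
	subject, _ := r["subject_id"].(string)
	if !c.Has(subject, purpose) {
		return nil, ErrNoConsent
	}
	out := Reading{}
	for _, f := range allowed {
		if v, present := r[f]; present {
			out[f] = v
		}
	}
	return out, nil
}

func main() {
	c := NewConsentRegistry()
	c.Grant("meter-0042", "billing")
	// Constructed telemetry record: more than any single purpose needs.
	r := Reading{
		"subject_id":        "meter-0042",
		"kwh_consumed":      12.5,
		"appliance_profile": "ev-charger",
		"wifi_ssid":         "HomeNet",
	}
	for _, p := range []string{"billing", "marketing", "grid_balancing"} {
		out, err := Minimise(c, r, p)
		fmt.Printf("%-15s -> %v (err: %v)\n", p, out, err)
	}
}
```

A record is stripped to the fields the stated purpose is allowed to use, and processing for a purpose the subject has not consented to, or has withdrawn consent for, fails with an error instead of silently passing the full record through. Logging those refusals gives the audit trail a DPIA reviewer will ask for.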
Secure data handling at the devices – GDPR mandates the “right of access” and the “right to be forgotten” (articles 15 & 17). This means IoT devices and applications must be able to selectively wipe data if they have local storage in whatever form, and must also store the data in encrypted form to protect against data loss. Companies should, based on their jurisdiction, evaluate their IoT products against these capabilities and work with partners to remediate gaps as needed.
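One way to give a device both the “right of access” and a selective wipe, even when its flash cannot be reliably erased, is to encrypt each data subject's records under a per-subject key and destroy only that key on erasure (crypto-shredding). The Go program below is an added example for this page, not the post's or any vendor's code; the SubjectStore type, its methods and the wearable reading are constructed for illustration, and the keys are held in a map standing in for RAM or a secure element.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrErased = errors.New("data subject has been erased")
type sealed struct{ nonce, ciphertext []byte } // one record as stored in flash

// SubjectStore encrypts each subject's records under that subject's own key, so
// erasing a subject is a key destruction: it works even on flash that cannot be wiped.
type SubjectStore struct {
	keys    map[string][]byte   // subject -> AES-256 key (RAM or secure element)
	records map[string][]sealed // subject -> ciphertexts (persistent storage)
}

func NewSubjectStore() *SubjectStore {
	return &SubjectStore{keys: map[string][]byte{}, records: map[string][]sealed{}}
}

// aead returns the AES-GCM instance for a subject, generating a random key on
// first use. A subject whose key was destroyed is reported as erased, never re-keyed.
func (s *SubjectStore) aead(subject string) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		if len(s.records[subject]) > 0 {
			return nil, ErrErased
		}
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		s.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record, binding the subject id as additional authenticated data.
func (s *SubjectStore) Put(subject string, plaintext []byte) error {
	g, err := s.aead(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(subject))
	s.records[subject] = append(s.records[subject], sealed{nonce, ct})
	return nil
}

// Export decrypts everything held about a subject: the "right of access" path.
func (s *SubjectStore) Export(subject string) ([][]byte, error) {
	if len(s.records[subject]) == 0 {
		return nil, nil // nothing was ever stored for this subject
	}
	g, err := s.aead(subject)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, r := range s.records[subject] {
		pt, err := g.Open(nil, r.nonce, r.ciphertext, []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase is the selective wipe: zero and drop this subject's key only. The
// ciphertext is left in place on purpose, to show it is now unrecoverable.
func (s *SubjectStore) Erase(subject string) {
	if key, ok := s.keys[subject]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, subject)
	}
}

func main() {
	s := NewSubjectStore() // constructed wearable reading for one data subject
	s.Put("alice", []byte("heart_rate=72"))
	s.Erase("alice")
	_, err := s.Export("alice")
	fmt.Printf("alice: %d ciphertexts kept, export error: %v\n", len(s.records["alice"]), err)
}
```

Erasing one subject leaves every other subject's key and data untouched, which is the selective part; the remaining ciphertext is useless without the key, which is what makes the approach viable on devices that cannot guarantee a physical erase. The open question for a real deployment is where the keys live (a secure element is the natural home) and how a cloud-side backup of the keys is itself erased on request.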
Although the aim of GDPR is to protect European Union citizens from privacy and data breaches, the law will affect almost everyone, as global businesses use data to improve their services. When it comes to IoT, there has recently been increased awareness driving standardization, and regulatory authorities are also stepping in to bring order. The controls mandated by GDPR will further strengthen this drive. By taking GDPR into consideration at the conceptual stage of digital transformation initiatives, and implementing the necessary controls and tools, companies can reap the benefits of IoT confidently.
The GDPR will be far-reaching in other respects too: it will extend to IoT devices and their networks. What is far less clear is how organizations will be able to achieve compliance in IoT GDPR. While the advice offered to businesses on more generic GDPR compliance holds true, applying it in an IoT context can be a real challenge thanks to the very nature of IoT devices and the processing that makes Internet of Things business models viable.
GDPR training is important so that they do not make one silly mistake that snowballs into a hefty fine. Not only this, but you also must have a cookie consent banner on your website.
A GDPR consultant helps companies understand and properly comply with the General Data Protection Regulation for the European Union. A good GDPR consultant is an expert in GDPR who assists and guides businesses in their quest for complete compliance. Know more from https://www.teamworkims.co.uk/gdpr
GDPR awareness course I wanted to thank you for this excellent read!! I definitely loved every little bit of it. I have bookmarked your site to check out the new stuff you post.