IoT in light of the GDPR
The challenges for developing smart devices under the General Data Protection Regulation
15 November 2019
The Internet of Things (IoT) is on the rise. As a result, a huge volume of personal data is being processed, often including sensitive personal data. With consumers' awareness of data protection growing, it is important that companies developing new technology for smart devices consider IT security and data protection throughout the whole lifecycle of a product.
This article sets out the challenges for developing smart devices for the IoT under the General Data Protection Regulation (GDPR) and highlights the actions required to not only be competitive but to avoid fines or damage claims.
IoT and data
Terms such as "Smart Home", "Connected Car" or "Industry 4.0" have been ubiquitous in recent years. They describe business models in which devices or machines (Things) connect and communicate via the internet with other Things. During this communication, the device will send and receive data that has been processed (e.g. collected) by itself or another device. This data may be non-personal data (e.g. for industrial machine-to-machine communication) or personal data, especially for Business-to-Consumer applications.
Application of the GDPR
IoT services are based on business models that rely upon data exchanges between networked devices or between these devices and a central infrastructure. Therefore, several requirements must be considered in order to comply with the GDPR, which applies to the processing of personal data within the European Union and the European Economic Area. In some cases, the GDPR also applies to companies outside the EU/EEA, e.g. if they offer goods or services to individuals in the EU/EEA or monitor their behaviour (e.g. through profiles generated by smart devices); it is the location of the data subject, not their citizenship, that matters.
Processing of personal data means any operation which is performed on information relating to an identified or identifiable natural person. This definition covers any operation on personal data (e.g. collection, storage, transfer or even anonymisation; note that anonymising data is itself processing, even though data that has been effectively anonymised no longer falls under the GDPR). A connected car, for example, processes its owner's locations, routes and driving habits. Similarly, fitness wearables process health data of the person wearing the device, which is a special category of personal data subject to stricter conditions. A smart refrigerator as part of a smart home processes information about its owner's living habits.
As a consequence, various obligations apply to suppliers of consumer goods and suppliers of industrial IoT products.
Obligations under the GDPR include:
- consent or other legal basis for processing data,
- granting of special rights to the data subject and being able to fulfil these rights,
- ensuring security of personal data, and
- implementing Privacy by Design and Privacy by Default.
Challenges resulting from the IoT
Data processing requires a legal basis in order to comply with the GDPR. These can include: the data subject's consent, that the processing is necessary for the performance of a contract (e.g. if the supplier also enters into a service agreement with the customer), or the supplier's legitimate interests, balanced against the interests and rights of the data subject. In many cases, suppliers will need to rely on consent, as the other possibilities usually do not cover the broad range of processing. When basing the processing on consent, this needs to be validly obtained, i.e. freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. For consent to be valid, the customer must know who processes which data, for what purpose and with whom the data will be shared.
Beyond this requirement for a legal basis, and irrespective of whether consent is required, suppliers must communicate specific information to their customers regarding the processing of their data. All this information must – again – be given in a clear and transparent way. This information must include, for instance, a comprehensive description of the customer's rights as a data subject. A supplier also needs to ensure that it is able to fulfil these rights, e.g. be able to provide each customer with information on what data is stored about him or her and be able to delete such data upon request. To be able to fulfil these obligations, developers must know which data the smart device processes and where it is stored. This might be a complicated task considering the often large amounts of data and – potentially – the limited access to the data by the controller itself, considering that a significant amount of such data is typically stored within the smart device.
As part of the IoT business model, smart devices usually need access to data collected by other devices via the IoT and vice versa. Such access can sometimes be in the interest of the customer, but not necessarily, especially as it might increase the risk of data breaches. According to a recent study by the data security company Gemalto, only 48% of suppliers can detect whether their smart devices have suffered a data breach. In this context, suppliers of IoT products and services should keep in mind that such data breaches will not only damage their reputation but will likely also have legal consequences. Particularly where IT security is not state of the art, fines of up to EUR 20,000,000 or 4% of worldwide annual turnover, whichever is higher, can be imposed. In recent months the UK ICO has shown that these are not idle threats, with notices of intention to fine British Airways (£183.4 million, or 1.5% of its global turnover) and Marriott (£99.2 million).
One of the aims of the GDPR is that companies protect data subjects through technical measures, not only through paperwork. Therefore, when planning new devices, developers need to consider the concepts of Privacy by Design (i.e. adopting appropriate technical and organisational measures, such as pseudonymisation, that implement data protection principles like data minimisation in an effective manner) and Privacy by Default (i.e. ensuring that, by default, only the personal data necessary for each specific purpose is processed, so that the strictest privacy settings are the ones the device ships with).
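The two preceding requirements, being able to answer access and erasure requests because you know which data the device processes and where it is stored, and Privacy by Design and by Default, are engineering tasks as much as legal ones. The following is an added example, not code from the article or from any product it mentions, sketching how a connected-car supplier might model them: the shipped settings are the strictest ones, optional processing is opt-in, location precision and retention are limited, and a registry tracks which store (on-device or cloud) holds which records so that export and erasure cover all of them. All names, fields, sample readings and the 30-day retention period are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class PrivacySettings:
    """Privacy by Default: the shipped configuration is the strictest one.
    Every optional processing is off until the owner opts in."""
    share_routes_with_partners: bool = False  # opt-in, never pre-ticked
    location_decimals: int = 2                # ~1 km grid instead of ~1 m precision
    retention_days: int = 30                  # storage limitation (assumed value)


@dataclass(frozen=True)
class TelemetrySample:
    """Raw reading as produced by the car (constructed sample shape)."""
    owner_id: str
    ts: datetime
    lat: float
    lon: float
    speed_kmh: float


def minimise(sample: TelemetrySample, settings: PrivacySettings) -> dict:
    """Privacy by Design: store only what the active purpose needs.
    Location is coarsened; speed is kept only for the opted-in route-sharing purpose."""
    record = {
        "owner_id": sample.owner_id,
        "ts": sample.ts,
        "lat": round(sample.lat, settings.location_decimals),
        "lon": round(sample.lon, settings.location_decimals),
    }
    if settings.share_routes_with_partners:
        record["speed_kmh"] = sample.speed_kmh
    return record


class PersonalDataRegistry:
    """Tracks which store (on-device vs. supplier cloud) holds which records,
    so access, erasure and retention obligations can be met across all of them."""

    def __init__(self) -> None:
        self.stores: Dict[str, List[dict]] = {"device": [], "cloud": []}

    def ingest(self, sample: TelemetrySample, settings: PrivacySettings, store: str) -> None:
        self.stores[store].append(minimise(sample, settings))

    def export_for(self, owner_id: str) -> Dict[str, List[dict]]:
        """Right of access: everything held about one subject, grouped by location."""
        return {loc: [r for r in recs if r["owner_id"] == owner_id]
                for loc, recs in self.stores.items()}

    def erase(self, owner_id: str) -> int:
        """Right to erasure: delete from every store; returns the number of records removed."""
        removed = 0
        for loc in list(self.stores):
            kept = [r for r in self.stores[loc] if r["owner_id"] != owner_id]
            removed += len(self.stores[loc]) - len(kept)
            self.stores[loc] = kept
        return removed

    def purge_expired(self, now: datetime, settings: PrivacySettings) -> int:
        """Storage limitation: drop records older than the retention period."""
        cutoff = now - timedelta(days=settings.retention_days)
        removed = 0
        for loc in list(self.stores):
            kept = [r for r in self.stores[loc] if r["ts"] >= cutoff]
            removed += len(self.stores[loc]) - len(kept)
            self.stores[loc] = kept
        return removed


def demo() -> dict:
    """Runs the flow on constructed samples and returns the results for inspection."""
    now = datetime(2019, 11, 15, tzinfo=timezone.utc)
    default = PrivacySettings()
    opted_in = PrivacySettings(share_routes_with_partners=True)
    reg = PersonalDataRegistry()
    # Constructed readings: two for "alice" (one past retention), one for "bob" who opted in.
    alice_old = TelemetrySample("alice", now - timedelta(days=45), 52.520008, 13.404954, 48.0)
    alice_new = TelemetrySample("alice", now - timedelta(hours=1), 52.516275, 13.377704, 30.0)
    bob = TelemetrySample("bob", now - timedelta(hours=2), 48.137154, 11.576124, 90.0)
    reg.ingest(alice_old, default, "device")
    reg.ingest(alice_new, default, "cloud")
    reg.ingest(bob, opted_in, "cloud")
    expired = reg.purge_expired(now, default)   # alice_old is dropped
    alice_export = reg.export_for("alice")       # access request across both stores
    erased = reg.erase("bob")                    # erasure request across both stores
    return {"expired": expired, "alice_export": alice_export, "erased": erased,
            "bob_minimised": minimise(bob, opted_in)}


if __name__ == "__main__":
    print(demo())
```

The point of the registry is that an access or erasure request is only answerable if every location holding the subject's data is known; a record written to the device but never inventoried would silently survive an erasure. Coarsening location and dropping fields not needed for the active purpose at ingestion time, rather than filtering at export time, is what makes the minimisation effective.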
Suppliers should also keep an eye on the proposed EU Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), planned for 2020, which would add further requirements for IoT devices and applications.
In Germany, authorities have not yet responded to the challenges resulting from the IoT. However, a look at other European countries can show how IoT business models could be regulated in the near future. In October 2018, the UK Department for Digital, Culture, Media and Sport released a 'Code of Practice for Consumer IoT Security' setting out guidance and non-binding security standards for IoT manufacturers. Moreover, in May 2019, the UK Government released a consultation paper on the potential to create binding regulation, as there are still 'significant shortcomings in many products on the market'. The consultation paper suggests legislation mandating that retailers may only sell IoT products that conform to all or certain parts of the 'Code of Practice' and/or mandatory labelling stating whether or not manufacturers have complied with the 'Code of Practice'. Due to the change in government in the UK, it remains to be seen whether this specific legislation for IoT security will come into force. In Germany, it likewise remains to be seen whether the government will follow this development towards stricter regulation of IoT business models.
To face these challenges, developers should consider data protection requirements throughout the whole engineering process. It is often too late to take these requirements into account once the technical planning has been finalised. As shown, many obligations under the GDPR require a technical solution. As smart devices often evolve during their lifecycles, the processing of personal data and the related IT security must be reviewed regularly. From the beginning, developers must build in the functionality needed to support such reviews and later amendments, e.g. an inventory of which data is processed and where it is stored, and mechanisms to export or delete that data. It is therefore key for every developer and supplier to have a good understanding of its data processes. Only then can data protection compliance be achieved.
Companies developing and offering smart devices in the IoT need to increase their attention to IT security and data protection by including data protection requirements in their planning and review process. Due to consumers' increased awareness of data protection, compliance is no longer only a legal risk but is increasingly reputational.
The keys to a competitive product will be considering, and including measures to best implement, IT security and data protection from the outset.
Key take-away points
- Consider IT security and data protection from the outset
- Include data protection requirements in the complete lifecycle of a smart device
- Implement Privacy by Design, Privacy by Default measures in solutions
- Ensure state of the art IT security