Internet of Things (IoT) objects are often equipped with sensors that enable them to collect information from their environment and subsequently channel it through machine-to-machine (M2M) transmitters. Whenever personal data is processed, i.e. any information relating to an identified or identifiable natural person, you need to take the GDPR into account.
What is IoT and why is GDPR relevant?
IoT is a broad term that refers to internet-enabled objects which can communicate directly with other internet-enabled objects by using electronic communications networks without human intermediation. IoT objects can include baby monitors, fitness and health wearables, smart medication dispensers, home automation technologies, car systems, and even children’s toys.
The two most important IoT privacy concerns…
1. Juggling sensitive data & consent
Consent is necessary for the processing of sensitive data, such as health data. In addition, unless necessary for the performance of a contract with the user, all automated decision-making without consent (which is arguably one of the core features of IoT) is prohibited by the GDPR if it produces “significant effects” on an individual, i.e. if it has the potential to significantly influence the circumstances of the individuals concerned.
The very core of IoT relies on the lack of human intermediation when it comes to M2M communications, rendering consent hard to achieve. Furthermore, IoT devices do not usually feature an interface for the display of the required privacy information and the consent form.
2. Keeping up with data subject rights
The GDPR gives individuals substantial rights to their personal data, such as the “right to be forgotten”. IoT developers often face obstacles, such as interoperability, when designing devices with the built-in ability to comply with these new rights. In addition, because data processing and analytics in the cloud involve a chain of multiple parties whose relationships are complicated, data processing agreements should be drafted carefully to ensure assistance in complying with data subject requests. As the Article 29 Working Party suggests, communication between IoT devices often takes place without the individual being aware of it, rendering the control of the generated flow of data nearly impossible.
…and the steps to minimise GDPR-exposure
1. Achieve consent
- Embed consent mechanisms into your devices where you can.
- Where embedding is not technically feasible, broadcast the necessary data protection information to mobile devices in proximity of the IoT objects, e.g. via a dedicated app.
2. Put users in control of the flow of data
Provide granular choice over data capture
- The granularity should not concern only the category of personal data, but also the time and frequency of collection.
- E.g. inform users when their smart device is active via a physical interface or by broadcasting on a wireless channel.
- E.g. offer a “do not collect personal data” option similar to airplane mode. In an ideal “privacy by design” setup, users have to activate this for the device to start transmitting data. If they don’t, their device still has at least limited functionality.
Limit data distribution
- Before data leaves the smart device, transform raw data into aggregated data and delete the raw data immediately.
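One way the opt-in default, the user-chosen collection frequency and the aggregate-then-delete rule above can fit together in device firmware, as an added example that is not part of the original article. The names `Consent`, `PrivacyGate`, the `heart_rate` category and the 300-second default interval are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Consent:
    """User choices; nothing is collected until a category is opted in."""
    categories: set = field(default_factory=set)  # e.g. {"heart_rate"}
    min_interval_s: int = 300                      # user-chosen reporting frequency

class PrivacyGate:
    """Hypothetical on-device gate between the sensors and the radio."""
    def __init__(self, consent):
        self.consent = consent
        self._raw = {}        # category -> raw samples, device-local only
        self._last_sent = {}  # category -> time of last transmitted aggregate

    def record(self, category, value):
        """Buffer a sample locally; discard it if the category is not opted in."""
        if category not in self.consent.categories:
            return False
        self._raw.setdefault(category, []).append(value)
        return True

    def withdraw(self, category):
        """Consent withdrawn: stop collecting and purge what is buffered."""
        self.consent.categories.discard(category)
        self._raw.pop(category, None)

    def flush(self, category, now):
        """Return the aggregate to transmit, or None. Raw samples never leave."""
        samples = self._raw.get(category)
        if category not in self.consent.categories or not samples:
            return None
        last = self._last_sent.get(category, float("-inf"))
        if now - last < self.consent.min_interval_s:
            return None  # respect the frequency the user chose
        aggregate = {"category": category, "n": len(samples),
                     "mean": round(mean(samples), 1),
                     "min": min(samples), "max": max(samples)}
        samples.clear()  # delete raw data as soon as it is aggregated
        self._last_sent[category] = now
        return aggregate

if __name__ == "__main__":
    gate = PrivacyGate(Consent())              # default: collect nothing
    gate.consent.categories.add("heart_rate")  # user opts in to one category
    for bpm in (70, 74, 78):                   # constructed sample readings
        gate.record("heart_rate", bpm)
    print(gate.flush("heart_rate", now=120))
```

Only the dictionary returned by `flush` would be handed to the transmitter; the individual readings stay in the local buffer until they are aggregated or purged.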
Enforce local control
- Facilitate local storage and processing without having to transmit the data.
- E.g. provide tools which enable users to locally read, edit, and modify the data before it leaves the smart device.
Implement adequate security measures
- Reduce the attack surface.
- Test for vulnerabilities and frequently dispatch security updates.
- Encrypt personal data both at rest and in transit.
- Ensure M2M communications take place over secure channels.
Minimise the collection of data
- Limit data collection so you don’t have to worry about anonymization.
- In particular, discuss the following points:
  - Does the data collection conform with the GDPR?
  - Is the data needed?
  - Will the data create an obstacle to compliance?
In short, data protection presents a challenge to IoT developers: ensuring freely given consent and granting data subject rights are just some of the obstacles that developers must face. Implementing consent mechanisms, providing granular choice over data capture, limiting data distribution, enforcing local control and implementing security measures are a good start on your GDPR-compliance journey.