IoT and GDPR: Challenges and Opportunities

We live in an era in which data is gold. Indeed, anyone operating in the IoT space should be aware of the recent changes to the EU data protection program.

Lock within European Union stars
Illustration: © IoT For All

We live in an era in which data is gold. Robotics, AI, big data analytics. All these new technologies and more are flooding the digital ecosystem and offering new and improved ways for companies to manage and make sense of their data. Companies operating in the Internet of Things (IoT) have never had so many exciting resources on their hands to help reach customers more effectively and to cut internal operating costs based on intuitive KPIs. While the excitement is warranted, it does challenge long-standing laws defending personal privacy, which have, up until recently, not kept pace with the rapid innovation in the industry.

Indeed, anyone operating in the IoT space should be aware of the changes to the EU data protection program. The General Data Protection Regulation (GDPR) was created in May 2016 and came into full legal effect on May 25th, 2018. These new regulations changed the operational and legal landscape for companies across the board. IoT device manufacturers have to abide by a different regulatory code; application developers have some updated requirements lists to follow in designing their products; and IoT cloud platforms have a whole new set of legal obligations to abide by in setting their terms of use.

Grayscale photo of woman doing silent hand sign
Image credit: Kristina Flour on Unsplash

Here are three things to know about the new GDPR updates in terms of what they mean for business operations:

1. The Question of Security Breaches

In the interest of transparency, this new GDPR regulation brings general mandatory notifications for data breaches of all shapes and sizes. As of May 2018, data maintenance analysts are obliged to report any data breaches to their supervisor; even in some cases, they must alert individuals that their data has been temporarily compromised. Alerts need to be made within 72 hours of the incident by law. The goal of these new regulations is to stem the tide of cybersecurity (which remains a commonplace issue) and to offer more insight into user’s data history.

2. Consent Is Enlarged

The issue of consent regarding the sharing of information has been a hot topic for years. Many activists within the IoT community have been calling for more consent discussion between customers and their IoT providers for years. The GDPR is meant to address these concerns by forcing companies to offer more opt-in or opt-out clauses. No longer can consent be assumed based on the inactivity of a customer. The GDPR demands that data controllers get explicit consent from all customers before extracting their personal data. It’s as simple as that.

3. Stronger Data Subject Rights

A third major area of upheaval is in the subjects’ rights category. Before the GDPR, data controllers had much more leeway than subjects in terms of how data was recorded and which data could be recorded or not. Under these new changes, the subject has much more far-reaching control over their data. For example, subjects are able to have their data forgotten in the system. They also enjoy data portability, essentially allowing users to access and use their own data across platforms and over time.

New Regulations, New Obligations

The importance of following these regulations should not be lost on a CEO or company executive engaged in the field, as the GDPR fines run in the thousands and can really set a company back. Also, with a number of cybersecurity issues already at play in the IoT industry, perhaps these new regulations are what’s needed to bring more transparency.

We recommend executives think differently about GDPR. It brings with it the opportunity to add value to companies. It’s not just a cost; it is a way to leverage “privacy by design” for building trust in your organization.

Roland Atoui
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT) having recognized achievements working for companies such as Gemalto and Oracle with a background in both research and industry. From smart cards to smartphones to IoT technologies. Roland is a new technology enthusiast with a current mission to bring trust to the IoT. After following an Executive MBA education at EDHEC business school in France he founded Red Alert Labs – an IoT security firm addressing both technical and commercial cybersecurity challenges in IoT.