IoT regulation: IoT, GDPR, ePrivacy Regulation and more regulations

With the rise of the IoT and related technologies such as robotics, AI and Big Data, new regulatory frameworks are deployed in an age where data is gold. Moreover, the Internet of Things needs specific attention in the scope of, among others, the GDPR and the ePrivacy Regulation. What you MUST know.

In May 2018, the European General Data Protection Regulation, also known as GDPR, becomes enforceable.

This Regulation has far-reaching consequences. The GDPR fines in case of data breaches or non-compliance can be very high. As the GDPR is about data privacy and the protection of personal data, it’s clear that you must also look at it if you have an Internet of Things project whereby personal data is involved.

Attention: the Regulation concerns all companies that process personal data of EU citizens, no matter where these companies or ‘data processors’ are. So, it also applies for organizations outside of the EU.

ePrivacy Regulation: electronic communication channels include the Internet of Things

On top of the GDPR, which is already an officially published text, a second legal framework is coming around the same time as the GDPR: the ePrivacy Regulation.

This regulation concerns all electronic communications. The European Parliament has approved the text and now it’s up to member states to take their positions and the European Commission to finalize, along with the member states.

While many people talk about the ePrivacy Regulation from the perspective of the Web (cookies), email and other electronic communications channels which we all know, we previously pointed out that the ePrivacy Regulation text also clearly mentions new electronic communication channels. These include Instant Messaging apps and tools like SnapChat and Facebook Messenger.

However it also clearly mentions the Internet of Things. As we wrote before, “the principle of confidentiality should apply to current and future means of communication”. And this includes the Internet of Things. Moreover, the draft text says that it is needed to have specific safeguards in machine-to-machine communications in particular sectors so expect more to come.

While not all Internet of Things use cases are about personal data, certainly in the Industrial Internet of Things (IIoT), it is clear that many other use cases are. We also need to point out that from an Internet of Things spending perspective, the Consumer IoT where the personal data aspect is omnipresent is expected to grow faster in Western-Europe.

The GDPR and the Internet of Things: no time for assumptions

Going back to the GDPR, here are some things you MUST know in order to be compliant if you use the Internet of Things.

A holistic approach to the Internet of Things GDPR reality

The GDPR mentions a range of identifiers such as online identifiers. These explicitly include Radio Frequency Identification (RFID) tags. Moreover, that list of online identifiers is not exhaustive.

Internet of Things use cases are always about data so it’s important to see where exactly personal data is used.

As the Internet of Things is part of a larger information and data reality, with many processes, this must be looked upon in a holistic way as is the case for all GDPR strategies really. You can’t uncouple the Internet of Things, which is already a vast reality from related technologies and the many areas, processes, use cases, organizational aspects and so forth in a GDPR context – and beyond.

Note: in some cases the GDPR requires the appointment of a Data Protection Officer. If this is so in your organization, he/she is the person to go to.

The specifics of IoT in a GDPR and ePrivacy Regulation context

However, at the same time you also need to look at the specifics. Analyze the specific risks of the Internet of Things from both GDPR and ePrivacy Regulation (breach) risks on one hand and the loss/theft of personal data risks on the other.

Six in ten Internet of Things devices don’t properly tell customers how their personal information is being used (PR ICO end 2016)

Once you know where personal data comes into play, you have to look at your IoT project. This seems obvious but in IoT there are many components that can pose a security risk and are often not seen or understood well enough by IT. There is no room or time for assumptions in this regard: IoT is “different” and not everyone leveraging it is equally aware of security aspects, to put it mildly.

Although the Internet of Things still really is in its early days, there are already different areas where personal data is leveraged.

In the context of the digital transformation of healthcare, for instance, there is a rapid growth of wearables and connected medical devices that enable remote health monitoring. More and more we’ll see wearables being used by healthcare payers too. Healthcare data are extremely sensitive data, also in the scope of the GDPR.

Connected vehicles are also a growing IoT use case. Here as well data, which can be traced back to an individual, need to be looked at. Then there is smart metering whereby personal data on household energy consumption patterns is leveraged. Finally, from the Consumer IoT perspective, we see that the fastest growing use case, from an IoT spending perspective, is in smart home applications. Needless to say that here as well data can be personal.

There is far more. Yet, the overarching message is to make sure that your IoT plans and projects are certainly included in both your GDPR compliance strategies and the future ways in which you plan to leverage the IoT from the privacy and confidentiality perspective of the ePrivacy Regulation context.

GDPR: some IoT security considerations

You won’t be able to do that alone and need help from IT, security, legal and expert partners, yet at the same time you’ll also need to look really well at the specific risks in IoT deployments and set-ups as some might be less known, even by IT.

The GDPR awareness stage is an important part of any GDPR compliance process, with the IoT you’ll need to take the various IoT technologies into account.

It goes without saying that there are several elements which need to be thoroughly understood and ‘followed’, including 1) existing IoT vulnerabilities and types of attacks, 2) the security initiatives which are taken in the IoT industry, including existing frameworks as we have them in industrial IoT security and in frameworks/initiatives of numerous vendors, standards bodies and associations and 3) the practices and initiatives of your partners.

This of course mainly goes for the types of technologies and vendors you want/need for your IoT project.

You probably don’t want to know that the Z-Wave Alliance (mainly used for smart home applications) has a new security framework if you’re deploying a farming or agriculture project (and cattle doesn’t fall under the category of data subjects in the GDPR) or are doing something in Industry 4.0 with, for example, the Internet of Robotic Things.

IoT device management is another important element as is real-time IoT device monitoring, something that is rarely done. Last but not least, if you plan an IoT project do know that there are IoT platforms that deal with security and that there is also such a thing as IoT managed security services. Both are mainly used in larger projects and industrial Internet type of use cases but not exclusive so do check the market as new players join and will join as other IoT platform vendors also come up with new features. As we wrote previously the overall Managed Security Service Providers (MSSPs) market is growing fast.

GDPR requirements which are important in an Internet of Things context

Below are some aspects of the GDPR which are relevant but not always clear in an IoT context:

IoT and Data Protection Impact Assessments under the GDPR

Something that is often overlooked is the importance of a Data Protection Impact Assessment or DPIA in the scope of IoT under the GDPR.

The GDPR has very specific rules with regards to when such a Data Protection Impact Assessment. These are especially required when a new, specific type of personal data processing which could lead to a high risk from the data subject rights and freedoms perspective and especially when new technologies are involved.

Guess what the WP29 Guidelines on the requirement of a DPIA mention as examples. Indeed: IoT applications. If personal data are processed using IoT it’s already best to check whether you need a DPIA as “the innovative use or applying new technological or organizational solutions” is already one of 9 criteria which are “recommended” to use in order to see whether the need for a DPIA will be likely.

IoT, data breaches and the reporting duty

The Regulation is clear: data breaches need to be reported if personal data are involved and under specific conditions (personal data breach notification). 

Needless to say that, certainly with a bunch of IoT consumer devices, which sometimes are hackable as hell, we are far from the possibility to do so in this segment. Whether you use consumer IoT devices and data in your consumer-oriented business or have IoT use cases in an Industrial Internet context whereby personal data is leveraged (e.g. healthcare) with other types of connected devices make sure the full solution, including those devices, connectivity (there are loads of specific IoT connectivity solutions, from the short-range ones such as Zigbee or those used in smart home apps to the many wireless ones in a long-range context, such as LPWA technologies), platforms, cloud and so on are integrated in a secure environment with security controls and policies on the levels of these various IoT components and an ability to report as the General Data Protection Regulation requires. These levels also include data and information streams further along the road.

IoT and the challenge of consent and lawful processing

A major aspect of the GDPR are the so-called legal grounds for lawfully processing personal data.

One of them is consent. In several IoT applications where consent is used, it might even need to be explicit consent. However, it is key to see what is the best legal ground for lawful processing as consent will certainly not always be the path to follow.

How do you do that in practice when you have an IoT use case whereby personal data (of EU citizens) are involved? You get the picture. Not easy at all, depending on context and use case. Even on the level of giving consent to a company with a basic personal fitness tracker and application it’s alreay hard. Imagine more sophisticated cases. While there is no general advice to give as it so much depends on the use case, you will have to think about the where, when and how you get that consent or which other legal ground is a better fit. In some cases it will be mainly a matter of additional clauses in contracts (e.g. telematics in insurance, smart metering in contracts with utility firms), in others it will be harder (e.g. in-store retail applications and most certainly the use of the IoT for marketing purposes).

Fortunately, although the GDPR clearly raised the bar with regards to consent, as said there are other grounds for lawful processing so make sure you check those out as well, several might fit in the scope of your IoT project, depending on purpose, types of personal data and more factors.

Other Internet of Things GDPR focus areas

These are two of the main areas where we see challenges to address.

Others include the specific regulations regarding the processing of personal data regarding children (ample of IoT toys nowadays), the right of erasure (a.k.a. right to be forgotten) and the right of access to personal data.However, the latter is is part of the post-consent stages, further down the road, where we would typically look at it from the data security, enterprise information management (policies, storage, all forms of processing, governance etc.) and Big Data perspective.

Last but not least there are the privacy by design rules. On our GDPR overview page you find plenty of links and resources where these and other topics are tackled. Do take a look at them in order to see where the IoT is involved if you look at the key rights, duties and stipulations of the GDPR.

Robots, AI, IoT and Big Data: more regulations coming  – consequences and duties

And there could be more coming. In the EU and outside the calls for regulations in the connected digital economy is louder.

In February 2017, for instance, members of the European Parliament started calling for EU-wide rules on robots and artificial intelligence. And in the top IoT trends for 2017 by Ovum, which we covered in our IoT trends overview, regulation is explicitly mentioned in those trends. Quote: “IoT security will become a core focus for both enterprises and providers, and will be part of every deployment discussion, as well as coming onto the radar for regulators” (source).

The inescapable rise of regulation(s)

It is clear that Big Data, the Internet of Things, robots and artificial intelligence are all connected. This is both the case in Industry 4.0 and to a certain extent in the growing market of robots for rather personal utilization.

IoT security comes onto the radar for regulators (Ovum, March 2017)

No matter how you look at it: you need to start looking at regulations, privacy, data breach liabilities and compliance/security now. The GDPR (and ePrivacy Regulation) are just a few urgent reasons and each day we’re amazed when we talk with professionals in information management and other industries who say they are shocked to see how many organizations aren’t even in the early stages of awareness and preparation, although it’s a big task with big consequences if not done. And it needs to be done, not just for the fines but also for the market, although we’re certainly not among those who believe everything needs to be regulated and do understand other realities. But with IoT the stakes are too high, from a security perspective and beyond.

IoT requires trust

The adoption of IoT, both among consumers and organizations, is related wih trust. Trust regarding security, transparency in data usage, clear information and so forth.

In its 2017 Trust Barometer, Edelman found all-time low levels of trust, also in regards with technological evolutions. The Internet of Things is no exception. It already starts with basic levels of trust such as the trust in IoT device manufacturers to provide data collection information as ISACA found end 2016 (see below, via Statista).

The distrust regarding clear consent and information gathering practices already starts on the level of IoT manufacturers

39 percent of European consumers said they completely disagreed with the fact that IoT manufacturers provide sufficient information about the data/information they collect. Another 42 percent somewhat disagreed. In other words: not good. Well, one of the fundamentals of the GDPR is that ‘data subjects’ (people) need to clearly give consent, not in legalese or weird ways, no: clear, visible and so forth. And at all times they have the right to know the what, who and why of the processing of their personal data.

Other research, summarized on the website of the ICO and conducted by 25 data protection regulators worldwide (coordinated by the Global Privacy Enforcement Network, the ‘privacy sweep’ in IoT), among others showed that, quote, “59 percent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed, 68 percent failed to properly explain how information was stored and 72 percent didn’t explain consumers how to delete their data off the device”.

Among the devices that were checked: smart electricity meters, smart thermostats and health monitors (some medical devices turned out to send data to physicians via unencrypted mail). Note that the press release of the ICO is about the GDPR and was published end 2016, BEFORE the draft text of the ePrivacy Regulation was published.

Regulations as an IoT market and trust driver

So, at the same time it’s an opportunity and even a must as without security no Internet of Things.

We previously mentioned how consumer spending on the Internet of Things (consumer electronics) is slowed down by security concerns and how even in the Industrial Internet of Things it is a show-stopper as concerns are high in an environment where IIoT attacks are on the rise.

Do expect more regulation, also outside of the EU context, for specific industries where personal data and security are already key (e.g. finance) and do expect more regulations in the connected space of robotics, AI, IoT and so forth in other regions as well. This is your new reality: a lack of attention for security and personal data won’t be tolerated as the stakes grow and risks increase. And the consequences will be big in many cases.

You’ll need people who are very familiar with the specific risks regarding IoT and related technologies and experts in compliance, regulations and security when making a solid IoT deployment case. And you’ll need to do it from the very beginning.

Top image: Shutterstock – Copyright: Joe Techapanupreeda – All other images are the property of their respective mentioned owners.