Preparing an IoT project or IoT application? Check if you need a privacy assessment now

With the ongoing growth of the Internet of Things (IoT) and ever more large-scale IoT projects comes far more data. As discussed previously, this deluge of IoT data has an impact on IT infrastructure and on the shift towards the edge, as in edge computing, and across the several layers of the IoT stack, including IoT gateways and IoT platforms.

When you reduce IoT to its essence, setting aside the purposes, use cases and various processes, it is about data and what can be done with them. This brings additional challenges for specific types of IoT data, namely those that can be used to identify a natural person, in other words personally identifiable information (PII), and, even more so, the sensitive categories of personal data or sensitive personal information (SPI).

There are ample IoT use cases or examples in which IoT gets combined with other ‘new technologies’ that involve the processing of personal data. As the IoT gets more regulated, it’s also important to look at regulations regarding personal data and how they impact your IoT project, or your IoT data monetization and exchange approaches for that matter.

[Image: IoT privacy, trust and compliance – IoT privacy assessments]

IoT projects/applications, and projects combining IoT with other technologies, that involve personal data

It is not unusual for organizations to perform a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA) when launching new solutions, applications or services which de facto could have an important impact on personal data protection and privacy, and which thus fall within the scope of laws that aim to regulate data and privacy protection.

If you are launching an IoT project, solution or application in which personal data of people in the EU gets processed, it’s extremely important that you check whether you need to conduct a DPIA, as chances are high that you do, and the fines and penalties if you don’t can be pretty significant.

We’ve written before about IoT and GDPR and about IoT and other regulations such as the ePrivacy Regulation. While these are just two legal frameworks with a big and often underestimated impact on IoT from the sheer personal data and privacy perspective, it’s essential you know them and, most of all, check if your IoT project is compliant. As we’ll see, it’s not just about compliance and regulation, even if that is our key focus in this article.

Certain “Internet of Things” applications could have a significant impact on individuals’ daily lives and privacy; and therefore require a Data Protection Impact Assessment (GDPR DPIA guidelines WP29)

We look at IoT privacy from the perspective of IoT projects/applications and privacy regulations, with a specific focus on the Data Protection Impact Assessment duty under the GDPR (when it’s mandatory and where IoT projects come in). We could have broadened this article to other ‘new technologies’ such as intelligent video analysis, social media (less new), predictive analytics, behavioral profiling and physical access control combining fingerprints and facial recognition, as they’re all mentioned in the scope of the mandatory Data Protection Impact Assessment and when it applies. However, when it boils down to the GDPR, one unfortunately always needs to be very specific to inform particular ‘target audiences’, in this case people with IoT plans. Obviously, several of the other technologies de facto can be and are used in combination with IoT, depending on the purpose and scope of the IoT project/solution.

IoT and checking whether a DPIA is mandatory: what you need to know

Anyway, let’s not dive too deep into all those scenarios, as there are really a lot you can imagine and the GDPR doesn’t mention them. The WP29 Guidelines on the DPIA and GDPR, however, do go a bit further; they don’t list them all either, of course, but they help a lot.

Here is the key message again: if you are planning an IoT project/solution in which personal data of data subjects gets processed (and do define processing in the broadest possible sense, including capturing data via IoT, storing them, analyzing them, deleting them, whatever) and these data subjects are in the EU, check right now whether you need to conduct a Data Protection Impact Assessment. If you are not processing personal data of data subjects in the EU, consider it as well.

The WP29 encourages the development of sector-specific DPIA frameworks…this means the DPIA can address the issues that arise in a particular economic sector, or when using particular technologies or carrying out particular types of processing operation. (GDPR DPIA guidelines WP29)

In GDPR Article 35, IoT is not specifically mentioned. That Article makes a DPIA mandatory for certain types of personal data processing, in particular when using new technologies and when there is a high risk to the data subject’s rights and freedoms. Those rights and freedoms stretch pretty far in the WP29 guidelines, which aim to help supervisory authorities in applying and enforcing the GDPR; they go beyond the many rights stipulated in the GDPR itself.

If you read the rest of Article 35, you will notice that there are many specific circumstances which, simply put, clearly call for a DPIA and which often occur in IoT applications.

However, once you have read Article 35 and our entry on the GDPR and DPIA, go to those WP29 guidelines we mentioned. On top of the 9 criteria to consider when gauging whether a data processing operation is likely to result in a high risk, as depicted below, they clearly mention IoT, which of course is more than just connected things but a reality involving several ‘new technologies’ that are typically present in IoT applications and projects.

The sheer fact of an “innovative use or applying new technological or organizational solutions” is already a criterion in itself! Add one or more and chances are pretty high that you need to conduct a DPIA BEFORE you start your IoT project.

[Image: GDPR and DPIA – the 9 criteria from the WP29 DPIA guidelines, including new technologies, systematic monitoring, profiling, predicting and automated decision-making, to consider when gauging whether a concrete processing operation such as IoT processing of personal data is likely to result in a high risk]

Takeaways from the WP29 guidelines regarding IoT and DPIAs – and why your IoT plans might benefit from a DPIA anyway

Here is what the WP29 guideline (last changed in October 2017) says on some of the other criteria:

  • “Some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement).” Location data and data related to electronic communications (which includes IoT under the previously mentioned ePrivacy Regulation) are both named here. The link with various IoT applications is clear.
  • “A DPIA will help the data controller to understand and to treat such risks. For example, certain ‘Internet of Things’ applications could have a significant impact on individuals’ daily lives and privacy; and therefore require a DPIA.” That doesn’t need more explanation.
  • A case where a DPIA is most probably required, as mentioned in the guidelines: the use of a camera system to monitor driving behavior on highways, where the controller envisages using an intelligent video analysis system to single out cars and automatically recognize license plates.

We could go on, but the message once more: IoT applications with personal data processing of EU data subjects? Check the WP29 Guidelines (PDF opens) and make sure to verify, one way or the other (seeking advice, looking at those 9 criteria, whatever), whether you need to conduct a DPIA or not (and involve the data protection officer, if there is one).

And, in general, even if you do not process personal data of EU data subjects in your intended IoT project/application, or are convinced you’re OK, it never hurts to conduct one anyway, because it is about more than regulations: it is also about trust, security and anything else you might need to demonstrate not just compliance but also professionalism and credibility towards any IoT ecosystem partner whatsoever.


Top image: Shutterstock – Copyright: chombosan – Although the content of this article is thoroughly checked, we are not liable for potential mistakes and advise you to seek assistance in preparing for GDPR.