GDPR poses complex challenges to IoT programmes and networks. Kate O’Flaherty presents Internet of Business’ 10-point plan to protect your organisation – and, most importantly, your customers.
Companies could face fines of up to four percent of turnover for data breaches once the EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018 – which the UK has also cast into law. In an age of information, and after the fallout from the Facebook/Cambridge Analytica ‘breach’ and other scandals, regulators are taking data protection very seriously.
GDPR compliance is particularly challenging when it comes to the Internet of Things (IoT), because it can be difficult to gain the consent needed to process personal data within IoT networks. In addition, GDPR advocates ‘privacy by design’, something that IoT devices aren’t known for, despite the recent moves by industry and governments to change this.
But compliance is by no means impossible. In fact, IoT organisations that go the extra mile in protecting data will benefit from increased customer trust, which can be a business differentiator.
So, what are the 10 things that organisations must consider for their IoT programmes ahead of the compliance deadline?
1. Be aware of the data you collect and process
Experts advise IoT-using organisations to assess whether the information they collect is personal data. But be advised: if you don’t collect personal information, that doesn’t mean you’re exempt from the regulations.
As Adrian Davis, EMEA director of cybersecurity advocacy at security training specialist (ISC)2 points out: “Just because you collect sensor data from IoT devices, don’t think that you are exempt from GDPR. Know where your data is, how it is protected, and what to do if there’s a problem.”
As part of this, some companies will need to reconsider how they’re storing data, says Alastair Johnson, founder and CEO of secure payment vendor, Nuggets. He thinks features such as client-side encryption and blockchain technology could be useful to protect businesses.
“In the event of a data breach, this type of tech stack mitigates any risk that a company may face under GDPR: There simply isn’t any user data stored in a business’ database for a malicious party to steal.”
• Internet of Business advises organisations to read up on the pros and cons of blockchain-based systems, which may not be appropriate for many applications.
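The client-side encryption point above is worth seeing in code. The following is an added example, not code from the article or from Nuggets: the client encrypts and authenticates a record on the device, the business stores only the resulting ciphertext under an account id, and a copy of the server database therefore contains no readable personal data. It assumes a hypothetical `ServerStore`/`Client` pair and, to stay stdlib-only and runnable offline, builds the cipher from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); in a real product you would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead, and the sample record is constructed.

```python
import hmac
import hashlib
import json
import secrets

KEY_BYTES = 64  # 32 bytes for the keystream PRF, 32 bytes for the MAC


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; this stands in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client. Returns only opaque hex fields for the server."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)  # fresh per record so equal plaintexts differ
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, record: dict) -> bytes:
    """Verify the tag first (constant-time), then decrypt. Wrong key or tampering raises."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = (bytes.fromhex(record[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record rejected: wrong key or ciphertext modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServerStore:
    """Hypothetical business database: holds only ciphertext keyed by account id."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def put(self, account_id: str, record: dict) -> None:
        self.rows[account_id] = record

    def get(self, account_id: str) -> dict:
        return self.rows[account_id]

    def dump(self) -> bytes:
        """Everything an attacker who copies the database would obtain."""
        return json.dumps(self.rows).encode()


class Client:
    """Hypothetical device/app side: the key never leaves the client."""

    def __init__(self, account_id: str, key: bytes) -> None:
        self.account_id = account_id
        self.key = key

    def upload(self, store: ServerStore, personal_data: dict) -> None:
        store.put(self.account_id, encrypt(self.key, json.dumps(personal_data).encode()))

    def download(self, store: ServerStore) -> dict:
        return json.loads(decrypt(self.key, store.get(self.account_id)))


def demo() -> dict:
    """Round-trip a constructed record and check what a server-side breach would expose."""
    store = ServerStore()
    client = Client("acct-0001", secrets.token_bytes(KEY_BYTES))
    personal = {"name": "Ada Example", "email": "ada@example.invalid", "readings": [21.5, 22.0]}  # constructed
    client.upload(store, personal)

    dump = store.dump()
    plaintext_leaked = any(v.encode() in dump for v in ("Ada Example", "ada@example.invalid"))
    roundtrip_ok = client.download(store) == personal

    # An attacker with write access flips one ciphertext byte; the MAC must catch it.
    tampered = dict(store.get("acct-0001"))
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = ct.hex()
    try:
        decrypt(client.key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # A different key (e.g. the business's own credentials) cannot read the record.
    try:
        decrypt(secrets.token_bytes(KEY_BYTES), store.get("acct-0001"))
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "plaintext_leaked": plaintext_leaked,
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters for the quote's claim is where the key lives: the server never sees it, so a dump of `ServerStore` is useless without compromising the client as well. The flip side, which the article's caveat about blockchain-style systems also hints at, is that the business can then neither recover a customer's data for them if the key is lost nor answer a subject access request from its own database alone.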
2. Understand consent
Under GDPR, consent has to be given when personal data is processed. However, Helen Goldthorpe, associate at law firm Shulmans LLP, points out that there are several lawful grounds for processing data, of which consent “is just one”. Others include contractual necessity and legitimate interest – for example, if the data is being used for employee safety purposes.
3. Know that consent and GDPR apply to the whole supply chain
Many IoT firms don’t realise that customers can withdraw consent and have the ‘right to be forgotten’ (to have all data about them permanently erased), says Guy Bunker, SVP products at security company Clearswift. And when consent is withdrawn, your suppliers must also remove this information.
“The IoT community needs to think beyond getting consent. They need to consider what they will go through if consent is removed and customers ask for the right to be forgotten. In some cases, you will need to do a reasonable amount of work.”
4. Record everything you do to meet the requirements of GDPR
The regulations require companies to record all of their data processing. The payoff, says (ISC)2’s Davis, is: “If you have a problem and are investigated, you can show you did all this stuff and it still went wrong.”
Indeed, as Jon Collins, an analyst at technology research group Gigaom, explains, GDPR isn’t designed to catch companies out. Rather, its intention is to prevent the abuse of data. He says:
“Understand what you do, say what you are doing about it, and do what you say. That’s a really good, simple check. If you are the kind of organisation that’s genuinely looking to do the right thing, the regulation isn’t there to catch you out.”
5. Be aware of the need for privacy by design, and default
Privacy by design is one of the stipulations of GDPR. Within the IoT, this applies to devices and software, in addition to backend systems.
Steve Giguere, security strategist at Synopsys Software Integrity Group, explains: “GDPR compliance can’t be achieved by securing IoT devices alone, since they are usually part of a much larger ecosystem.
“Governance and policies for security and privacy must be established and applied to the IoT devices that collect personal information, as well as to the networks and backend systems that transmit and process data.”
Shulmans LLP’s Goldthorpe adds that products “need to be developed from the ground up”. For example, she says: “You should have the ability to delete data to comply with subject access rights.
“Also, understand at an early stage how devices collect data, so you can explain if asked. With older devices, decide whether they need to collect that data at all.”
6. Basic security hygiene will help you comply
Basic security hygiene, such as making sure all systems are patched, is essential, says Clearswift’s Bunker. “As the IoT world is vulnerable, keeping those systems up to date is important, but the basics are often overlooked. Even if you have the best system in the world, if someone can still make a mistake on the inside, that’s a compliance breach.”
This applies to manufacturing systems too, says Gigaom’s Collins. “If you aren’t thinking about securing these now, you’d better start really quickly.
“Many IoT companies are only looking at very low-level data security, such as encryption. They aren’t thinking about more complex attacks, such as denial of service (DoS) and data being manipulated, and about the processes around this.”
7. See GDPR as a business differentiator
As we have seen with the Cambridge Analytica and Facebook scandal, trust is integral to the future of data protection. According to Bunker: “GDPR is not about fines, it’s about increasing trust within organisations. It’s one of those things where if you do it right, you increase trust and therefore have a competitive advantage.”
8. Remember that GDPR compliance is ongoing
Even if you think your organisation is ready for the regulation, it’s important to remember that GDPR compliance is not an endpoint; it’s ongoing. “In some ways this is more valuable,” says Bunker.
“It’s not just a tick in the box, it’s about being better forever.”
9. Consider employing a data protection officer
A data protection officer (DPO) will be a mandatory requirement for public authorities, and for any organisation whose core activities include the regular and systematic monitoring of data subjects on a large scale.
This means that any large-scale IoT-using organisation may need to employ a DPO as part of GDPR compliance – certainly it will need a senior responsible owner.
When making the appointment, Goldthorpe advises that organisations should take steps to avoid any conflicts of interest: “Ideally, if you are a big organisation, it makes sense to place a DPO within the compliance function.”
10. Prepare your response
It is also wise to ensure that tested, rehearsed, and updated management plans are in place to respond to any breach, says Davis. “GDPR tells you to report within 72 hours – you should be doing this anyway.”
Preparing your response also applies to other aspects of GDPR, such as subject access requests. As part of this, Bunker asks: “If someone makes a subject access request, how quickly can you, as an organisation, get that data and respond?”
Internet of Business says
A good question to ask. And as Kate O’Flaherty and our expert panel say, remember: GDPR isn’t an endpoint, it’s an ongoing process.
We would add one further essential point to consider: Remember that many consumers may see GDPR as an opportunity to assert themselves – especially since revelations about Facebook’s logging of call data, alongside the Cambridge Analytica scandal.
In light of news stories like these, it seems inevitable that some customers may demand to see proof that data is being collected in their own interests (a further stipulation of GDPR) and for a useful purpose. Others may insist that their data is permanently removed from systems. From 25 May, you will have no choice but to comply.
After all, GDPR has been introduced to protect consumers’ and citizens’ interests, to reset the balance within the information economy – which regulators believe has tipped too far towards organisations’ commercial interests – and to prevent the wholesale grabbing of private data.