IoT regulation IoT GDPR ePrivacy Regulation and more regulations

The GDPR mentions a range of identifiers such as online identifiers. These explicitly include Radio Frequency Identification (RFID) tags. Moreover, that list of online identifiers is not exhaustive.

Digital transformation in transportation and logistics

ePrivacy Regulation: electronic communication channels include the Internet of Things

GDPR: some IoT security considerations

Digital transformation in government

Digital transformation and security

The Regulation is clear: data breaches need to be reported if personal data are involved and under specific conditions (personal data breach notification).

On top of the GDPR, which is already an officially publishedtext, a second legal framework is coming around the same time as the GDPR: theePrivacy Regulation.

So, at the same time its an opportunity and even a must as without security no Internet of Things.

While not all Internet of Things use cases are about personal data, certainly in theIndustrial Internet of Things (IIoT), it is clear that many other use cases are. We also need to point out that from an Internet of Things spending perspective, theConsumer IoTwhere the personal data aspect is omnipresent isexpected to grow fasterin Western-Europe.

IoT, data breaches and the reporting duty

Digital transformation in utilities

A holistic approach to the Internet of Things GDPR reality

IoT device management is another important element as isreal-time IoT device monitoring, something that is rarely done. Last but not least, if you plan an IoT project do know that there areIoT platformsthat deal with security and that there is also such a thing as IoT managed security services. Both are mainly used in larger projects and industrial Internet type of use cases but not exclusive so do check the market as new players join and will join as other IoT platform vendors also come up with new features. As we wrote previously the overallManaged Security Service Providers (MSSPs) marketis growing fast.

Robots, AI, IoT and Big Data: more regulations coming  consequences and duties

Customer experience and contact center

The adoption of IoT, both among consumers and organizations, is related wih trust. Trust regarding security, transparency in data usage, clear information and so forth.

Digital transformation in healthcare

Other research, summarized on the website of the ICOand conducted by 25 data protection regulators worldwide(coordinated by the Global Privacy Enforcement Network,the privacy sweep in IoT), among others showed that, quote, 59 percent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed, 68 percent failed to properly explain how information was stored and 72 percent didnt explain consumers how to delete their data off the device.

Digital transformation readiness 2018

This regulation concerns all electronic communications. The European Parliament has approved the text and now its up to member states to take their positions and the European Commission to finalize, along with the member states.

One of them isconsent. In several IoT applications where consent is used, it might even need to beexplicit consent. However, it is key to see what is the best legal ground for lawful processing as consent will certainly not always be the path to follow.

These are two of the main areas where we see challenges to address.

Other Internet of Things GDPR focus areas

As the Internet of Things is part of a larger information and data reality, with many processes, this must be looked upon in a holistic way as is the case for allGDPR strategiesreally. You cant uncouple the Internet of Things, which is already a vast reality from related technologies and the many areas, processes, use cases, organizational aspects and so forth in a GDPR context and beyond.

You wont be able to do that alone and need help from IT, security, legal and expert partners, yet at the same time youll also need to look really well at the specific risks in IoT deployments and set-ups as some might be less known, even by IT.

Building management systems and IoT

Awareness regarding GDPR and privacy laws

Digital transformation in government

Fortunately, although the GDPR clearly raised the bar with regards to consent, as said there are other grounds for lawful processing so make sure you check those out as well, several might fit in the scope of your IoT project, depending on purpose, types of personal data and more factors.

Digital transformation in manufacturing

IoT and the challenge of consent and lawful processing

Digital transformation readiness 2018

Digital transformation in transportation and logistics

However it also clearly mentions the Internet of Things. As we wrote before,the principle of confidentiality should apply to current and future means of communication. And this includes the Internet of Things. Moreover, the draft text says that it is needed to have specific safeguards in machine-to-machine communications in particular sectors so expect more to come.

Digital transformation in healthcare

We previously mentioned howconsumer spending on the Internet of Things (consumer electronics)is slowed down by security concerns and how even in the Industrial Internet of Things it is a show-stopper as concerns are high in an environment whereIIoT attacks are on the rise.

Digital transformation in insurance

In May 2018, the European General Data Protection Regulation, also known asGDPR, becomes enforceable.

The inescapable rise of regulation(s)

With the rise of theIoTand related technologies such as robotics, AI and Big Data, new regulatory frameworks are deployed in an age where data is gold. Moreover, the Internet of Things needs specific attention in the scope of, among others, the GDPR and the ePrivacy Regulation. What you MUST know.

Digital transformation and information

In the context of thedigital transformation of healthcare, for instance, there is a rapid growth ofwearablesand connected medical devices that enable remote health monitoring. More and more well see wearables being used by healthcare payers too. Healthcare data are extremely sensitive data, also in the scope of the GDPR.

In February 2017, for instance,members of the European Parliament started callingfor EU-wide rules on robots andartificial intelligence. And in the top IoT trends for 2017 by Ovum, which we covered in our IoT trends overview, regulation is explicitly mentioned in those trends. Quote: IoT security will become a core focus for both enterprises and providers, and will be part of every deployment discussion, as well as coming onto the radar for regulators (source).

Connected vehicles are also a growing IoT use case. Here as well data, which can be traced back to an individual, need to be looked at. Then there is smart metering whereby personal data on household energy consumption patterns is leveraged. Finally, from the Consumer IoT perspective, we see that the fastest growing use case, from an IoT spending perspective, is insmart homeapplications. Needless to say that here as well data can be personal.

GDPR in the UK the Data Protection Bill

Digital transformation and security

IoT and regulation (GDPR, ePrivacy,)

GDPR requirements which are important in an Internet of Things context

In its 2017 Trust Barometer, Edelman found all-time low levels of trust, also in regards with technological evolutions. The Internet of Things is no exception. It already starts with basic levels of trust such as the trust in IoT device manufacturers to provide data collection information asISACAfound end 2016 (see below, viaStatista).

Note: in some cases the GDPR requires the appointment of aData Protection Officer. If this is so in your organization, he/she is the person to go to.

While many people talk about the ePrivacy Regulation from the perspective of the Web (cookies), email and other electronic communications channels which we all know, we previously pointed out that the ePrivacy Regulation text also clearly mentions new electronic communication channels. These include Instant Messaging apps and tools like SnapChat and Facebook Messenger.

Do expect more regulation, also outside of the EU context, for specific industries where personal data and security are already key (e.g. finance) and do expect more regulations in the connected space of robotics, AI, IoT and so forth in other regions as well. This is your new reality: a lack of attention for security and personal data wont be tolerated as the stakes grow and risks increase. And the consequences will be big in many cases.

Digital transformation and marketing

Attention: the Regulation concerns all companies that process personal data of EU citizens, no matter where these companies or data processors are. So, it also applies for organizations outside of the EU.

However, at the same time you also need to look at the specifics. Analyze the specific risks of the Internet of Things from both GDPR and ePrivacy Regulation (breach) risks on one hand and the loss/theft of personal data risks on the other.

Youll need people who are very familiar with the specific risks regarding IoT and related technologies and experts in compliance, regulations and security when making a solid IoT deployment case. And youll need to do it from the very beginning.

i-SCOOP provides publications, educational resources, training and hands-on consulting regarding integrated marketing, digital business, transformation and organizational processes.

Regulations as an IoT market and trust driver

Top image: Shutterstock Copyright:Joe Techapanupreeda All other images are the property of their respective mentioned owners.

A major aspect of the GDPR are the so-called legal grounds forlawfully processing personal data.

The GDPR and the Internet of Things: no time for assumptions

Digital transformation and technologies

Content marketing and product marketing

Write CSS OR LESS and hit save. CTRL + SPACE for auto-complete.

It is clear that Big Data, the Internet of Things, robots and artificial intelligence are all connected. This is both the case in Industry 4.0 and to a certain extent in the growing market of robots for rather personal utilization.

And there could be more coming. In the EU and outside the calls for regulations in the connected digital economy is louder.

Building management systems and IoT

IoT and Data Protection Impact Assessments under the GDPR

This Regulation has far-reaching consequences. TheGDPR finesin case of data breaches or non-compliance can be very high. As the GDPR is about data privacy and theprotection of personal data, its clear that you must also look at it if you have an Internet of Things project whereby personal data is involved.

You probably dont want to know that the Z-Wave Alliance (mainly used for smart home applications) has anew security frameworkif youre deploying a farming or agriculture project (and cattle doesnt fall under the category of data subjects in the GDPR) or are doing something inIndustry 4.0with, for example, theInternet of Robotic Things.

ePrivacy Regulation: electronic communication channels include the Internet of Things

Industrial Internet of Things (IIoT)

Digital transformation and technologies

No matter how you look at it: you need to start looking at regulations, privacy, data breach liabilities and compliance/security now. The GDPR (and ePrivacy Regulation) are just a few urgent reasons and each day were amazed when we talk with professionals in information management and other industries who say they are shocked to see how many organizations arent even in the early stages of awareness and preparation, although its a big task with big consequences if not done. And it needs to be done, not just for the fines but also for the market, although were certainly not among those who believe everything needs to be regulated and do understand other realities. But with IoT the stakes are too high, from a security perspective and beyond.

Digital transformation in insurance

IoT and regulation (GDPR, ePrivacy,)

Needless to say that, certainly with a bunch ofIoT consumer devices, which sometimes are hackable as hell, we are far from the possibility to do so in this segment. Whether you use consumer IoT devices and data in your consumer-oriented business or have IoT use cases in anIndustrial Internetcontext whereby personal data is leveraged(e.g. healthcare)with other types of connected devices make sure the full solution, including those devices, connectivity(there are loads of specificIoT connectivitysolutions, from the short-range ones such asZigbeeor those used in smart home apps to the many wireless ones in a long-range context, such asLPWA technologies), platforms, cloud and so on are integrated in a secure environment with security controls and policies on the levels of these various IoT components and an ability to report as the General Data Protection Regulation requires. These levels also include data and information streams further along the road.

39 percent of European consumers said they completely disagreed with the fact that IoT manufacturers provide sufficient information about the data/information they collect. Another 42 percent somewhat disagreed. In other words: not good. Well, one of the fundamentals of the GDPR is that data subjects (people) need to clearly give consent, not in legalese or weird ways, no: clear, visible and so forth. And at all times they have the right to know the what, who and why of the processing of their personal data.

The specifics of IoT in a GDPR and ePrivacy Regulation context

Digital transformation and information

Although the Internet of Things still really is in its early days, there are already different areas where personal data is leveraged.

There is far more. Yet, the overarching message is to make sure that your IoT plans and projects are certainly included in both your GDPR compliance strategies and the future ways in which you plan to leverage the IoT from the privacy and confidentiality perspective of the ePrivacy Regulation context.

How do you do that in practice when you have an IoT use case whereby personal data (of EU citizens) are involved?You get the picture. Not easy at all, depending on context and use case. Even on the level of giving consent to a company with a basic personal fitness tracker and application its alreay hard. Imagine more sophisticated cases. While there is no general advice to give as it so much depends on the use case, you will have to think about the where, when and how you get that consent or which other legal ground is a better fit. In some cases it will be mainly a matter of additional clauses in contracts(e.g. telematics in insurance, smart metering in contracts with utility firms), in others it will be harder(e.g. in-store retail applications and most certainly the use of the IoT for marketing purposes).

Customer experience and contact center

TheGDPR awarenessstage is an important part of any GDPR compliance process, with the IoT youll need to take the various IoT technologies into account.

The GDPR has very specific rules with regards to when such a Data Protection Impact Assessment. These are especially required when a new, specific type ofpersonal data processingwhich could lead to a high risk from thedata subject rightsand freedoms perspective and especially when new technologies are involved.

Among the devices that were checked: smart electricity meters, smart thermostats and health monitors (some medical devices turned out to send data to physicians via unencrypted mail). Note that the press release of the ICO is about the GDPR and was published end 2016, BEFORE the draft text of the ePrivacy Regulation was published.

Others include the specific regulations regarding the processing of personal data regarding children (ample of IoT toys nowadays), the right of erasure (a.k.a.right to be forgotten) and the right of access to personal data.However, the latter is is part of the post-consent stages, further down the road, where we would typically look at it from the data security,enterprise information management(policies, storage, all forms of processing,governanceetc.) andBig Dataperspective.

Digital transformation in manufacturing

Digital transformation and marketing

This of course mainly goes for the types of technologies and vendors you want/need for your IoT project.

Internet of Things use cases are always about data so its important to see where exactly personal data is used.

Something that is often overlooked is the importance of aData Protection Impact Assessmentor DPIA in the scope of IoT under the GDPR.

Once you know where personal data comes into play, you have to look at your IoT project. This seems obvious but in IoT there are many components that can pose a security risk and are often not seen or understood well enough by IT. There is no room or time for assumptions in this regard: IoT is different and not everyone leveraging it is equally aware of security aspects, to put it mildly.

Last but not least there are the privacy by design rules. On ourGDPR overview pageyou find plenty of links and resources where these and other topics are tackled. Do take a look at them in order to see where the IoT is involved if you look at the key rights, duties and stipulations of the GDPR.

Legal grounds for lawful processing

IoT regulation: IoT, GDPR, ePrivacy Regulation and more regulations

Going back to the GDPR, here are some things you MUST know in order to be compliant if you use the Internet of Things.

Content marketing and product marketing

Below are some aspects of the GDPR which are relevant but not always clear in an IoT context:

Industrial Internet of Things (IIoT)

Digital transformation in utilities

It goes without saying that there are several elements which need to be thoroughly understood and followed, including 1) existing IoT vulnerabilities and types of attacks, 2) the security initiatives which are taken in the IoT industry, including existing frameworks as we have them inindustrial IoT securityand in frameworks/initiatives of numerous vendors, standards bodies and associations and 3) the practices and initiatives of your partners.

Guess what the WP29 Guidelines on the requirement of a DPIA mention as examples. Indeed: IoT applications. If personal data are processed using IoT its already best to check whether you need a DPIA as the innovative use or applying new technological or organizational solutions is already one of 9 criteria which are recommended to use in order to see whether the need for a DPIA will be likely.

Leave a Reply