GDPR and the Internet Of Things

Updated: Apr 13, 2020

The ‘Internet of Things’ (IoT) refers to any devices that are connected to the internet. This includes smartphones, smart televisions, PCs and health devices. It is estimated that by the year 2020, 20 billion devices will be connected to the internet.

The ‘Internet of Things’ or IoT is everywhere. Alongside the emergence of IoT, however, new regulatory frameworks have been implemented, such as GDPR and the ePrivacy Regulation, to name a few.

Because of this, sceptics have voiced the opinion that GDPR will make IoT products very difficult for companies to comply with and for people to use. But how is the European Union’s GDPR going to affect IoT?

Every device that connects to the internet has data collected from it, and, depending on the data, this is territory where GDPR may become involved.

IoT devices frequently collect personal data, which poses a real risk to the privacy of that data. This raises the question of how consent comes into play when IoT devices gather data. Another question to be asked is who is responsible for the data collection.

IoT can be problematic under GDPR because, at the moment, there are few guarantees regarding its security. In fact, research in both industry and academia is still being conducted to establish the most efficient methods of IoT security.

GDPR does not dictate which security methods a company must use. This means that companies can choose from many methods, such as encryption, pseudonymization, anonymization and multi-factor authentication, depending on what works best for them.

However, apart from security, another dilemma with IoT is ensuring compliance with GDPR’s requirement that data collection is based on the consent of its users. Data subjects must give consent and must have the option to opt out if they do not want their personal data collected. This can be very difficult for IoT devices, since they frequently collect data from their data subjects.

To make things even harder, data controllers and/or data processors must consider every aspect and possibility where consent is required, because one overlooked step could lead to non-compliance with GDPR, and that is going to get you in trouble, potentially with a hefty fine!

Another red flag for IoT is GDPR’s sensitivity to children. GDPR specifically states that data subjects under the age of 13 cannot give consent on their own when it comes to online services. Unfortunately, IoT devices are not age-restricted and have many users below 13 years old.

Moreover, IoT will also have to deal with continually tracking where the data is. This includes knowing who has the right to access the data, how the data is or will be used, and to whom the data has been disclosed. This will be hard for IoT devices, because GDPR requires that this information, and more, be disclosed to data subjects at any given point in time, and with so many devices connected, losing track of data is inevitable.

Data controllers should be able to look at every angle of the regulation and every possibility it brings through “privacy by design and by default”. This is admittedly a very tough job for IoT, and if it seems unclear how this can be approached in order to be GDPR compliant, that is because it is! The reasons are the number of devices connected, the storage methods and the involvement of multiple departments. But do not fret just yet: while this may be a lot of work, every data controller is given a month to respond to any access request. While it doesn’t really provide a solution, it does buy them some time.

How is it going for IoT so far, you may ask? According to research conducted by the Global Privacy Enhancement Network: 59% of the devices failed to educate their data subjects about how their personal data is being collected, used and/or disclosed; 68% failed to explain how their data is being stored; 72% neglected to explain how data subjects’ information could be erased from a device; and 38% did not have easily identifiable contact details in case privacy concerns arose.

Statistically, this is definitely bad news for IoT devices, and the bad becomes worse once we put GDPR into the picture. But it is inevitable, since our lives are now co-dependent with technology.

We should have a more positive outlook on GDPR in general and should never see it as an obstruction. GDPR is there to give people better rights to security and privacy. GDPR also challenges companies to provide a better service to their users. If we look at the brighter side of GDPR rather than focusing on the fines for non-compliance, abiding by the regulation becomes easier, and that includes complex systems like the Internet of Things.