May 2, 2018

3 weeks to go: Have you considered the impact of IoT on GDPR?

We are in the GDPR home straight with the finish line in sight. However, what we see ahead is not the finish line but the deadline. We are now only weeks away from the start of the new GDPR regulation, which fundamentally changes the way organizations manage, process and protect personal information.

Are organizations ready to manage consent, data breach reporting, subject access requests and so on?

Do organizations understand how exposed their business and brand could be?

When you consider the size of the challenge for organizations in their traditional business environments, it can range anywhere between disruptive to daunting. These are environments that are structured, known, planned and mature. Now throw in the concept of insecure connected devices and services, and cloud platforms that collate and manage the data flow from the edge. Welcome to the IoT paradigm.

Fundamentally, the impact that IoT will have on this environment is driven by how clear and well defined the trust model is.

Although driven by the EU, it’s important to note that GDPR applies to organizations located outside the EU. If a U.S. based organization collects personal data from an EU-based individual, GDPR applies.

Here are some questions to consider for GDPR and IoT:

Can you trust the device?

Does it have a managed, persistent identity that doesn’t end at “stuff in a PKI cert”? Can you change elements of the identity in the event of suspected compromise? Can you audit and track access control?

Can you trust the data that flows from the device?

TLS is a great way to ensure that data transport is secure, but it does not protect data at either end of the journey. Nor does it secure data during service hand-off processes such as MQTT broker transactions, where the broker sees the payload in the clear. The quandary then becomes how, and where, you encrypt the data itself.
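One answer to that quandary, as an added example that is not code from the original post or from Device Authority: encrypt the reading at the application layer with AES-GCM before it is published, so the MQTT broker relays an opaque payload and only the consuming service that holds the key can read it. The topic name, 32-byte key and sample reading are constructed for the demo; in practice the key comes from device provisioning.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the device: the MQTT payload becomes nonce || ciphertext || tag,
// readable only by holders of the key. The topic is bound as associated data.
func Seal(key []byte, topic string, reading []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, reading, []byte(topic)), nil
}

// Open runs on the service after the broker hand-off; a wrong key, a different
// topic or any altered byte yields an error, never garbage.
func Open(key []byte, topic string, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(payload) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("payload too short: %d bytes", len(payload))
	}
	return gcm.Open(nil, payload[:gcm.NonceSize()], payload[gcm.NonceSize():], []byte(topic))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from provisioning
	rand.Read(key)
	payload, _ := Seal(key, "site/42/heart-rate", []byte(`{"bpm":72,"subject":"alice"}`))
	pt, err := Open(key, "site/42/heart-rate", payload)
	fmt.Printf("broker relays %x\nservice reads %s (err=%v)\n", payload, pt, err)
}
```

Binding the topic as associated data means a payload captured from one topic and replayed on another is rejected at the service, which is a useful detection signal in its own right.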

Do you know where the device should be and does it cross international borders?

Is the data you collect stored for long periods of time and subject to backup and archive?

How can you delete individual records upon request?

Data must be “secure by design”

These are a few examples of how companies are waking up to the hidden time bomb that IoT can represent under GDPR. If you have a device that generates or collects any of the stipulated constituents of personal data, then you should review, and potentially revise, what needs to be done for compliance.

With an extensive network of technology partnerships and integrations, Device Authority can help accelerate the journey to GDPR compliance for IoT.

Please contact us to find out more.

Paul Lockley