Intelligent CISO Issue 01 | Page 39

data is only processed in these defined ways. It’s important to get this right as you can’t change the basis under which data is processed once collected.
The best advice for GDPR compliance is to get outside help from GDPR specialists who can guide you through the complexities and make sure you are implementing GDPR in a way that’s appropriate for your organisation.
Can you explain the link between complying with the GDPR regulations and leveraging IoT?
SARAH BAILEY, CLIENT DIRECTOR, IT SECURITY & GRC, SERVICENOW
IoT is essentially about the always connected customer. As an always connected customer, the company that provides the IoT device has access to vast amounts of your data. Let’s take an energy smart meter as an example; the energy company captures everything about energy usage and as a consequence will know when your cooling comes on, when you wake up in the morning and make a cup of tea because of the spike in the energy consumption, etc.
I imagine that it would not be a stretch for them to sell this information to manufacturers of a certain brand of tea and one fine morning you wake up, make a cup of tea and the same instant, get a text on your phone from that tea manufacturer introducing their latest flavour. This is where the concept of privacy by design is absolutely critical; when you design these IoT systems, how do you build privacy in to it? How do you opt people out by default, as opposed to opting them in, and how do you manage subject access requests, which is one of the core tenets of GDPR?
I think if we look at the scale of IoT devices, this might be one of the biggest challenges for the industry.
HARRIET COHEN, HEAD OF COMPLIANCE AND CERTIFICATIONS, DIGITAL GUARDIAN
Complying with GDPR means, at a minimum, complying with the rights of data subjects as defined in GDPR Articles 14 through to 22, for example, the right for an EU citizen or resident to require incorrect information to be corrected and the right to object to having their information used at all by a company. GDPR does not specify or limit in any way the manner in which that data is being gathered. If the data is gathered by an IoT device, it is still subject to the same GDPR regulations as if it were gathered through entry in a form on the web. That said, the EU citizen and resident rights are not absolute and there are exceptions (specified in Article 6) that allow a company to process personal data. Those exceptions include the data subjects having given their consent to the use of the data. Ultimately, the courts will need to decide whether an EU citizen, by purchasing an IoT device for their home, has implicitly given consent to the use of their data.
ROLAND DACCACHE, SENIOR REGIONAL SALES ENGINEER MENA, FIDELIS CYBERSECURITY

GDPR will require that companies constantly monitor all their devices.

Anyone in the business of leveraging IoT – such as the healthcare industry – already has to work particularly hard to ensure that the vast amount of data they are in charge of stays secure and that the right for their users to be forgotten is respected.
GDPR will require that companies constantly monitor all their devices and have the ability to report on both inbound and outbound network traffic, data security, vulnerability management and any unusual behaviour or trends that could indicate an attack or compromise of data. The complexity of the data networks involved in IoT deployments makes it even more crucial for their security infrastructures to be compliant with the new regulations in order to avoid the repercussions of data being breached. After all, it could be a matter of life and death if a healthcare company was the victim.
BRIAN CHAPPELL, SENIOR DIRECTOR, ENTERPRISE & SOLUTION ARCHITECTURE, BEYONDTRUST

It’s likely that the IoT community will quickly embrace GDPR.

One of the biggest challenges with IoT and GDPR lies in achieving consent, where consent is one of or the only basis under which personal data is being processed. This is particularly an issue in the case of children, where those under 13 cannot give consent on their own behalf. When you are interacting with a platform that may have no clear way in which to gain unambiguous consent for the user’s personal data to be processed in the specific ways required, you lay yourself open to GDPR non-compliance. Depending on how the IoT platform is designed and what services it’s providing, there may be a number of legal bases under which processing can fall, but it’s vitally important to have that properly defined and documented.
Given the versatility of IoT devices we already see in our homes and our workplaces, it’s likely that the IoT community will quickly embrace GDPR and incorporate mechanisms to enable consent to be accurately obtained.