Considering privacy in relation to the Internet of Things (IoT) raises the question: how do we control, monitor and manage the huge amount of data being gathered by the devices we use and interact with?
With more and more everyday devices connected to the internet, privacy issues are multiplying. Gartner has predicted that there will be 20 billion connected devices by 2020. Couple that with the introduction of the General Data Protection Regulation (GDPR) in the EU and the size of the challenge balloons.
It's a truism that people don't read privacy policies. And, because of that, many data controllers take it for granted that users are okay with their data being collected and processed. This is particularly true when the data is used to improve the user's experience.
It's also true that regulators have historically been playing catch-up in a fast-changing digital world. They are attempting to rectify that with the GDPR.
The Cyber Counsel sums up the GDPR in one sentence:
"Ask permission, respect the privacy of the subject, value and protect their data."
Most people view the GDPR as primarily affecting the personal contact and financial data that is held by an organisation - things like name, address, email address, credit card numbers, etc.
It also specifically covers "sensitive personal data" - genetic and biometric data that can uniquely identify an individual.
But many argue that the GDPR is as much about security as it is about protection, which is something to be considered with the Internet of Things. IoT devices are arguably soft targets for hackers and security breaches, and with so much data available, security needs to be robust, comprehensive and sufficiently encrypted.
Since the GDPR is intended to put the power back in the hands of the data subject, consumers will have more power over where and how their personal data is accessed.
Fitness trackers, security systems, smart phones, smart TVs, thermostats, and even doorbells can be linked to other sources of data that enable the providers to maximise consumer experience and whilst they may serve the customer's interest.
Here, we discuss the fundamentals of GDPR in relation to smart devices and technology as a part of the Internet of Things.
The argument that open data helps improve and shape the world we live in is often met with concern about how that data is used. However, 6 out of 10 IoT devices don’t properly tell their customers how their data is being used. Article 5 of the GDPR sets out that you must “be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.”
Data about the habits and preferences of individuals is often collected to further tailor and improve the experience with a device, which is why the transparency and consent requirements set out by the GDPR are perhaps the most pertinent in this case. These obligations apply to the life cycle of processing.
The GDPR requires full transparency for data collection. Subjects must be clearly and explicitly informed of what data will be collected, why it is being collected (what it will be used for), and how long it will be retained. The subject should also be made aware of their 'right to be forgotten' and that they are entitled to withdraw consent at any time.
If we take smart wearable trackers, for example, permission must be clearly given. Inactivity does not constitute consent, and ‘passively not ticking a box’ will not meet the new standards.
Data controllers must be able to demonstrate that the data subject has consented to the processing of his/her data.
Any data controller should have a clear, unambiguous policy relating to the processing of data, which should be transparent and easily accessible.
There has been some doubt about the ability to obtain consent of a sufficient nature with IoT devices, but the same rules apply even to smart device manufacturers. Consent should be freely given, specific, informed and unambiguous and cannot be assumed by inactivity.
Collection of data should be limited to what is absolutely necessary and nothing more. So once the data has been used for its intended purpose, it should be deleted unless the subject previously consented otherwise.
If consent has previously been obtained, but the data controllers are unsure as to whether it was clear or affirmative, as long as the data is being processed in the same way, this is okay. But the data subject should be given the option to withdraw consent at every opportunity.
All data handlers, processors and controllers are obliged to meet the new privacy regulations. For more information, you can read the full ICO guide to the GDPR, and ensure you are well prepared ahead of its commencement on 25th May 2018.