Preparing for the new EU data laws in the IoT space

Steven Farmer of Pillsbury Law

Another day, another story of a cyber breach hits the news. Recent reports suggest that Uber was one of the latest victims, with 2.7 million people in the UK being affected by a cyber attack that took place in 2016, says Steven Farmer of Pillsbury Law.

With the most significant overhaul of EU data protection laws scheduled to come into effect in May 2018, data protection stories look set to remain in the headlines. The new General Data Protection Regulation (GDPR) will have direct effect throughout the EU, and the UK Government has committed to retaining the law post-Brexit. The new law not only requires private organisations and public entities to report data breaches to regulators in most circumstances, but also empowers those regulators to issue significant fines where breaches occur.

What does the new law say?

The new law changes the existing legal framework and empowers regulators to issue fines of up to four percent of global corporate turnover or €20 million for each breach, whichever is greater. Organisations in the IoT space are particularly vulnerable given the amount of information collected, and the potential weakness in wireless technologies, which can be exploited by hackers.

Businesses in the IoT space should be aware of the following key points:

  • Accountability – crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work. For example, when developing an IoT product, a risk assessment will be required to review the sensitivity of the data collected and detect potential risks.
  • Consent – new rules will also be introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward. In addition, IoT products, which incorporate privacy settings, should, by default, be set on the most privacy-friendly setting, although users can be given the option to change these settings as part of an initial set-up process.
  • Enhanced rights for individuals – new rights will be introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, among others. The right to data portability empowers individuals to request that their data be transferred to a third party, likely a competitor, in a machine-readable form.
  • Privacy policies – fair processing notices will now need to be more detailed and providers of IoT products will need to ensure that policies are updated.

  • International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers will be expressly recognised for the first time and so should be considered as a transfer mechanism. Also, if the UK leaves the European Union without a “data-deal”, transfers of personal data between the UK and Europe may not be permitted unless safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
  • Breach notification – new rules requiring breach reporting to regulators within 72 hours, and the individuals affected (subject to conditions), will be introduced and so processes in place (or not) will need to be revisited to accommodate these rules.

What should businesses be doing?

With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance.

In terms of key first steps, IoT companies might consider prioritising the following as a minimum:

  • Review privacy notices and policies – ensure these are GDPR compliant. Do they provide for the new rights individuals have?
  • Prepare and update the data security breach plan – to ensure new rules can be met if needed.
  • Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR? What are the default privacy settings on your IoT products?
  • Set up an accountability framework – e.g., monitor processes, procedures, train staff.
  • Audit your international transfers – do you have a lawful basis to transfer data? How will transfers continue post-Brexit?

As the 25th May 2018 draws ever closer, the advice to firms in the IoT sector that are yet to consider their obligations is to start thinking about compliance sooner rather than later. Falling foul of the GDPR could not only damage customer trust, but could also have profound financial implications. As the adage goes: ‘those who fail to prepare are preparing to fail’.

The author of this blog is Steven Farmer, counsel at Pillsbury Law

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow 

RECENT ARTICLES
5th Edition Connected Africa announces Telecom Innovation & Excellence Awards 2024 banner

5th Edition Connected Africa announces Telecom Innovation & Excellence Awards 2024

Posted on: April 19, 2024

The International Center for Strategic Alliances (ICSA) has announced the 5th Edition Connected Africa- Telecom Innovation & Excellence Awards 2024, set to be held on 22 May 2024 in Johannesburg, South Africa. Under the theme “Building a Connected Global Economy,” the summit aims to influence the telecom in Africa. With a focus on fostering forward-thinking

Read more
local retailer taking care his business

Facilio launches refrigerant tracking and leak detection software

Posted on: April 19, 2024

Property operations software firm Facilio has announced the launch of its ready-to-deploy refrigerant tracking and leak detection software solution. This is meant for all grocery and convenience store operators who want to implement an automatic leak detection system to identify and mitigate potential refrigerant leaks to achieve 100% compliance.

Read more
FEATURED IoT STORIES
What is IoT answer

What is IoT? A Beginner’s Guide

Posted on: April 5, 2023

What is IoT? IoT, or the Internet of Things, refers to the connection of everyday objects, or “things,” to the internet, allowing them to collect, transmit, and share data. This interconnected network of devices transforms previously “dumb” objects, such as toasters or security cameras, into smart devices that can interact with each other and their

Read more
iot adoption

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more
IoT Now Enterprise Buyers’ Guide Which IoT Platform 2021

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more
CAT-M1 vs NB-IoT

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more
internet of things isometric illustration of connected things

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
iot challenges and issues

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more