Preparing for the new EU data laws in the IoT space

Steven Farmer of Pillsbury Law

Another day, another story of a cyber breach hits the news. Recent reports suggest that Uber was one of the latest victims, with 2.7 million people in the UK being affected by a cyber attack that took place in 2016, says Steven Farmer of Pillsbury Law.

With the most significant overhaul of EU data protection laws scheduled to come into effect in May 2018, data protection stories look set to remain in the headlines. The new General Data Protection Regulation (GDPR) will have direct effect throughout the EU, and the UK Government has committed to retaining the law post-Brexit. The new law not only requires private organisations and public entities to report data breaches to regulators in most circumstances, but also empowers those regulators to issue significant fines where breaches occur.

What does the new law say?

The new law changes the existing legal framework and empowers regulators to issue fines of up to four percent of global corporate turnover or €20 million for each breach, whichever is greater. Organisations in the IoT space are particularly vulnerable given the amount of information collected, and the potential weakness in wireless technologies, which can be exploited by hackers.

Businesses in the IoT space should be aware of the following key points:

  • Accountability – crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work. For example, when developing an IoT product, a risk assessment will be required to review the sensitivity of the data collected and detect potential risks.
  • Consent – new rules will also be introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward. In addition, IoT products, which incorporate privacy settings, should, by default, be set on the most privacy-friendly setting, although users can be given the option to change these settings as part of an initial set-up process.
  • Enhanced rights for individuals – new rights will be introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, among others. The right to data portability empowers individuals to request that their data be transferred to a third party, likely a competitor, in a machine-readable form.
  • Privacy policies – fair processing notices will now need to be more detailed and providers of IoT products will need to ensure that policies are updated.

  • International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers will be expressly recognised for the first time and so should be considered as a transfer mechanism. Also, if the UK leaves the European Union without a “data-deal”, transfers of personal data between the UK and Europe may not be permitted unless safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
  • Breach notification – new rules requiring breach reporting to regulators within 72 hours, and the individuals affected (subject to conditions), will be introduced and so processes in place (or not) will need to be revisited to accommodate these rules.

What should businesses be doing?

With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance.

In terms of key first steps, IoT companies might consider prioritising the following as a minimum:

  • Review privacy notices and policies – ensure these are GDPR compliant. Do they provide for the new rights individuals have?
  • Prepare and update the data security breach plan – to ensure new rules can be met if needed.
  • Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR? What are the default privacy settings on your IoT products?
  • Set up an accountability framework – e.g., monitor processes, procedures, train staff.
  • Audit your international transfers – do you have a lawful basis to transfer data? How will transfers continue post-Brexit?

As the 25th May 2018 draws ever closer, the advice to firms in the IoT sector that are yet to consider their obligations is to start thinking about compliance sooner rather than later. Falling foul of the GDPR could not only damage customer trust, but could also have profound financial implications. As the adage goes: ‘those who fail to prepare are preparing to fail’.

The author of this blog is Steven Farmer, counsel at Pillsbury Law

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow 

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Scality’s 2022 forecast: Storage solutions get AI/MLOps upgrade, enhanced ransomware protection

Posted on: December 8, 2021

London, UK. 7 December 2021 – Scality announced its data storage predictions for 2022, coming off a year when ransomware attacks have exploded, skills shortages remain, and cloud adoption continues. This year’s forecast homes in on how storage solutions will evolve to meet these challenges and how emerging technologies will impact the data storage landscape.

Read more

Virtana free tier offering lets enterprises experience simplified hybrid cloud optimisation at no cost

Posted on: December 8, 2021

Virtana announced the immediate availability of a free version of Virtana Optimize, its cloud optimisation solution. The Free Tier offering complements the Premium version of Virtana Optimize, allowing for frictionless customer adoption.

Read more