The challenges of IoT and the influence of GDPR
IoT is all around us in our daily life, even more than we can imagine. We have probably all heard about Google Home, Alexa, Siri and Smart TV’s, but next to these a lot of other devices are also connected to internet. Most of the time we are not even aware that those devices are connected. Did you know that motion detectors in supermarkets or retail stores; baby monitors; climate control and maybe your LED bulbs, your audio receiver, your PlayStation etc. are connected to your network? In many cases these devices are also connected over the internet to other users, servers of the manufacturer or third party service providers for your devices.
And we are not there yet! The number of devices keeps growing, certainly now even cities would like to become ‘smart’. Our health can be tracked with connected devices such as heart rate sensors, patient monitoring, fall detection sensors… These devices are very often connected to capture and share information with medical personnel, who can evaluate the results over a larger dataset and develop better care for the patient or even automatically take action in case of a “man down” alert.
This evolution however has major privacy related challenges:
1. In the future the amount and type of connected devices will increase
2. The amount and type of data the connected devices will capture will increase as well (a heartrate monitor that can detect if your skin needs to be hydrated)
Now what is the right balance? On the one hand, a lot of these new services primarily help us and can be beneficial to us (or at least that is what we are told). On the other hand, our personal data and behaviour might be used secondarily in an (un-)identifiable way for product development and direct marketing.
Let’s take a closer look at the challenges concerning IoT devices. First of all, let’s investigate the development of the devices. As always, the market is under a lot of pressure. Failing to be in time with a product launch can result in a disaster for any business. And when a business is under pressure, mistakes are often made. The Security of a device comes, in the best case, on the second place (more often even lower on the priority list). First of all, the focus is on the functionality of the products and all the other features. Take the time for a moment to think how many software and hardware updates (for de-bugging and for enhancement, for security and for added functionality) are sent with newly launched products. It is almost on a weekly basis that you need to update the apps that come with your device. Even after an established working time, updates and patches keep coming in. Although these patches and updates mean more safety, it makes us think how the situation was before these patches and updates, especially when too many updates have the sole purpose of improving security. This we can read in the release notes.
Secondly, a lot of these devices might capture or process more information than needed for the purpose for which we bought them in the first place. The new heartbeat sensor you use today, maybe already captures the hydration of your skin, sometimes without even notifying you. When companies would like to develop their products while gathering “new” data they have to inform the user beforehand otherwise they are (amongst other things) not respecting the purpose limitation and data minimisation principles of the GDPR.
It shouldn’t be a surprise to you that data is becoming the most valuable asset in our economy. The data captured by your smart watch, can be a good source for health insurance companies to analyse your health better based on real personal data. This evolution is possible, but parties have to take into account the data protection challenges:
• Is the user aware of what (personal) data the sensor can capture?
• Is the user informed about the processing that will be done on this data, by whom and for what purposes?
• How long are the data kept?
• Under what conditions can others get access to this data?
• Can I view all my data?
• Did the user (explicitly) consent to the processing the right way or is the processing based on a contract or something else?
• Is your data anonymised or pseudonymised at some stage in the processing?
At the start of a development, a company might have an idea where the value of the product and the data can be found. But over time, more and more value come from sources a lot of us couldn’t think of at the start of the development. Next to that we need to consider how the data is exchanged and who the different processors are. How secure is the data exchange? The appropriate measures need to be taken based on the sensitivity of the data. In all stages data protection has to be part of the design.
Last but not least is the growth of the IoT market. Everything is considered to be connected to the internet. On every device we believe there is a use to get it connected. Even the consumption of energy of your fridge can be monitored. If you combine all this and start transferring and exchanging the data between different organisations, the set of data that can be gathered from one individual is enormous. Besides personal data these datasets also consist of behavioural data, data about our preferences, data about interactions with others and so on. This, of course, is all to be considered personal data (in many cases even special categories of data) and can do big harm to an individual when it gets in the wrong hands.
To conclude, GDPR is not fighting IoT and these evolutions. These evolutions are there to serve us and are beneficial to us, but the speed of development and the key points during development need to be reconsidered. Data Protection by Design and by Default need to be part of the R&D from the start: data minimisation and retention are topics that need a place in the development plan and anonymization or scrambling of data needs to be built in to the security of hardware and systems, where possible. We really value the new IOT era, it will bring so many advantages to all of us. Let’s make sure the security of personal data captured comes first and we will all sleep better at night… (Do you already have a sleep monitor? 🙂 )