May 25th is almost here, and GDPR is on everyone’s mind. While most of the attention (and most likely, enforcement) is directed at large companies hoarding information on millions of users, it will quickly trickle down to smaller entities and even smaller devices. Although GDPR architects did not have IoT devices, service providers or users in mind when writing the regulations, the legislation will have a substantial impact on the IoT world.
A quick reminder: what is GDPR, and is it relevant to my business?
The GDPR (General Data Privacy Regulation) is a European Union regulation aimed at improving digital privacy. Although born in the EU, it impacts not only all members of the European Union, but anyone doing business with an individual who is a citizen of and/or physically in a country that is a member of the European Union. The GDPR also specifies that there does not need to be a transactional nature to the collection of personal data or behavioral information. In general, any entity that collects or processes personal information could be affected by GDPR, IoT services included.
Impact on IoT consumer devices
Consumer IoT devices like personal assistants, smart TVs, refrigerators and home security cameras are subject to GDPR because they collect information about their owners. In this regard, they are not very different from an e-commerce website or social network that collects personal information and uses it to improve customer experience. The IoT service providers operating these devices should pay close attention to receiving consent from their users and strictly adhere to all the articles regarding the safekeeping of personal data. They must protect the information stored in their database and secure the devices to the best of their efforts.
Public IoT devices: they don’t all fall under GDPR
Moving from the private to the public environment is where things get complicated. Some IoT devices are merely sensors or actuators, and therefore either do not collect any personal information or do so in an anonymous manner, like a parking or lighting sensor that identifies a person approaching but is unable to determine who it is, and at any rate, does not store or process this information. However, some IoT devices are designed exactly for this purpose: surveillance cameras, license plate readers, and access control devices either identify the person or vehicle, or capture high-resolution imagery that enables identification. As such, these fall under the GDPR umbrella.
Access control systems contain the information of individuals registered to enter a certain location. While most access control systems are installed on private premises, and therefore do not necessarily fall under GDPR (which is less relevant for collecting information on employees), there are some large-scale access control systems, usually deployed in relation to public transportation. The Oyster Card, used to access most public transport in London, is a good example. The routes of a person who travels regularly can easily be understood from analyzing their data, so the authorities should consider this as sensitive, private data and protect it as such. Even enterprises that operate access control systems to secure their premises for employees only should consider adhering to GDPR, because some systems also process the data of visitors and contractors, and others utilize biometric identification information (like face footage or palm recognition). If this information is leaked, it could be used elsewhere for nefarious purposes.
One of the most intrusive technologies is video surveillance. Regulators have long recognized this and have imposed strict codes of conduct on authorities, organizations and enterprises operating CCTV. For instance, in the UK (perhaps the most advanced nation, both in terms of regulation and deployment of public surveillance means) CCTV system operators are subject to the Data Protection Act 1998. However, since identifiable imagery is considered personal data under the GDPR, CCTV and LPR operators should now also comply with it. Any act of storage or access is considered processing, so it is imperative that business owners and CCTV operators uphold the confidentiality and integrity of any footage, as follows:
- CCTV recordings and other logs must be stored securely and encrypted, and access must be restricted to authorized personnel. This means that the connected devices themselves, the video management systems (VMS), and the physical databases or cloud storage should all be secured and monitored to identify hacking attempts and data leaks.
- Screens displaying live or recorded footage should only ever be viewed by authorized personnel. This includes both the VMS itself and the actual cameras, which can be accessed online if not properly secured.
- Appropriate security safeguards must be in place to prevent interception and unauthorized access, including access to the devices, copying of recordings or viewing the footage. This also covers malicious insiders, who can access sensitive customer imagery if it is not monitored and secured properly.
What should you do next?
If you are consuming IoT services or providing such services, we suggest the following:
- Proper assessment: The Information Commissioner’s Office (ICO) recommends that organizations carry out a data protection impact assessment (DPIA) to assess the extent to which monitoring is required, where it is required, and at what times.
- Adopt cloud-based solutions: The migration of video management and storage systems to the cloud facilitates compliance and contributes to the overall security posture.
- Deploy appropriate IT security solutions, including database encryption, access control, cloud access control, network traffic analysis, and all other means necessary to safeguard IT data, prevent unauthorized access, and quickly identify a breach.
- Deploy IoT security solutions, including encryption, authentication, and real-time monitoring of the devices and users to ensure that the data is being viewed only by those who need to access it, that the devices themselves are resistant to hacking, and that cyber attacks can be detected and mitigated in real time.