The Internet of Things (IoT) does not escape the requirements of the General Data Protection Regulation (GDPR). Bringing connected objects into compliance with this regulation, which entered into force almost six months ago, is a major challenge, not least because compliance helps restore consumer confidence in connected objects.
Securing connected objects: a real challenge
IoT and connected objects represent a real gold mine for companies in terms of data on consumer preferences, activities and behaviors, all of which helps companies develop suitable business strategies to boost profits. The ultra-connected world of IoT opens up a wide field of innovation for companies, but not without arousing consumer suspicion of possible invasions of their privacy. According to a BVA survey, 12% of respondents consider the use of connected objects “a danger” to “collect and analyze personal and confidential information”.
Correctly supervising and responsibly managing the personal data collected by connected objects is therefore a major challenge for the world of IoT, both in terms of security and confidentiality. The adoption of the GDPR in May 2018 strengthened the rights of European citizens over the use and protection of their personal data. A necessary measure, given the vast sets of user data collected by connected objects: sports assistants, connected health equipment, personal fitness objects, consumption sensors, household and home automation sensors, etc. All of these are now subject to the requirements of the General Data Protection Regulation. Bringing the IoT into compliance with this regulation, a major challenge for companies’ teams, has called into question the design and security of connected objects, but also the internal processes for collecting and protecting user data. If these tools are not sufficiently secure and do not properly protect the data they capture, their commercial failure is almost guaranteed.
IoT and GDPR: designing connected objects differently
The entry into force of the GDPR has prompted companies to apply the concept of “privacy by design”, which consists of taking several privacy and security standards into account from the very design of products. It is at this stage in particular that the teams play a key role, taking the protection of personal data into account from the outset of a project. The goal is to anticipate the impact of processing on the data collected by connected objects, which can affect the privacy of users.
With the adoption of the General Data Protection Regulation, the designers of a product or service must now systematically identify and adopt the measures necessary to protect users’ data throughout their cycle of use: from encryption to secure identification, through anonymization and firewalls, etc. This is a particularly complex research task, given that a connected object is most of the time linked to a service or a platform, most often hosted in the Cloud, or to network connectivity. Compliance with the requirements of the GDPR must extend to all suppliers involved in the personal data cycle, namely the collection, storage and processing of this user information. This is a vast undertaking that is not limited to IoT, since the development of applications is also constrained by the GDPR rules on users’ rights over their data: access, modification, portability, right to be forgotten, etc. A company complying with the GDPR therefore follows a path of progressive and continuous optimization, resulting in better-designed services and technologies as well as enhanced security.
Personal data management: a key issue
Companies that develop or use connected objects internally must, since the entry into force of the GDPR, properly manage the personal data collected so as to ensure that it is secured, collected and processed in accordance with the principles of European regulations. Where is this private and sensitive data stored? Who is responsible for it? These questions are not easy to answer, in particular because of the dispersion of data between different platforms or entities.
These questions apply both to the R&D teams in charge of designing connected products and to the various departments that use IoT internally. It therefore becomes essential to identify exactly the path followed by the personal data processed, but also to examine its hosting and security conditions. By complying with the GDPR requirement to reconcile all stored data, including data from IoT, the company will also gain a unified view of its users’ profiles.
The most important impact of the GDPR on the IoT is the move from a posteriori control to a mindset based on the notion of “privacy by design”, implemented through self-regulation by companies developing connected objects. This self-regulation places corporate responsibility at the heart of the success of the GDPR project and will allow the world of IoT to gain the trust of users over the long term.