The IoT (Internet of Things) does not escape the requirements of the GDPR (General Data Protection Regulation). Bringing connected objects into compliance with this European regulation, which entered into force almost six months ago, is a major challenge, and one that in particular helps to restore consumer confidence in connected objects.
Securing connected objects: a real challenge
With the IoT and connected objects, customer relations know no bounds, since users are permanently connected. A continuous connection is a real gold mine for companies in terms of data on consumer preferences, activities and behaviours, allowing them to develop suitable business strategies. The ultra-connected world of the IoT therefore opens up a wide field of innovation for companies, but not without a certain suspicion on the part of consumers about possible invasions of their privacy. According to a BVA survey, 12% of respondents consider the use of connected objects “a danger” because they “collect and analyse personal and confidential information”.
Correctly supervising and responsibly managing the personal data collected by connected objects is therefore a major challenge for the world of the IoT, both in terms of security and of confidentiality. The adoption of the GDPR in May 2018 strengthened the rights of European citizens over the use and protection of their personal data. A necessary step, given the vast sets of user data collected by connected objects: sports assistants, connected health equipment, personal fitness devices, consumption sensors, household and home automation sensors, etc. All are now subject to the requirements of the General Data Protection Regulation. Bringing the IoT into compliance with this regulation, a major challenge for companies’ teams, has called into question the design and security of connected objects, but also the internal processes for collecting and protecting user data. If these products are not sufficiently secure and do not properly protect the data they capture, their commercial failure is almost guaranteed.
IoT and GDPR: designing connected objects differently
The entry into force of the GDPR has prompted companies to apply the concept of “privacy by design”, which consists of taking several privacy and security standards into account from the very design of a product. It is at this stage in particular that the teams play a primordial role, by taking the protection of personal data into account from the outset of a project. The goal is to anticipate the impact of the processing of the data collected by connected objects, which can affect the privacy of users. This anticipation is essential for protecting consumer data.
With the adoption of the General Data Protection Regulation, the designers of a product or service must now systematically identify and adopt the measures necessary to protect users’ data, and do so throughout the cycle of use: from encryption to secure identification, through anonymisation, firewalls, etc. This is a particularly complex research task, given that a connected object is most of the time linked to a service or a platform, most often hosted in the cloud, or to network connectivity. Compliance with the requirements of the GDPR must apply to all suppliers involved in the personal data cycle, namely in the collection, storage and processing of this user information. This vast work is not limited to the IoT, since the development of applications is also constrained by the rules of the GDPR relating to the rights of users over their data: access, modification, portability, right to be forgotten, etc. A company complying with the GDPR therefore follows a real path of progressive and continuous optimisation, resulting in a better design of services and technologies as well as enhanced security.
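To make the “privacy by design” measures listed above concrete, here is an added example (not code from the article or from any product it mentions) of a small telemetry store for a fitness device that applies data minimisation at ingestion, pseudonymises the device identifier with a keyed hash, enforces a retention period, and implements the access/portability and erasure rights over the stored records. The device names, readings, the 30-day retention period and the `PSEUDONYM_KEY` value are constructed for the demonstration; in a real deployment the key would be held in a KMS or HSM, never next to the telemetry.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo secret: a real deployment keeps this in a KMS/HSM, separate
# from the data store, so that a leak of the records alone cannot be re-linked.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

# Constructed retention period; the real value comes from the processing record.
RETENTION = timedelta(days=30)

# Data minimisation: the only fields the service actually needs. Anything else
# sent by the device (GPS fix, owner e-mail, ...) is dropped before storage.
ALLOWED_FIELDS = {"steps", "heart_rate_bpm"}


def pseudonymize(device_id: str) -> str:
    """Keyed hash of the raw device ID: stable per device, but not reversible
    without the key, so the telemetry store never holds the raw identifier."""
    return hmac.new(PSEUDONYM_KEY, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(reading: dict) -> dict:
    """Keep only the allowed measurement fields from a raw device message."""
    return {k: v for k, v in reading.items() if k in ALLOWED_FIELDS}


class TelemetryStore:
    def __init__(self) -> None:
        self.records: list[dict] = []  # each: {"subject", "ts", "data"}

    def ingest(self, raw: dict, now: datetime) -> dict:
        """Store a minimised, pseudonymised copy of one device reading."""
        rec = {
            "subject": pseudonymize(raw["device_id"]),
            "ts": now.isoformat(),
            "data": minimise(raw),
        }
        self.records.append(rec)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: drop records older than RETENTION; return count."""
        cutoff = now - RETENTION
        before = len(self.records)
        self.records = [r for r in self.records
                        if datetime.fromisoformat(r["ts"]) >= cutoff]
        return before - len(self.records)

    def export_subject(self, device_id: str) -> str:
        """Right of access / portability: all records for one device as JSON."""
        subj = pseudonymize(device_id)
        return json.dumps([r for r in self.records if r["subject"] == subj], indent=2)

    def erase_subject(self, device_id: str) -> int:
        """Right to erasure: remove every record for one device; return count."""
        subj = pseudonymize(device_id)
        before = len(self.records)
        self.records = [r for r in self.records if r["subject"] != subj]
        return before - len(self.records)


def demo() -> dict:
    """Run the full lifecycle on constructed readings and return the outcomes."""
    t0 = datetime(2018, 11, 1, tzinfo=timezone.utc)
    store = TelemetryStore()
    # Constructed readings; the extra fields must not survive ingestion.
    store.ingest({"device_id": "watch-A", "owner_email": "a@example.org",
                  "gps": [48.85, 2.35], "steps": 1200, "heart_rate_bpm": 72}, t0)
    store.ingest({"device_id": "watch-B", "gps": [51.5, -0.1],
                  "steps": 300, "heart_rate_bpm": 80}, t0 + timedelta(days=35))
    store.ingest({"device_id": "watch-A", "steps": 5000, "heart_rate_bpm": 90},
                 t0 + timedelta(days=40))
    now = t0 + timedelta(days=40)
    purged = store.purge_expired(now)            # the day-0 watch-A record expires
    exported = json.loads(store.export_subject("watch-B"))
    erased = store.erase_subject("watch-A")
    return {
        "purged": purged,
        "exported_fields": sorted(exported[0]["data"]),
        "erased": erased,
        "remaining": len(store.records),
        # No raw device name should appear anywhere in what is stored.
        "raw_id_stored": any("watch" in json.dumps(r) for r in store.records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the keyed hash rather than a plain SHA-256 is that an attacker who obtains the records cannot rebuild the mapping by hashing a list of known serial numbers; the point of minimising before storage rather than after is that the fields the service never needed are never written to disk, so there is nothing to export, retain or erase for them.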
Personal data management: a key issue
Since the entry into force of the GDPR, companies that develop connected objects or use them internally must properly manage the personal data collected, so as to ensure its security, collection and processing in accordance with the principles of the European regulation. Where is this private and sensitive data stored? Who is responsible for it? These questions are not easy to answer, in particular because of the dispersion of data between different platforms or entities.
These questions apply both to the R&D teams in charge of designing connected products and to the various departments that use the IoT internally. It therefore becomes essential to identify exactly the path followed by the personal data processed, but also to examine its hosting and security conditions. Since the GDPR requires the reconciliation of all stored data, including data from the IoT, the company will also gain a unified view of the profiles of its users.
This work is to be carried out by the R&D teams, in collaboration with the DPO (Data Protection Officer), and relies in particular on data management tools and methods that make such an overview possible, such as Master Data Management: a technology for optimising the interaction and synchronisation of the information system’s databases, offering consistent and unique information shared throughout the company.
The most important impact of the GDPR on the IoT is the move from a posteriori control to a state of mind based on the notion of “privacy by design”, carried out through self-regulation by the companies developing connected objects. This self-regulation places corporate responsibility at the heart of the success of the GDPR project, and it is what will allow the world of the IoT to gain the trust of users over the long term.