Internet of Things Privacy: What GDPR Means For IoT Data


New EU data regulations in the form of the General Data Protection Regulation (GDPR) will begin to apply in May 2018 and could drastically influence the Internet of Things and how data is collected and protected on IoT devices. The vast majority of IoT devices make use of an extraordinary amount of data while also being some of the easiest to remotely access or infiltrate due to having multiple attack vectors. In response to the swift evolution in both the way data is collected and then used, the GDPR aims to expand on existing regulations as well as improve data handling practices in order to keep up with this ever-changing landscape. From May 2018, any companies that deal with personal data will need to comply with the GDPR, which means assessing what data they have, where they are storing it, how they are using it, and who has access to it.

IoT devices such as smartphones and IP cameras collect, analyze and store a huge amount of data, so companies that use these technologies will be required to assess their handling and storage of data and implement any necessary changes in order to become compliant with GDPR. Wearable technology for health and fitness, IoT medical devices, even connected cars all have the potential to collect data that makes an individual identifiable and thus, producers of such technologies will need to follow a privacy-by-design framework, one where privacy is taken into account at every stage of the engineering process. The GDPR puts this privacy-focused framework at the forefront and will expect data handlers to adopt new measures to prove their compliance with the new regulations. So, how does the General Data Protection Regulation affect IoT data collection?


How GDPR Affects IoT Data

There are several challenges associated with the expansion of the Internet of Things and data protection, as well as personal privacy and data security. The EU’s GDPR will look to ensure that personal data is protected by obligating data handlers to become compliant with the new regulations; in practice, this also obliges them to secure any devices that handle personal data. This could shape the future of IoT products and the way in which they collect and use data. The following list details some of the main ways in which the GDPR affects IoT data.

Security Breaches

Security breaches are, unfortunately, a common occurrence in today’s world.


In order to comply with the GDPR, organizations handling personal data will need to ensure that they are in a position to identify and deal with security breaches, while also introducing a mandatory notification process in the event of any breach of personal data. It will also become mandatory that data handlers notify their supervisory authority no later than 72 hours after becoming aware of the event, and they may also be required to inform the affected individuals should the situation require such notifications.

Companies that store data for any period of time will also have to adjust or implement storage systems to take into account the privacy-by-design framework. Companies that store data, either in the cloud or on in-house hardware, will need to ensure that they comply with access regulations and data minimization principles, as well as providing adequate cyber security and protection measures such as encrypting data at every possible opportunity. Mapping applications to storage will also ensure that any application can be traced to the physical storage it occupies, with the data it holds identified where it contains personal information.

Children and Consent

The General Data Protection Regulation will also require organizations to acquire and demonstrate a subject’s consent to their data being processed and specifies that consent cannot be presumed through a subject not challenging the use of their data. The new regulations also state that children under the age of 13 cannot give consent on their own behalf for the processing of their personal data, with consent for children between the ages of 13 and 15 being subject to the individual laws of each member state, though the default position will usually be that they are unable to consent.

Subject Rights

One of the most expansive aspects of the GDPR is the new rights it gives subjects with regard to the use, access, and storage of their personal data. The right to data portability gives subjects the right to access and reuse their personal data across multiple online services. The right to erasure gives subjects the express right to be “forgotten”, meaning subjects can request the removal or deletion of personal data where there is no specific reason for its continued processing or storage. Subjects are also given the right to object to automated decision making in scenarios where a potentially damaging decision could be made without human intervention.

IoT Data In The Future

As we can see from the details above, the new GDPR regulations will have a transformative effect on how IoT devices capture and store personal data and, with further regulations regarding robotics, AI, and automation expected, could shape the future of Internet of Things products, devices, and applications. Consent regulations regarding the personal data of children under the age of 13, for example, could force retailers and manufacturers to adapt their products to include parental controls or restricted online services when devices and products are being used by children of 13 and under. It could also change the way in which businesses and organizations gain subjects’ consent, since scenarios such as consent being a condition of sale or service use will not qualify as freely given consent. With large fines for those that do not comply, however, how well IoT developers, retailers, and manufacturers respond to the new regulations remains to be seen.
