Internet of Things (IoT) objects are often equipped with sensors that enable them to collect information from their environment and subsequently channel it through machine to machine transmitters. Whenever personal data is processed, i.e. any information relating to an identified or identifiable natural person, you should be on the lookout for GDPR.
IoT is a broad term that refers to internet-enabled objects which can communicate directly with other internet-enabled objects by using electronic communications networks without human intermediation. IoT objects can include baby monitors, fitness and health wearables, smart medication dispensers, home automation technologies, car systems, and even children's toys.
Consent is necessary for the processing of sensitive data, such as health data. In addition, unless necessary for the performance of a contract with the user, automated decision-making without consent (arguably one of the core features of IoT) is prohibited by the GDPR if it produces “significant effects” on an individual, i.e. if it has the potential to significantly influence the circumstances of the individuals concerned.
The very core of IoT relies on the lack of human intermediation when it comes to M2M communications, rendering consent hard to achieve. Furthermore, IoT devices do not usually feature an interface for the display of the required privacy information and the consent form.
The GDPR gives individuals substantial rights over their personal data, such as the “right to be forgotten”. IoT developers often face obstacles, such as interoperability, when designing IoT devices to build in the ability to comply with these new rights. In addition, as data processing and analytics in the cloud involve a chain of multiple parties, and the relationships between those parties are complicated, data processing agreements should be drafted carefully to ensure assistance in complying with data subject requests. As the Article 29 Working Party notes, communication between IoT devices often takes place without the individual being aware of it, rendering control of the generated flow of data nearly impossible.
Provide granular choice over data capture
Limit data distribution
Enforce local control
Implement adequate security measures
Minimise the collection of data
In short, data protection presents a challenge to IoT developers: ensuring freely given consent and granting data subject rights are just some of the obstacles that developers must face. Implementing consent mechanisms, providing granular choice over data capture, limiting data distribution, enforcing local control and implementing adequate security measures are a good start on your GDPR-compliance journey.