Protecting the “I” in the IoT: GDPR and Future Challenges

The pervasive use of connected devices has improved safety and convenience in all aspects of our lives, and fueled a new wave of innovation by product and service developers. At the same time, we are confronted with a rise in cyber-attacks and data breaches, as well as with new legal provisions to which industry needs to comply. Expanding security around the “identities” in IoT now gains new meaning and a political dimension. The new EU General Data Protection Regulation (GDPR), which goes into effect for all EU member states in May 2018, is a first and important step in creating trust in the Internet of Things. The GDPR is strengthening the rights of individuals whose personal data is being processed, including through

• the need for the individual’s clear consent to the processing of personal data;
• easier access by the subject to his or her personal data;
• the rights to rectification, to erasure and ‘to be forgotten’;
• the right to object, including to the use of personal data for the purposes of ‘profiling’;
• the right to data portability from one service provider to another.

Here some recent examples of privacy breaches: In February 2017, a SmartTV company was convicted for collecting data on 11 Million Smart TVs without user’s consent. In January 2017 camera security flaws were detected from a company failing to protect its IoT devices from widely known and reasonably foreseeable risks of privacy data lost. In December 2016, the Norwegian Consumer Council carried out an investigation about how the talking doll ‘my friend Cayla’ operates and interacts with children. Before, in October 2016, a massive botnet of hacked IoT-devices had been caused a significant Internet outage due to an irresponsible security posture of embedded device manufacturers. Those IoT devices were used for the biggest DDoS ^[1] attack so far.

Hence, in the future it is getting even more important for companies to set up measures to prevent privacy violation. In case of a breach, the GDPR requires administrative fines of up to 4% of global turnover for companies responsible for the incident. Meaning a high financial threat to all data processors in the EU but also to those who are based outside Europe targeting EU consumers.

This creates not only the need to take privacy and data protection into account in the design and set-up of products and services. Furthermore, security-by-design with respect to the storage, transfer, use and processing of data is an essential precondition to protect privacy. Organizations need to take technical and organizational measures which meet trust principles. Thus, the GDPR is obliging companies to integrate security and privacy by design features in their products, for example,

• Secure storage of keys, for example, in tamper resistant HW
• Individual Device Identity
• Secure User Identities respecting user’s privacy settings
• Secure Communication channels

The lack of trust in connected solutions already is a severe market problem. With the growing number of hacked devices and formerly unregulated and non-transparent data usage, consumers are becoming more and more reluctant to invest in smart appliances. Companies being able to prove compliance with GDPR will have the chance to create trust in the IoT and fully exploit respective market opportunities. Making trust a core principle in the development of IoT-products and services will also help companies to become future-proof since further regulatory initiatives are under preparation at EU-level. The development of so-called “baseline requirements” for security and privacy for IoT devices as well as a certified “EU-trust label” are only two examples which are currently discussed intensively among political and industrial stakeholders.

NXP is actively involved in those discussions and will hold an in-depth panel discussion on Trust in the IoT era at Mobile World Congress (MWC) on March 1, 2017 starting at 10:00 AM in CC1 Meeting Room. Key government and industry leaders from NXP, Qualcomm and Deutsche Telekom will discuss privacy and security requirements which will be necessary to not only comply with GDPR but to prepare for further regulation. Panelists include Nikolaos Isaris (Deputy Head of Unit Internet of Things, European Commission) Arthur van der Wees (Managing Director, Arthur’s Legal), Steve Owen (Executive Vice President Global Sales and Marketing, NXP), Dr. Claus Ulmer (Senior Vice President and Global Data Privacy Officer, Deutsche Telekom AG), Estelle Massé (Senior Policy Analyst, ACCESSNOW) as well as Anne-Lise Thieblemont (Senior Director Government Affairs, Qualcomm).

¹ lnkd.in/drrVcF8 and lnkd.in/dDPC_Hu for the same type of attack 7 years ago