Avoid the chaos of GDPR in the realm of IoT


Faced with stricter regulations on data processing under the EU’s GDPR (General Data Protection Regulation) and a growing demand for IoT-functionality within the field of consumer devices, companies now have an important decision to make when it comes to choosing the correct IoT platform.

In this blog post, we’ll boil it down to just one important choice you have to make.

The EU’s GDPR has entailed major changes in the way companies across sectors handle their data. Failing to comply with these regulations can result in a hefty fine of up to 20 million euros or 4 percent of gross annual turnover, whichever sum is higher. Beyond the financial penalty, non-compliance can severely tarnish a company’s reputation and reduce trust among its customer base.

There are still grey areas, and this is particularly true when it comes to IoT. But it is clear that GDPR and other regulatory initiatives have complicated, and will continue to complicate, the collection, storage, analysis and sharing of data related to IoT.

The degree to which GDPR complicates data processing depends on the type of data collected and the way it is processed. GDPR applies to sensitive personal data, but in the field of IoT it is not always clear what this constitutes. In addition, your choice of platform dictates whether you will be affected by GDPR.


Database-driven or P2P IoT: an important decision for any company

When we use the term IoT we are talking about enabling consumers to control electronic devices through an end-user client such as an app on a smartphone or tablet. According to Gartner, the number of connected things will reach 20.4 billion by 2020, with consumer applications as the biggest segment.

The interaction between devices and data is by no means simple. It involves multiple parties and GDPR has implications for the whole chain. With that in mind, let’s look at some options. If your company is considering making your products internet accessible, roughly speaking there are two different types of IoT application platforms to choose from:

  1. Database-driven IoT

  2. P2P-based IoT


There are hybrids as well, but we will focus on the above as these are the dominant choices.


Trouble in the cloud

Database-driven IoT platforms store and process all data in a centralized cloud database that mediates all interaction between the client and the device. This entails a series of challenges.

How do you store the data? What about backups? Access control? All of this adds complexity and poses a significant challenge to ensuring full compliance with GDPR, in terms of both data security and privacy. It also leaves you exposed to leaks and cyber-attacks: because a database-driven platform is centralized, a single leak automatically affects all of the data you have stored.

[Illustration: the data flow of a database-driven IoT connection]

You may be able to carry out big data analysis, but this is by no means relevant for all consumer applications. When you collect and store personal data, you also have to ask the consumer for consent. It is equally important to take on responsibility for the security of the data stored on the server, which is exactly what a database-driven IoT solution requires of you.

Read more about how database-driven IoT works here

This is worth considering if your primary goal is to increase value for your customers by enabling them to control and monitor devices with an IoT application. By not pressuring end users to accept data collection, you are also making life easier for them.


Keep it simple – and secure

The alternative to the cloud is a P2P IoT platform. Here, the client interacts directly with the device and no data is stored in the cloud. This is the solution we provide at Nabto.

[Illustration: the data flow of a P2P IoT connection]

We also use the cloud, but in our P2P technology it simply acts like a telephone switchboard, mediating direct, end-to-end encrypted connections between the client (an app on a smartphone or tablet) and the IoT device. Once this connection is established, the cloud server is out of the loop, and traffic flows only between the client and the IoT device.

Read more about how P2P IoT works here

This means that data from IoT devices such as sensors, cameras and thermostats is stored only on a tiny hard drive installed within the IoT device itself, so no personal data sits in a central database for a malicious party to break into. As a result, a leak will only affect the data stored on the individual device. In short, only the owner of the device and the owner of the data have access to the data. This infrastructure spares companies headaches and resources, since data security issues and requirements are minimized compared to database-driven platforms.

Another upside is minimal latency, since no central service mediates the interaction between the client and the device. Communication latency in many cloud-based IoT products easily exceeds five seconds, which is a long time in this day and age.
