If there’s one thing everyone’s talking about this year, it’s data privacy.
The COVID-19 pandemic and ensuing remote work shift have left workers more vulnerable to privacy breaches than ever before. And this couldn’t be more relevant to the IoT industry, which is fuelled by big data.
In order to regulate data privacy, the EU’s General Data Protection Regulation (GDPR) law was implemented in 2018, and importantly gives individuals and organizations the right to ask for their personal data to be deleted.
While it is difficult for IoT companies to be clear and transparent about the way in which they collect, store, analyze, and share personal data, regulations such as GDPR continue to wrestle with the industry.
If businesses fail to comply with GDPR, they could face fines of up to four percent of their gross annual turnover, or, depending on which sum is higher, the equivalent of millions of Euros.
In short, your IoT smart devices must be GDPR compliant, so we’ve put together a simple guide to show you how this can be done.
1. Avoid The Cloud
If you’re a database-driven IoT company storing data on a centralized cloud, it’s difficult to stay compliant with GDPR throughout the entire chain of interaction between the client and their device.
Cloud computing poses both security and privacy challenges, and if you experience a leak or a cyber-attack, all data on the centralized cloud will be affected. This will make it very difficult to comply fully with GDPR.
However, with peer-to-peer IoT platforms like Nabto, companies can avoid storing data on the cloud by using a decentralized IoT Application Enablement Platform (AEP). How does this side step this issue? When you use a “traditional” AEP solution – such as AWS IoT or Microsoft Azure – data pass through the cloud as you can see below:
This centralized database leaves your data vulnerable (not to mention how much it slows down transfers, leaving the end-users with high latency sluggish User Interfaces). However, with a decentralized AEP solution, data flows directly between the client and the IoT device. As you can see below:
This direct connectivity between the end-user client not only solves the latency issue, it also ensures that your data is stored securely in the IoT device rather than the cloud.
Learn more by reading our blog on Why IoT & the Cloud Aren’t Always a Perfect Match.
2. Reduce The Data You’re Collecting
Still Googling “what does GDPR mean for IoT?” Well, most IoT companies create, collect, organize, and store enormous volumes of data on a daily basis. If this isn’t monitored, it can easily get out of hand and lead to breaches that violate GDPR.
There are several ways to ensure your company simply collects less data from its clients. These include data aggregation, filtering, interpretation, and compression at the sensor or close to the data source.
It may sound simple, but another factor for IoT companies must be aware of is exactly what data they are collecting from clients.
A good way to identify and classify data if your IoT company hasn’t already done so is to carry out an audit. GDPR applies to non-personal data as well as personal information, so bear this in mind.
3. Build Awareness Around Data Protection
As we mentioned above, GDPR applies to the entire data supply chain so it’s a good idea to build awareness around data collection. IoT companies can do this by providing clear information in the form of a policy and making it available to both employees and customers.
Avoid using IoT GDPR industry jargon and make sure your policy is easy to understand.
4. See the Positives in GDPR
While the impact of GDPR on IoT does tend to make the lives of IoT companies fairly complicated, building a trustworthy relationship with clients is a vitally important part of the business world these days.
With cybersecurity skepticism levels at an all-time high, the future of the IoT industry could be compromised if the customer base isn’t on board.
Think of GDPR compliance as adding value to your business, or as an investment that will be worth the financial and time commitment in the long term.
5. Employ a Data Protection Officer
It’s always a good idea to designate someone responsible for GDPR compliance across your organization. Just as data protection officers are a mandatory requirement in some public organizations, their presence is also a good best practice for large IoT businesses to adopt.
According to EU guidelines, this person should have the power to evaluate and implement data protection policies. To make sure this job is in good hands, employ an expert in data protection who knows exactly where your company’s data is, how to protect it, and what to do if a problem arises.
However, when your IoT company chooses to comply with GDPR, one of the most important things to remember is that this is not a one-off task. In fact, far from it. Staying compliant with GDPR and IoT is instead a constant process that requires full-time attention. Without it, non-compliant companies will face the consequences.
Read Our Other Resources
We’ve also published a range of IoT resources for our community, including:
- Improve your device’s safety by reading A Developer’s Guide to IoT Encryption Algorithms
- Buying versus building an IoT platform, which discusses how to choose the best option for you.