The European Union’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is already the most discussed piece of regulation in the IoT industry. It is considered “the most important change in data privacy regulation in 20 years,” and will affect all products and services that collect user data.
The regulation, which will be fully enforceable on May 18, 2018, was widely discussed in the last Mobile World Congress in Barcelona and is a recurring topic in many forums and at board level meetings of the largest US and European corporations.
Pay attention! It's not just Europe
The GDPR requires products to incorporate data protection by design and for companies to disclose any data breach immediately, reporting it to European regulators regardless of the company’s location as long as the data collected is on European citizens or residents. Fines for noncompliance start at € 20 million ($21 million) and can be up to 4% of the global revenue of the company.
Hardware products, especially IoT devices that collect and transmit data, are especially affected by the regulation, as many of them are collecting and sending information in real time. When the GDPR becomes fully enforceable next year, all data containing personally identifying information needs to be anonymized and encrypted by the device. IoT devices also need to be secured against unauthorized access that can compromise information on the network.
While this is a European regulation, it has global impact. “It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not,” according to the European Union website.
Data protection by design & default
This is the title of Article 25 of the regulation. The legislators couldn’t have been more clear: Privacy and security should be implemented in any product or service by design. Companies collecting data on individuals can no longer be reacting to data breaches when they occur, they need to be proactive from the beginning when developing any product.
While service providers such as banks and retailers can use a mix of encryption, private clouds, pseudonymization (a term used 14 times in the regulation), and private key management to ensure the privacy and security of data, hardware vendors need to go further and incorporate security features within their devices. And, as most experts agree “software cannot protect hardware.”
IoT devices are especially affected by the regulation. The data protection authorities will be able to leverage fines against vendors, OEMs, and data controllers who do not incorporate the necessary safeguards in their devices. For example, sending unencrypted personal data by WiFi won’t be accepted.
Obviously incorporating new security mechanisms in new IoT devices will make them more expensive. However, companies need to realize that the potential cost of a data breach, reputation loss, and the subsequent fines by regulators, could be disastrous and even more costly in the long run.
“The vendor just wants to get their new model out there,” said Gareth Noyes of Wind Riverand at last year’s IoT Solutions World Congress in Barcelona, and network security is their last concern. “Device manufacturers tend to be motivated by a business model that is volume driven, and therefore any penny that is shaved off the bill of materials is something those guys avoid paying for [security].”
The GDPR asks for specific data protection best practises, including “application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, […] measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules.”
Data controllers –the ones collecting and storing data– should use all efforts to collect only the amount of data necessary to perform the services their product offers to consumers, and request explicit authorization to collect any additional data (opt-in). Consumers cannot be denied a service or product because they refuse to allow collection of unnecessary data.
No grace period after May 2018
The GDPR was approved by the European Parliament and Council in April 2016. It became effective on May 18, 2016. In fact, the regulation is already mandatory. A two-year post-adoption grace period was agreed, and the GDPR will become fully enforceable throughout the European Union on May 18, 2018.
Industry says good regulation
There has been a significant change on the industry approach about regulation in the past two years. Most industry leaders, when asked two years ago about regulations and standards for IoT, argued in favor of self-regulation to boost development and services. Now they favor regulation to level the playing field.
In a special session about GDPR at the recent Mobile World Congress, NXP Executive Vice President Steve Owen said that until now most companies have only worried about security after something happens, and legislation forces them to implement security in advance. “Most of the [NXP] technology that we have in government or banking space around the world, only moves forward when legislation exist,” he said. “Business takes place because legislation exists. Where it doesn’t, companies tend to act on their own, for their own self-interest, and IoT will fail without regulation. […] IoT will fail if regulation does not create a standard where we all work, and find a business model to work together.”
Let us know what you think of the new regulations in the comments section below.