Data protection and Internet of Things: How will GDPR impact your business?

What is ‘The Internet of Things’ (IoT)?

Loosely speaking, the IoT refers to a whole class of day-to-day objects, such as cars, umbrellas, kettles, light bulbs and health devices, sold with built-in network connectivity. This means that you can pair them directly with the internet, without plugging them into a computer first. It is estimated that there will be 20 billion connected devices by 2020[1], collecting more and more data. This helps businesses stay relevant, understand their customers and try to improve their lives.

General Data Protection Regulation (GDPR)

However, as society becomes increasingly connected, the threats to the privacy of personal data are growing. This hasn’t gone unnoticed by EU regulators, who have invested €192 million in IoT research as part of the Horizon 2020 Programme[2]. This has led to the creation of a privacy overhaul that includes the General Data Protection Regulation (GDPR), which becomes applicable in May 2018.

GDPR is a shake-up of current data protection laws, designed to enhance the rights of individuals and the protection of their personal information in our increasingly digital world. It will force businesses to shed light on the data they store and how they use it, giving consumers unprecedented rights over the personal information held about them. The GDPR will require businesses to report most data security breaches within 72 hours. If they don’t comply, they could face fines of up to €10 million or 2% of annual global turnover, whichever is higher. Other breaches of the GDPR could attract even higher fines of up to €20 million or 4% of annual global turnover, whichever is higher[3].

Did you know?[4]

  • 59% of IoT devices failed to adequately explain to customers how their personal information was collected, used and disclosed
  • 72% failed to explain how customers could delete their information from the device
  • 38% failed to include easily identifiable contact details if customers had privacy concerns.

Preparing your business for GDPR

At first glance, the GDPR can seem a bit daunting. Here are a few tips and things to think about when considering the security of your data[5].

  • Understand your information flows. Look closely at what personal data you have, what use you make of it, where it is being stored and who has access to it, so you can put a plan in place.
  • Review how you protect the personal data you hold and make sure you have policies and procedures in place to detect, report and investigate any data breaches.
  • Assess whether you are required to hire a Data Protection Officer. If so, can you expand the role of a current employee?
  • Educate staff and users on the new law; it is essential for everyone to be on board and in the know.
  • Prepare for the enhanced rights of individuals. Make sure you are able to comply with requests from individuals to delete their personal data and/or to receive a copy of their data electronically and in a commonly used format.
  • Review your agreements with both customers and suppliers to ensure they comply with the new requirements.

GDPR can be confusing. If you are unsure about what your company should be doing to make sure you are ready for May 2018, there is some useful guidance on the Information Commissioner’s Office’s website. You could also seek expert advice from a data protection lawyer.

The information contained in this document is not intended as legal advice, which we are not authorised to provide.

[1] https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf 

[2] https://ec.europa.eu/digital-single-market/en/research-innovation-iot

[3] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN

[4] https://inform.tmforum.org/cybersecurity-privacy/2016/09/60-iot-devices-falling-short-privacy-data-protection/

[5] https://www.clearswift.com/sites/default/files/documents/technical-guides/clearswift_gdpr_faq_v3.pdf