The Internet of Things: Privacy, security and GDPR
Paul Comerford
Principal Technology Policy Adviser
Uses and Misuses of Connected Devices, 4 April 2019
“Upholding information rights in the public interest”
Openness by public bodies:
• FOIA 2000
• EIR 2004
• INSPIRE 2009
• RPSI 2015
Privacy for individuals:
• GDPR/DPA 2018
• PECR 2003
• eIDAS 2016
Security of Digital Service Providers:
• NIS 2018
Before we go any further:
STATUTORY INSTRUMENTS
2003 No. 2426
ELECTRONIC COMMUNICATIONS
The Privacy and Electronic Communications (EC Directive) Regulations 2003
Made 18th September 2003
Laid before Parliament 18th September 2003
Coming into force 11th December 2003
Brussels, 10.1.2017
COM(2017) 10 final
2017/0003 (COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
concerning the respect for private life and the protection of personal data in electronic communications and repealing
Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
GDPR: The Data Protection Principles
1. Personal data must be processed fairly, lawfully and transparently
2. Personal data must be processed for specific, explicit and legitimate purposes
3. Personal data must be adequate, relevant, and limited to what is necessary
4. Personal data must be accurate and, where necessary, kept up to date
5. Personal data must not be kept for longer than is necessary
6. Personal data must be processed securely
Accountability Principle: the data controller shall be able to demonstrate compliance with the above
What is “personal data”?
What is personal data in IoT?
What is not personal data in IoT?
How many data controllers in IoT?
1. Device manufacturers
2. Social platforms
3. Third party app developers
4. Other third parties
5. Data platforms
Key challenges
Transparency Security
GPEN survey (2016)
• Fair processing: 41% / 59%
• Storage: 32% / 68%
• Deletion of data: 28% / 72%
• Contact details: 62% / 38%
When things go wrong
Common issues
General Data Protection Regulation EU 2016/679
What does the GDPR say?
Article 6: Lawfulness of processing
• Consent
• Performance of a contract
• Data controller’s legal obligations
• Data subject’s vital interests
• Tasks carried out in the public interest
• Data controller’s legitimate interests (except PAs)
What does the GDPR say?
Article 7: Consent (also Recital 32)
GDPR consent:
• “A clear affirmative act”
• “Freely given, specific, informed and unambiguous indication of the data subject’s agreement”
• “Silence, pre-ticked boxes or inactivity” do not constitute consent
And:
• Consent must be as easy to withdraw as it is to give
What does the GDPR say?
Article 12: Transparent information
The data controller must provide information:
• Concisely and transparently
• In an intelligible and easily accessible form
• Using clear and plain language
And:
• The controller must also facilitate the exercise of data subject rights
What does the GDPR say?
Data subject rights
• Right of access (Article 15)
• Right of rectification (Article 16)
• Right of erasure (Article 17)
• Right of restriction (Article 18)
• Right of data portability (Article 20)
• Right of objection (Article 21)
• Automated decision making (Article 22)
What does the GDPR say?
Controller and processor
• Data protection by design and by default
• Joint controllers must determine compliance obligations
• If using a processor, the controller must ensure sufficient guarantees
What does the GDPR say?
Security, breach notification and DPIAs
• Article 32
  o Technical and organisational measures
  o Confidentiality, integrity, availability and resilience
  o Process for testing and assessing effectiveness
  o Pseudonymisation and encryption
• Notify the ICO of breaches within 72 hours of “having become aware” of them
What does the GDPR say?
Security, breach notification and DPIAs
• Article 35 – “Data protection impact assessment”
  o Systematic and extensive evaluation
  o Processing on a large scale
  o Systematic monitoring
• Article 36 – prior consultation in “high risk” cases
Why bother?
Enforcement action
Reputational damage
Fines
GDPR
Max fine: 4% of turnover or €20 million, whichever is higher
Guidance
OWASP IoT Top Ten
Make sure that:
• you know what your thing needs to do;
• you know why your thing needs to do this;
• your thing does do what you want it to do;
• your thing does not do what you don’t want it to do; and
• your end users know all of this.
Keep in touch
Paul Comerford
Principal Technology Policy Adviser
[email protected]
Subscribe to our e-newsletter at www.ico.org.uk or find us on:
@iconews