The Internet of Things: Privacy, security and GDPR
Paul Comerford, Principal Technology Policy Adviser
Uses and Misuses of Connected Devices, 4 April 2019
Source: iot.ed.ac.uk/files/2019/05/comerford-opt.pdf


Page 1

The Internet of Things: Privacy, security and GDPR

Paul Comerford
Principal Technology Policy Adviser
Uses and Misuses of Connected Devices, 4 April 2019

Page 2

“Upholding information rights in the public interest”

Openness by public bodies:
• FOIA 2000
• EIR 2004
• INSPIRE 2009
• RPSI 2015

Privacy for individuals:
• GDPR/DPA 2018
• PECR 2003
• eIDAS 2016

Security of Digital Service Providers:
• NIS 2018

Page 3

Before we go any further:

STATUTORY INSTRUMENTS
2003 No. 2426
ELECTRONIC COMMUNICATIONS
The Privacy and Electronic Communications (EC Directive) Regulations 2003
Made 18th September 2003
Laid before Parliament 18th September 2003
Coming into force 11th December 2003

Brussels, 10.1.2017
COM(2017) 10 final
2017/0003 (COD)
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

Page 4

GDPR: The Data Protection Principles

1. Personal data must be processed fairly, lawfully and transparently
2. Personal data must be processed for specific, explicit and legitimate purposes
3. Personal data must be adequate, relevant, and limited to what is necessary
4. Personal data must be accurate and, where necessary, kept up to date
5. Personal data must not be kept for longer than is necessary
6. Personal data must be processed securely

Accountability Principle: The data controller shall be able to demonstrate compliance with the above

Page 5

What is “personal data”?

Page 6

What is personal data in IoT?

Page 7

What is not personal data in IoT?

Page 8

How many data controllers in IoT?

1. Device manufacturers
2. Social platforms
3. Third party app developers
4. Other third parties
5. Data platforms

Page 9

Key challenges

• Transparency
• Security

Page 10

GPEN survey (2016)

[Chart: survey results shown as percentage pairs per category. Fair processing: 41% / 59%. Storage: 32% / 68%. Deletion of data: 28% / 72%. Contact details: 62% / 38%.]

Page 11

When things go wrong

Page 12

Common issues

Page 13

General Data Protection Regulation
EU 2016/679

Page 14

What does the GDPR say?

Article 6: Lawfulness of processing

• Consent

• Performance of a contract

• Data controller’s legal obligations

• Data subject’s vital interests

• Tasks carried out in the public interest

• Data controller’s legitimate interests (except PAs)

Page 15

What does the GDPR say?

Article 7: Consent (also Recital 32)

GDPR consent:

• “A clear affirmative act”
• “Freely given, specific, informed and unambiguous indication of the data subject’s agreement”
• “Silence, pre-ticked boxes or inactivity” do not constitute consent

And:
• Consent must be as easy to withdraw as it is to give

Page 16

What does the GDPR say?

Article 12: Transparent information

The data controller must provide information:

• Concisely and transparently
• In an intelligible and easily accessible form
• Using clear and plain language

And:
• The controller must also facilitate the exercise of data subject rights

Page 17

Page 18

What does the GDPR say?

Data subject rights

• Right of access (Article 15)
• Right of rectification (Article 16)
• Right of erasure (Article 17)
• Right of restriction (Article 18)
• Right of data portability (Article 20)
• Right of objection (Article 21)
• Automated decision making (Article 22)

Page 19

What does the GDPR say?

Controller and processor

• Data protection by design and by default

• Joint controllers must determine compliance obligations

• If using a processor, the controller must ensure sufficient guarantees

Page 20

What does the GDPR say?

Security, breach notification and DPIAs

• Article 32
  o Technical and organisational measures
  o Confidentiality, integrity, availability and resilience
  o Process for testing and assessing effectiveness
  o Pseudonymisation and encryption

• Notify the ICO of breaches within 72 hours of “having become aware” of them

Page 21

What does the GDPR say?

Security, breach notification and DPIAs

• Article 35 - “Data protection impact assessment”
  o Systematic and extensive evaluation
  o Processing on a large scale
  o Systematic monitoring

• Article 36 – prior consultation in “high risk” cases

Page 22

Why bother?

Enforcement action

Reputational damage

Page 23

Fines

GDPR

Max fine: 4% of turnover or €20 million, whichever is higher

Page 24

Page 25

Guidance

Page 26

OWASP IoT Top Ten

Page 27

Make sure that:
• you know what your thing needs to do;
• you know why your thing needs to do this;
• your thing does do what you want it to do;
• your thing does not do what you don’t want it to do; and
• your end users know all of this.

Page 28

Keep in touch

Paul Comerford
Principal Technology Policy Adviser
[email protected]

Subscribe to our e-newsletter at www.ico.org.uk or find us on:

@iconews