As if data privacy rules and regulations weren’t complicated enough already, the European Union has adopted the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. Be forewarned that the fines for violating the GDPR are substantial, and ignorance of the regulation is not a defense. Any company that handles personally identifiable information (PII) from EU individuals—which theoretically includes everyone participating in the Internet of Things (IoT) market—needs to prepare for the GDPR, even if you don’t collect end-user data directly, or you don’t intend to do business in the EU. That’s because the pervasive nature of IoT technology means that personal data can be processed across geopolitical borders without your awareness.

privacy-security-iot.jpeg

We are working to make sure that our Ayla IoT platform complies with the GDPR. But there are also things that Ayla’s customers need to do, separately. While Ayla Networks cannot address all your GDPR compliance issues, nor are we qualified to provide specific advice, we have asked Craig Payne, Security and Privacy Officer at Ayla, to highlight some things you need to know as the 2018 GDPR deadline approaches. This is a two-part blog post.

Question: What is the purpose of the GDPR?

Craig Payne: The intent of the GDPR is to reinforce the privacy rights of EU-based individuals amidst today’s vast technology changes, including the IoT, and to simplify administration of those data protections. The GDPR replaces the EU’s Data Protection Directive from 1995—which provided only guidelines as opposed to enforceable regulations, and which was implemented differently by various EU member countries. 

The GDPR focuses on the following:

  • Reinforcing individual rights and providing individuals with more control over their personal data
  • Strengthening privacy and security legislation within the EU
  • Ensuring that entities transmitting PII to third parties provide “adequate protection” of the PII, at least as strong as if that data had remained in the EU

Q: What companies are subject to the new EU data privacy regulations?

Payne: Any organization that gathers, transmits, retains, or otherwise processes any information relating to an EU-based individual—which could include a name, email address, computer IP address, photo, social media posts, medical information, or financial information—must comply with the GDPR. The geographic location of the organization doesn’t matter, nor does it matter if the PII relates to an individual’s private, professional, or public life.

The GDPR covers both any “controller” and any “processor” of the data. Ayla is a data processor, while Ayla customers—the ones that own the data generated by their IoT products and their end users—are considered data controllers.

Q: What happens to businesses that do not comply with the GDPR?

Payne: Strict sanctions, in the form of big fines, will be the result of failure to comply with the new data privacy regulations. The GDPR includes two tiers of fines:

  • Up to €20 million or 4% of annual worldwide revenues, whichever is larger
  • Up to €10 million or 2% of annual worldwide revenues, whichever is larger

The severity of the sanctions is based on:

  • The nature, gravity, and duration of the non-compliance
  • The intentional or negligent character of the infringement
  • The degree of responsibility or control over the PII
  • Whether the infraction was a single or repeat occurrence
  • The categories of personal data affected
  • The level of damage suffered by the individuals
  • The action taken to mitigate the damages
  • The financial benefits intended or gained from the infringement

Regardless of how you slice and dice the details, the main message is that you do NOT want to test the flexibility of the GDPR sanctions, considering that the smaller maximum fine fine of €10 million could put many companies out of business.

Beyond the fines, there’s also the issue of brand reputation to consider. Building customer trust is paramount for success in a market such as the IoT. Manufacturers can inspire confidence among their customers by being as transparent as possible about their implementation of industry best practices and conforming to data privacy rules. On the flip side, sanctions for non-compliance with the GDPR could destroy that trust..

 To be continued in Part 2...

 For more information:

White Paper: Mitigating Security Risk in the IoT