This is Part Two of our conversation on EU data privacy regulations with Craig Payne, Security and Privacy Officer at Ayla, highlighting some things you need to know as the 2018 GDPR deadline approaches.
In Part One, Payne explained what the General Data Protection Regulation (GDPR) is, who is subject to it, what the fines are for violating it and when it goes into effect (May 25, 2018). Ayla is working to make sure that the Ayla IoT platform complies with the GDPR. But there are also things that Ayla’s customers need to do, separately. While Ayla Networks cannot address all your GDPR compliance issues, nor are we qualified to provide specific advice, we want to highlight some things you need to know as the 2018 GDPR deadline approaches.
Question: What is Ayla doing to achieve GDPR compliance—and to help its customers comply?
Craig Payne: As a data processor under the GDPR, Ayla is responsible for implementing appropriate technical and organizational measures to protect the PII of our customers’ end users while the data is being handled by the Ayla IoT platform. The Ayla IoT cloud operating in the EU already conforms to EU data privacy regulations.
While Ayla has no control over what data our customers collect, we can work with our manufacturer customers to help with GDPR compliance. For one thing, we ask that our customers use the Ayla EU IoT cloud for all their EU-based end users. That way, if PII from those EU individuals leaves EU soil, the data has what qualifies as “adequate protection” under the GDPR. In addition, the Ayla IoT platform maintains compliance with ISO 27001, SOC 2, and other pertinent industry standards.
Using the Ayla EU IoT cloud also means that PII will be encrypted in transit and at rest, which is another GDPR requirement, and that manufacturers’ end-user data activity in the cloud will be covered by Ayla’s data processing agreement describing what Ayla does with the cloud-based PII.
Q: What’s left for Ayla’s customers to do for themselves?
Payne: The GDPR requires that the data controller—the company owning the PII, which in our case means Ayla’s customers—be responsible for data protection and security. For instance, Ayla suggests that its customers start now to:
- Meet what’s known as “reasonable expectations” of data privacy. In practice, this means that your data is authenticated, tokenized, encrypted, and/or pseudo-anonymized before it is handed off to Ayla or a cloud service provider.
- Find out what’s necessary to achieve “adequate protection” of the PII you handle in conjunction with any EU-based individuals. Research what it will take to make the export of EU data to countries outside the EU legal. Remember that viewing PII of an EU-based person from a computer in the United States counts as an “export” of that data, making it subject to the GDPR.
- If possible, move your data to the EU, or at least start using the Ayla IoT cloud in Europe.
- Remember to consider what changes will be necessary for the mobile or web apps that you use with your IoT-connected products. Mobile app changes for GDPR compliance cannot be accomplished through the Ayla IoT platform.
- Consider implementing role-based access control (RBAC) as a way to help manage how your company handles PII from your IoT products. For example, let’s say you have a failed over-the-air (OTA) firmware update, and your system generates an email to alert the affected customers. You can use RBAC to limit who at your company can extract that email information. Another example of RBAC use might be during installation or service calls to a residence, enabling the installer or technician to write but not read information about the homeowners.
- Designate, or possibly hire, a dedicated data protection officer. At the very least, make sure there is one person at your company whose job involves expertise in the details of GDPR compliance.
- Become familiar with the GDPR and all the details that its compliance entails.
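One way to express the two RBAC rules described above (installers write homeowner fields but cannot read them back; only a designated role can extract the contact emails behind a failed OTA update), as an added example that is not Ayla's code. Role names, field names, the `PolicyViolation` exception and the sample fleet records are assumptions made for this illustration.

```python
class PolicyViolation(PermissionError):
    """Raised when a role attempts an action its policy does not grant."""

# Role -> set of (action, field) grants. Role and field names are assumptions
# for this illustration. Note that "write" deliberately does not imply "read".
POLICY = {
    "installer":    {("write", "homeowner.address"), ("write", "homeowner.email")},
    "support":      {("read", "device.ota_status")},
    "ota_notifier": {("read", "device.ota_status"), ("export", "homeowner.email")},
}

def check(role, action, field_name, audit):
    """Allow or deny one access, appending the decision to the audit trail."""
    allowed = (action, field_name) in POLICY.get(role, set())
    audit.append((role, action, field_name, "allow" if allowed else "deny"))
    if not allowed:
        raise PolicyViolation(f"{role} may not {action} {field_name}")

def installer_update(record, updates, audit):
    """Installer writes homeowner fields during a service call; reading them
    back would go through check() with action "read" and be denied."""
    for field_name, value in updates.items():
        check("installer", "write", field_name, audit)
        record[field_name] = value
    return record

def affected_emails(role, devices, audit):
    """Extract contact emails for devices whose OTA update failed.
    Only a role granted "export" on homeowner.email receives the list."""
    check(role, "read", "device.ota_status", audit)
    check(role, "export", "homeowner.email", audit)
    return [d["homeowner.email"] for d in devices if d["device.ota_status"] == "failed"]

# Constructed sample fleet records (not real data).
DEVICES = [
    {"device.ota_status": "failed", "homeowner.email": "h1@example.invalid"},
    {"device.ota_status": "ok",     "homeowner.email": "h2@example.invalid"},
    {"device.ota_status": "failed", "homeowner.email": "h3@example.invalid"},
]
```

Every decision, including denials, lands in the audit list so the access trail itself can be reviewed when demonstrating accountability for PII handling.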
The May 25, 2018, date for GDPR compliance will arrive sooner than you think. For more information on finding competent legal representatives who are experienced in data privacy issues, visit the International Association of Privacy Professionals (IAPP) website. Find out more about the end-to-end security and data privacy capabilities of the Ayla IoT platform by downloading The Security of Things: Mitigating Risk in IoT white paper.