The Internet of Things (IoT) is growing at a rapid pace and we are seeing its reach becoming increasingly diverse, crossing multiple functions and sectors. Be it for personal wellness, smart energy, smart cities or smart mobility, IoT applications continue to emerge and change the way we live and interact with our surroundings. A natural consequence of this is an increase in the amount of data being collected. Personal, location and health data are all used to personalise a customer’s experience and, in some cases, to ensure that IoT devices function correctly.
The IoT, in a nutshell, is an ecosystem of connected devices which collects data about an end user and makes it available to a service provider. To enable this exchange of data, the end user needs to be identified and linked whilst interacting with various interfaces and devices. The IoT potentially increases the threat surface of a network and can therefore pose serious risks to an individual’s privacy. If the data is exposed over the course of these exchanges, it can allow unauthorised parties to create a profile of one or more individuals, which can be used for marketing or criminal activities. Steps are being taken to ensure there are best practices in place to tighten security, and the EU’s Data Protection Regulation (GDPR), a much-welcomed piece of legislation, is likely to help govern the risks around the IoT.
Smart meters provide a great case study to highlight some of these potential risks. By 2020 they are to be installed in the homes of energy consumers nationwide and their key feature is that they provide data via remote communications. Unlike the days of ‘Dumb Meters’, where readings were carried out by a physical inspection of the meter, ideally on a quarterly basis, readings can now be carried out remotely, in near real time. Whilst this makes the domestic energy market more user-friendly and reduces the reliance on estimated billing, the regular transmission of user data can reveal very sensitive information about people’s habits and usage.
The risks created by this infrastructure go way beyond criminals simply obtaining usage data to see whether families are at home or away. Information regarding usage can determine when people are asleep, when they’re awake, whether they watch TV, how often they do their laundry and even whether anyone suffers from insomnia or whether people sleep in the same room, when the data is connected with that of other devices. There is more – analysis of our patterns of usage can be very useful for other purposes such as marketing and advertising. For example, usage information could be used to understand when, and how, we are using products, allowing for more targeted marketing campaigns.
It is clear that legislation is needed and the GDPR is very welcome. In brief, the GDPR creates principles around data processing (Articles 5 and 24) and sets out new data protection standards which will be very relevant to the IoT. These include data protection impact assessments, algorithmic transparency, automated decision-making, privacy by design and by default, informed consent, notification duties, and profiling. Whilst exact details are still to be decided, it will help to govern risks and create a privacy framework around the use of IoT (including smart meters).
If we refer back to the idea of smart meters, the principles mentioned above would mean strengthening the privacy requirements around the smart metering network. One of the larger benefits, however, is that the GDPR, being rights-based, will equip users with the necessary tools to manage their data and put them in control.
On request, users will have clear information about the sharing of their data. Users would also be able to exercise their rights of access, rectification and erasure. These rights foster the implementation of the GDPR’s guiding principle of transparency. Smart meter providers will have to adopt a user-centric access approach, and the GDPR requirement of privacy by design will make sure that this approach is embedded at the outset and is no longer an afterthought.
Ultimately, processing data in a way that complies with a data subject’s rights and expectations will enhance user trust, and the GDPR is a welcome piece of legislation which will enhance data subject rights. Companies, including those in the energy sector, that adapt to the new requirements and implement the right solutions will ultimately edge out their competitors and build stronger and longer-lasting relationships with their customer base.
Ivana Bartoletti, Principal Privacy and Data Protection Consultant at Gemserv