Guest Blog: “I keep six honest serving men…”

Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.

Imagine the GDPR in the context of the poem by Rudyard Kipling: “I keep six honest serving men (they taught me all I knew); their names are What and Why and When and How and Where and Who.”

It defines the What (the privacy rights of an individual), Why (to ensure those rights are enforced), When (we all know when), Where (anywhere in the EU) and Who (any business, inside or outside the EU, that offers goods or services to individuals in the EU). Security provides the “How”.

Now imagine an IoT device that collects personal information, let’s say location data. GDPR tells us that we are obligated to protect that data from the point of collection until its deletion.

So how do we protect the location data collected? First, we ensure that no one other than those authorised can read it, so we encrypt the data. To encrypt data we need a secret (a key), and that secret must also be known to the data receiver so they can decrypt it. We now have the data encrypted, and no one without the secret can read it. Job done!

Except that we now have another piece of data to protect: the secret. If someone gains access to the secret, they can read our data. So we store the secret in a safe. Job done? Not quite. The secret in the safe is not the only copy; there is a copy held on the device. So now we need to think about how we ensure that the copy of the secret held on the IoT device is secure, and, come to think of it, how we securely get the copy of the secret from the safe into the device in the first place.

This is an example of the mindset that needs to be in place when considering IoT security, and the emergence of the GDPR will aid the transition to this mindset. There is no privacy without security.
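To make the key-handling problem above concrete, here is an added example (not code from the original post) of one standard way to shrink it: the backend keeps a single root secret in its “safe” and derives a distinct key for each device with HKDF, so the device is only ever provisioned with its own key, never the root. Location samples are sealed with AES-256-GCM, with the device identity bound in as associated data. The root key, device IDs and JSON sample are constructed values for the walkthrough; how the derived key is injected into the device (for example at manufacture) is assumed to happen over a trusted channel and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hkdfSHA256 implements HKDF (RFC 5869) extract-then-expand with HMAC-SHA256
// using only the standard library, so the example runs without extra modules.
func hkdfSHA256(secret, salt, info []byte, length int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size) // RFC 5869: empty salt = HashLen zeros
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	prk := ext.Sum(nil)

	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{counter})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// deriveDeviceKey turns the single root secret (the "safe") into a key that is
// unique to one device. Only this derived key goes onto the device; the root
// never leaves the backend, and one stolen device key exposes one device's data.
func deriveDeviceKey(root []byte, deviceID string) []byte {
	return hkdfSHA256(root, nil, []byte("location-data-key:"+deviceID), 32)
}

// encryptLocation is the device side: seal a sample with AES-256-GCM. The device
// ID is bound as associated data, so a blob replayed under another identity fails.
func encryptLocation(key []byte, deviceID string, sample []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Wire format: nonce || ciphertext || tag
	return aead.Seal(nonce, nonce, sample, []byte(deviceID)), nil
}

// decryptLocation is the backend side: open the blob with the re-derived key.
// Any change to the ciphertext, tag or device ID makes Open return an error.
func decryptLocation(key []byte, deviceID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(deviceID))
}

func main() {
	// Constructed values: the backend's root key and one device's location sample.
	root := []byte("0123456789abcdef0123456789abcdef")
	const devA, devB = "tracker-0001", "tracker-0002"
	sample := []byte(`{"lat":51.5072,"lon":-0.1276,"ts":1527595200}`)

	blob, err := encryptLocation(deriveDeviceKey(root, devA), devA, sample)
	if err != nil {
		panic(err)
	}
	plain, err := decryptLocation(deriveDeviceKey(root, devA), devA, blob)
	fmt.Printf("backend decrypt: %s (err=%v)\n", plain, err)

	_, err = decryptLocation(deriveDeviceKey(root, devB), devB, blob)
	fmt.Println("another device's key:", err)
}
```

The point of the derivation step is that “the copy of the secret held on the device” is no longer the same secret as the one in the safe: a device can be torn down and its key extracted without the attacker learning anything about other devices or about the root. The remaining problem the text raises, getting that key onto the device securely in the first place, is a provisioning-process question that this code does not solve.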

Fortunately, there are a number of standard processes, policies and technologies readily available to address the challenges considered above. The GDPR requires that businesses adopt a risk-based approach to assessing their organisation and put in place appropriate technical and organisational measures (Article 32, security of processing) to safeguard the confidentiality and integrity of the data.

As the GDPR comes into effect it is important that IoT businesses address their security challenges to effectively enable privacy.

This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Design announcement here

For more information on techUK's work on securing the IoT please contact:
