Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.
Imagine the GDPR in the context of the poem by Rudyard Kipling, “I keep six honest serving men (they taught me all I knew); Theirs names are What and Why and When and How and Where and Who.”
It defines the What (the rights to privacy of an individual), Why (to ensure the right to privacy is enforced), When (we all know when), Where (anywhere in the EU) and Who (all businesses, both in and outside the EU, offering services to EU citizens). Security provides the “How”
Now imagine an IoT device that collects personal information, let’s say location data. GDPR tells us that we are obligated to protect that data from the point of collection until its deletion.
So how do we protect the location data collected? First, we ensure that no one (other than those authorised) can read it, so we encrypt the data. To encrypt data, we need a secret (or key) and that secret must be known to the data receiver, so they can decrypt the data. We now have the data encrypted, no one without the secret can read it. Job Done! Except for the fact we now have another piece of data, the secret. If someone gains access to the secret, they can read our data. So, we store the secret in a safe. Job Done? Not quite. The secret in the safe is not the only copy, there is a copy held on the device, so now we need to think about how we ensure the copy of the secret, held on the IoT device is secure; and come to think of it, how do we securely get the copy of the secret from the safe to store it in the device in the first place? This is an example of the mindset that needs to be place when considering IoT security, and the emergence of the GDPR will aid the transition to this mindset. There is no privacy without security.
Fortunately, there are a number of standard processes, policy’s and technologies readily available to address the challenges considered above. The GDPR requires that businesses adopt a risk-based approach to assess their organisation and establish business and technical measures to safeguard the integrity and confidentiality of the data.
As the GDPR comes into effect it is important that IoT businesses address their security challenges to effectively enable privacy.
This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Design announcement here.
For more information on techUK's work on securing the IoT please contact: