Guest Blog: “I keep six honest serving men…”

Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.

Imagine the GDPR in the context of the poem by Rudyard Kipling, “I keep six honest serving men (they taught me all I knew); Theirs names are What and Why and When and How and Where and Who.”

It defines the What (the rights to privacy of an individual), Why (to ensure the right to privacy is enforced), When (we all know when), Where (anywhere in the EU) and Who (all businesses, both in and outside the EU, offering services to EU citizens). Security provides the “How”

Now imagine an IoT device that collects personal information, let’s say location data. GDPR tells us that we are obligated to protect that data from the point of collection until its deletion.

So how do we protect the location data collected? First, we ensure that no one (other than those authorised) can read it, so we encrypt the data. To encrypt data, we need a secret (or key) and that secret must be known to the data receiver, so they can decrypt the data. We now have the data encrypted, no one without the secret can read it. Job Done! Except for the fact we now have another piece of data, the secret. If someone gains access to the secret, they can read our data. So, we store the secret in a safe. Job Done? Not quite. The secret in the safe is not the only copy, there is a copy held on the device, so now we need to think about how we ensure the copy of the secret, held on the IoT device is secure; and come to think of it, how do we securely get the copy of the secret from the safe to store it in the device in the first place? This is an example of the mindset that needs to be place when considering IoT security, and the emergence of the GDPR will aid the transition to this mindset. There is no privacy without security.

Fortunately, there are a number of standard processes, policy’s and technologies readily available to address the challenges considered above. The GDPR requires that businesses adopt a risk-based approach to assess their organisation and establish business and technical measures to safeguard the integrity and confidentiality of the data.

As the GDPR comes into effect it is important that IoT businesses address their security challenges to effectively enable privacy.

This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Design announcement here

For more information on techUK's work on securing the IoT please contact:

FROM SOCIAL MEDIA

Two weeks left to apply for the Mayor’s first ever #LDNcivicchallenge! Get involved to share your innovative ideas… https://t.co/AbNSPPW6kg
We held a great workshop this week w/ @foreignoffice looking at how tech & digital can combat illegal wildlife traf… https://t.co/qXDqWkngtC
We are looking forward to hearinh from @nicolag71, President of @SOCITM at our #techUKSmarterState conference. Last… https://t.co/Y7MVlGpzRY
Seen the Future of Mobility Challenge at the @SMMT yet? If you’ve got solutions to key mobility challenges, then do… https://t.co/aJ3W5ttky4
The @IoCoding will enable companies to build workforces fit for the future, by offering high quality learning, buil… https://t.co/hsXZUD0eS5
Catch up on this week's digital and tech policy news with a new Policy Pulse, hot off the presses! https://t.co/Y37B0i9hel
Another congratulations to our Data Centre lead on the win! There will be more to come, we are sure! https://t.co/JZLPxtuc1d