Guest Blog: “I keep six honest serving men…”

Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.

Imagine the GDPR in the context of the poem by Rudyard Kipling, “I keep six honest serving men (they taught me all I knew); Their names are What and Why and When and How and Where and Who.”

It defines the What (the rights to privacy of an individual), the Why (to ensure that right to privacy is enforced), the When (we all know when), the Where (anywhere in the EU) and the Who (all businesses, both in and outside the EU, offering services to EU citizens). Security provides the “How”.

Now imagine an IoT device that collects personal information, let’s say location data. GDPR tells us that we are obligated to protect that data from the point of collection until its deletion.

So how do we protect the location data collected? First, we ensure that no one (other than those authorised) can read it, so we encrypt the data. To encrypt data we need a secret (a key), and that secret must also be known to the data receiver so they can decrypt it. The data is now encrypted and no one without the secret can read it. Job done! Except that we now have another piece of data to protect: the secret. If someone gains access to the secret, they can read our data. So we store the secret in a safe. Job done? Not quite. The copy in the safe is not the only copy; there is another held on the device. So now we need to think about how we keep the copy of the secret held on the IoT device secure and, come to think of it, how we securely get the copy of the secret from the safe into the device in the first place. This is an example of the mindset that needs to be in place when considering IoT security, and the emergence of the GDPR will aid the transition to this mindset. There is no privacy without security.
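The chain of reasoning above (encrypt the data, then realise the key is itself data that must be protected, then ask how the device gets its copy) is usually answered with a key hierarchy: each record is encrypted under a fresh data key, and the data key is itself encrypted ("wrapped") under a long-lived key-encryption key (KEK) that was provisioned into the device and is also held by the receiver. Only the wrapped copy of the data key ever leaves the device, and the KEK is the single secret that has to live in the "safe". The following Go program is an added example written for this blog, not code from the author or from Gemserv or techUK; the names `Envelope`, `EncryptLocation` and `DecryptLocation` are this example's own, the location record and device identifier are constructed sample values, and the KEK is generated at random here where a real device would receive it during provisioning.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what leaves the device: the encrypted location sample plus the
// data key that encrypted it, itself encrypted under the device's KEK.
// (Type and field names are this example's own.)
type Envelope struct {
	DeviceID   string
	WrappedKey []byte // AES-GCM: nonce || ciphertext+tag of the 32-byte data key
	Ciphertext []byte // AES-GCM: nonce || ciphertext+tag of the location record
}

// sealGCM encrypts plaintext with AES-256-GCM under key and binds aad to the
// result, so the output cannot be re-attached to a different context.
// A fresh random nonce is prefixed to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad makes
// it return an error instead of corrupted plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptLocation is the device side. kek is the per-device key-encryption
// key provisioned into the device (ideally inside a secure element). A fresh
// data key is generated per record, wrapped under the KEK and then wiped.
func EncryptLocation(kek []byte, deviceID string, location []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	defer func() { // the plaintext data key must not outlive this call
		for i := range dataKey {
			dataKey[i] = 0
		}
	}()
	ct, err := sealGCM(dataKey, location, []byte(deviceID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dataKey, []byte("wrap:"+deviceID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{DeviceID: deviceID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptLocation is the receiver side: only a holder of the same KEK can
// unwrap the data key, and the envelope must carry the device ID it was
// bound to, so a record cannot be re-attributed to another device.
func DecryptLocation(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := openGCM(kek, env.WrappedKey, []byte("wrap:"+env.DeviceID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, env.Ciphertext, []byte(env.DeviceID))
}

func main() {
	kek := make([]byte, 32) // constructed: a real KEK arrives via provisioning
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	sample := []byte(`{"lat":51.5007,"lon":-0.1246}`) // constructed location record
	env, err := EncryptLocation(kek, "sensor-0042", sample)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptLocation(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // simulate corruption in transit
	_, err = DecryptLocation(kek, env)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The point the example makes is the one the paragraph makes: the wrapped data key stored next to the ciphertext is safe to keep anywhere, because it is only readable to whoever holds the KEK, and that reduces "protect every copy of every secret" to "protect the KEK and the provisioning step that puts it on the device".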

Fortunately, there are a number of standard processes, policies and technologies readily available to address the challenges considered above. The GDPR requires that businesses adopt a risk-based approach to assess their organisation and establish business and technical measures to safeguard the integrity and confidentiality of the data.

As the GDPR comes into effect it is important that IoT businesses address their security challenges to effectively enable privacy.

This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Design announcement here
