IoT and the GDPR – How to stay compliant

Adindu Nwichi
Data Protection Consultant
23rd June 2022

Businesses that incorporate the Internet of Things (IoT) into their daily operations have rarely, if ever, had access to so many resources to help them improve their customer reach, collect more personal data and reduce their internal operational expenses through IoT automation. IoT devices are ubiquitous, and as technology advances, so does the invention and use of connected devices in workplaces and in our homes.

Alongside the excitement of making our daily lives smarter and more efficient and improving business processes, IoT also poses challenges to your business in relation to data protection and security breaches. In this blog, we define the Internet of Things, discuss the pros and cons of IoT for businesses, and explain why GDPR matters when we talk about IoT.


What is the Internet of Things (IoT)?

The Internet of Things is a term that describes a network of devices that are connected to the internet and transmit data in real time, with the aim of obtaining information, analysing it, and taking action through automation. IoT devices include CCTV cameras, smart devices such as watches, thermostats and security alarms, and doorbells, to name a few.

Many years ago, IoT was seen as something for the future, but not anymore. Of the 29 billion devices predicted to be connected to the internet in 2022, telecommunications company Ericsson estimates that 18 billion will be web-enabled IoT devices used to process data.

Industries, including healthcare, have already embraced connected devices and are using them to enhance the products and services they offer to customers. For example, IoT devices are giving medical professionals closer control over their patients' treatment through monitoring devices that record an individual's vital signs, such as heart rate, blood pressure, pulse, and respiratory rate.


Advantages and disadvantages of IoT

The importance of IoT cannot be overstated. Companies that have adopted IoT technologies are able to reduce overheads, save time, and improve both employee productivity and the customer experience. Additional advantages of IoT include:

  • The ability to access information from any device, anytime, anywhere
  • Automating tasks, which helps to improve efficiency and reduces the need for human involvement, allowing valuable resources to be allocated elsewhere
  • Giving businesses access to information in real time, which can vastly improve how they monitor their inventory and the performance of their IoT devices against business objectives

During the COVID-19 pandemic, IoT made it possible for many businesses to continue to trade even when staff were working remotely. However, IoT technology, just like any other, has its drawbacks. Given the high number of devices that have to communicate with one another for its potential to be realised, vulnerabilities are inevitably introduced, making it possible for a malicious actor to gain unauthorised access to the system.

Through one compromised device, it is possible for every device on a network to be compromised in one fell swoop. That is why there is an ever-increasing number of security and privacy incidents occurring due to vulnerabilities found in IoT devices, such as:

  • Insecure networks, such as free public wi-fi, make it easy for cybercriminals to access sensitive data and user credentials via man-in-the-middle (MITM) attacks
  • Weak passwords that are short and easy to guess are one of the most common attack vectors cybercriminals use to compromise IoT devices
  • Outdated components and legacy systems are likely to contain software vulnerabilities; if they are not updated, or can no longer be patched, they present cybercriminals with weaknesses to exploit and launch cyber attacks

Case study – The fish tank hack

Even the most unlikely of IoT devices are susceptible to a data breach, including a fish tank. In 2017, hackers managed to gain access to a casino's network and database via a thermostat in one of their internet-connected fish tanks. The smart thermostat consisted of sensors that helped to regulate the tank's water temperature, cleanliness and food supply. By hacking into the fish tank, the cybercriminals were able to steal 10GB of data that was transferred to a device in Finland.

One of the most ingenious methods of gaining access to personal information is also an example of how vulnerable IoT devices can be, especially if they are not adequately protected. This incident highlights how important it is for businesses to understand IoT devices and how they can give hackers an opportunity to infiltrate networks and gain unauthorised access to data. It also shows why GDPR matters for IoT: compliance demonstrates that a business can be entrusted with customer data, no matter what devices or applications are deployed across the organisation.


Why GDPR matters for IoT

Data protection legislation states that personal data should be processed in a manner that ensures appropriate security. Therefore, it is the responsibility of businesses to ensure that any IoT technologies are protected by security controls, and that they are GDPR compliant if they collect personal data.

GDPR applies to the entire data supply chain, including IoT devices. So, it is wise to raise awareness of data collection among employees, customers and partners, detailing what data is being collected, how, and why. Customers should also be made aware of how their data will be protected from a data breach. To remain GDPR compliant, any organisation that incorporates IoT should be aware of the following:

  • Understand the data:
    Ensure you understand the data being collected and processed and whether the information is personal data. Businesses should be aware of where the data is held, how it is protected, and what to do if there is a breach or security incident.
  • Understand consent:
    Understand the basis of consent under GDPR and the rights data subjects have to withdraw consent and have their data permanently removed.
  • Keep a record of data processing:
    Businesses are required to keep a record of data processing activities. This ensures that, if they are investigated, businesses can produce a record of the actions taken to remediate an issue with IoT.
  • Maintain basic security hygiene:
    IoT devices can be particularly vulnerable to cyber attacks; for example, out-of-the-box smart devices often ship with default passwords. Changing these credentials and updating the device's firmware is crucial to protecting the device and reducing the chance of a cyber attack or data breach.

Given that the Internet of Things has enabled organisations to collect more personal data than ever before, the potential for misuse of that data has grown. Consequently, besides the need for appropriate technical security measures to protect personal data from hackers, organisational measures such as policies and regular security awareness training are also required. Additionally, if your business uses third-party processors to carry out tasks that involve the use of personal data, those third parties are legally required, under Article 28 of the GDPR, to guarantee that adequate security controls are in place to protect the personal data and the rights of the data subjects.


In summary

The Internet of Things is prevalent across many industries and organisations, and with IoT devices providing businesses with another method of capturing personal data, it is important for companies to understand how to maintain GDPR compliance. Alongside the many benefits IoT devices provide businesses, let's not disregard the pitfalls that can be exploited by cybercriminals to gain access to personal data. Businesses need to ensure they understand the risks IoT poses to customer data, and what can be done to remediate any vulnerabilities that may exist in IoT devices so that personal data is secured against a breach.


Meet the author

Adindu Nwichi Data Protection Consultant

As an experienced DPO and Data Protection Consultant, Adindu has a wealth of insight into helping businesses overcome their compliance challenges through expert advice and guidance.
