GDPR and IoT: The Implications and Considerations


GDPR and IoT


The GDPR applies to both personal data and personal sensitive data, and it is therefore crucial that those involved in the Internet of Things (IoT) field be aware of the implications that the new data regulations will have upon IoT devices, systems and applications. We take a look at this in this article.




What is GDPR?

The General Data Protection Regulation (GDPR) was brought in by the European Union (EU) on 24 May 2016 and will come in to effect from 25 May 2018, applying to all EU member states. It is worth noting that the UK’s decision to leave the EU will not affect the commencement of GDPR in the country. The UK will still be an EU member state when GDPR is first introduced and the regulation will also be written into domestic UK law via the Data Protection Bill (published September 2017) – making it easier for the UK to secure a transitional arrangement for data flows between it and the rest of the EU after Brexit takes place.

The GDPR will introduce tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU, giving businesses a simpler and clearer legal environment in which to operate. The EU estimates that this will save businesses a collective €2.3 billion a year (IT Pro).

The implementation of GDPR will allow people to have more control over how their personal data is used. Currently companies like Facebook and Google swap access to people’s data for use of their services, for example, and as a result the EU wants to give people more control over how this data is being used. The current Data Protection Act was put in place before technologies such as the Cloud and Internet of Things were created and the EU hopes that by implementing GDPR, it will seek to address data exploitation issues and improve trust in the emerging digital economy.

GDPR will apply to “controllers” and “processors” of data. The data controller states how and why the personal data is being processed, whilst the processor is the party actually processing the data. It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. A breach or data misuse under GDPR could result in a significant fine of up to €20Million or 4% of annual global turnover. For the full General Data Protection Regulation, click here.


GDPR and IoT: What it means.

The GDPR applies to both personal data and personal sensitive data, and it is therefore crucial that those involved in the Internet of Things (IoT) field be aware of the implications that the new data regulations will have upon IoT devices, systems and applications. It is worth noting of course that personal data doesn’t touch all IoT applications, particularly in regards to the IIoT (Industrial Internet of Things), and so GDPR is not a concern for all.

The main aspects of the GDPR that will have a substantial effect on the IoT are security breaches and consent:


Security Breaches

IoT devices and systems which hold personal data could include a consumer device, such as a smart watch, or an organisation application, such as connected medical equipment. Any security breach of such must be reported straight away. A security breach is classed as such when the breach is likely to result in a risk to the rights and freedoms of individuals, for example the data has been accessed by an unauthorised source. Security breaches must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, or the organisation could face GDPR fines.



According to the GDPR text, “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”. Tighter restrictions will be held over data subject consent and data controllers must demonstrate that consent has been given to process his or her personal data. If the data subject has had no choice but to give data, data controllers cannot presume that this data can be used. Any Personal Data can only be used for the purposes for which it was collected.

Consent will be critical to many IoT applications as it is the collation, processing and decision-making capabilities of such that often derives the value case for that application. Without the user’s consent to do so, the benefits of most IoT applications will become redundant.


Processing Personal Data Relating to Children

The GDPR will also implement stricter laws regarding the processing of personal data relating to children. It will be impossible for children under the age of 13 to consent on their own behalf to the processing of their personal data in relation to online services and consent may need to be obtained from a parent or guardian. Online services that are directly targeted to children must have a privacy notice that is in a context that is clear for children to understand.

The GDPR emphasises that protection is particularly significant where a child’s personal information is used for the purposes of marketing and creating online profiles. Parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child. For IoT manufacturers therefore, GDPR poses several challenges relating to smart IoT devices that have the potential to be used by a child. They need to consider that a parental consent mechanism will need to be implemented in some devices, whilst being aware that guardians will not always be there to monitor their child’s use of smart devices and to give proper consent.


Other key areas to consider of the GDPR are privacy by design, privacy by default and enhanced data subject rights.

Privacy by design and privacy by default will impose obligations on data controllers to adopt significant new technical and organisational measures to demonstrate their compliance with the requirements of GDPR. It will also mean that organisations that use IoT systems may have to conduct data protection impact assessments in certain circumstances. Enhanced data subject rights will mean that the data subject will have more power over how their personal data is used. It also means they can express the right for it to be forgotten, as well as the right to object to automated decision making.

IoT device, application and systems developers will have to take these additional factors into consideration as well, and demonstrate that their applications are compliant with the GDPR.


What is the ePrivacy Regulation?

It is also worth noting another EU regulation that is set to come into place around the same time as GDPR, the ePrivacy Regulation, which will replace the ePrivacy Directive that was formed in 2009. This new regulation is no longer just about the use of web cookies however, and is instead concerned with all electronic communication channels, including newer ones such as messaging apps (Snapchat Messenger, Facebook Messenger, and so on). The ePrivacy Regulation proposal states “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”, and therefore, like GDPR, it will also shape how IoT developers implement and run their applications.


How 4G LTE, IoT and hybrid networking solutions can help.

While networking solutions cannot help organisations to comply with all elements of the GDPR, our enhanced network security features can help to protect against data breaches and limit risk of GDPR fines in this area as a result.

For example, the software-defined perimeter provided by Cradlepoint’s NetCloud Perimeter enables things to be securely connected across any public or private cloud within minutes. Creating a virtual network overlay which can easily expand and contract to reach wherever the network does, it ensures that all data transacted across the network is kept completely secure. Available as a client to run on PCs, servers and mobile devices, and as a gateway version to run on Cradlepoint routers and gateways, it can be used to secure data transactions for all of the network’s applications – including the Internet of Things.


Speak to your account manager today to find out more about the advanced security capabilities of our Internet of Things networking solutions: or +44 (0) 1291 437 567.