ArticlePDF Available

Internet of things data protection and privacy in the era of the General Data Protection Regulation

Authors:

Abstract and Figures

The emerging internet of things (IoT) technology has immense potential for unprecedented business offerings in various domains. To provide reliable IoT products and services that comply with regulatory demands, businesses must meet users’ data protection and privacy needs. With the General Data Protection Regulation (GPDR) coming into force from 24th May, 2016 and applicable from 25th May, 2018, IoT businesses must strategise privacy alignment for their products or services by incorporating in their design the privacy and data protection capabilities necessary for regulatory compliance and gaining user trust. This paper discusses the associated data protection and user privacy concerns, making reference to such IoT service offerings as smart retail, the smart home, smart wearables, smart health devices, smart television and smart toys. The three steps to privacy alignment strategy discussed in this paper comprise the privacy inquisition (PI) analysis model, the IoT privacy impact assessment (iPIA) and the privacy state transition process through which IoT businesses pass on their path to attaining ‘perfect alignment’ with respect to the GDPR data protection requirements and user privacy needs. Privacy inquisition, iPIA and privacy state transition should be performed on a periodic basis, preferably under the guidance of a privacy governance board with supervisory authority and representation from the organisation’s board of directors, the controller and the data protection officer. Available at: http://www.ingentaconnect.com/content/hsp/jdpp/2016/00000001/00000001/art00009
Content may be subject to copyright.
11
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Internet of things data protection
and privacy in the era of the
General Data Protection
Regulation
Received: 8th May, 2016
Abhik Chaudhuri
is Chevening Fellow and Domain Consultant in Cyber Security, Privacy and Policy at Tata Consultancy
Services. Abhik has more than 14 years of IT consulting experience and holds an MBA from the Indian
Institute of Management at Kozhikode. Abhik provides thought leadership in developing global cyber
security and privacy standards at ISO/IEC JTC1/SC27. He is a Corporate Member of Cloud Security
Alliance’s International Standardization Council, and an IEEE member of the IoT Community and Experts
in Technology and Policy Forum.
Tata Consultancy Services
E-mail: abhik.chaudhuri@gmail.com
Abstract The emerging internet of things (IoT) technology has immense potential for
unprecedented business offerings in various domains. To provide reliable IoT products
and services that comply with regulatory demands, businesses must meet users’ data
protection and privacy needs. With the General Data Protection Regulation (GPDR) coming
into force from 25th May, 2016 and applicable from 25th May, 2018, IoT businesses must
strategise privacy alignment for their products or services by incorporating in their design
the privacy and data protection capabilities necessary for regulatory compliance and
gaining user trust. This paper discusses the associated data protection and user privacy
concerns, making reference to such IoT service offerings as smart retail, the smart home,
smart wearables, smart health devices, smart television and smart toys. The three steps
to privacy alignment strategy discussed in this paper comprise the privacy inquisition (PI)
analysis model, the IoT privacy impact assessment (iPIA) and the privacy state transition
process through which IoT businesses pass on their path to attaining ‘perfect alignment’
with respect to the GDPR data protection requirements and user privacy needs. Privacy
inquisition, iPIA and privacy state transition should be performed on a periodic basis,
preferably under the guidance of a privacy governance board with supervisory authority
and representation from the organisation’s board of directors, the controller and the data
protection offi cer.
KEYWORDS: GDPR, internet of things, IoT privacy, data protection, privacy inquisition
analysis, privacy transition state, privacy alignment strategy
INTRODUCTION
As internet of things (IoT) technology is
becoming increasingly powerful with the
integration of advanced data sensing, network
communication, information technology (IT)
infrastructure capabilities and analytics-based
inferences of user data, the technology is
demonstrating the potential to provide
fascinating insights into various facets of
societal living and businesses. Although
JDPP0009_Chaudhuri_1_1.indd 1 27/10/16 12:23 pm
2Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
IoT is in the early stages of adoption in
various applications across the globe, we
are also seeing increased concerns among
stakeholders, specifically users and regulatory
bodies, about the security and privacy of
data collected, stored and processed for
such service offerings. While the research
and engineering communities are working
with businesses to address the data security
and privacy concerns, regulatory bodies
are also working to come up with relevant
regulations. The General Data Protection
Regulation (GDPR) is a significant effort
in this direction to protect user data and
privacy in the EU region.
This paper concentrates on data protection
and user privacy concerns with reference to
specific potential IoT service offerings like smart
retail, the smart home, smart wearables,
smart health devices, smart television
and smart toys. It discusses the relevance of
specific articles of the GDPR on IoT services
in the EU region. A strategy is also proposed
for the alignment of user privacy and data
protection needs with IoT business needs
for regulatory compliance and end-user
satisfaction.
This paper proposes a privacy inquisition
(PI) analysis model for aligning user privacy
needs with IoT business needs. A three-stage
transition process for privacy alignment is
also explained for regulatory compliant and
trustworthy IoT service offerings.
IOT DATA PROTECTION AND PRIVACY
CONCERNS
As shown in Figure 1, an IoT business
application can be enabled with various
infrastructure and functional components,1
such as the sensors that capture contextual
data based on predefined parameters, gateway
devices that gather the data from a bunch of
sensors, a centralised data storage that can
be at the edge or hosted in the cloud where
the gateways devices flush the gathered
data intermittently, analytical processing
functions, application programming
interface (API) based business functions,
command and control function for the
actuators in sensors, and wired or wireless
network communications connecting
these components. From a data protection
and privacy perspective, each of these
Figure 1: Infrastructure and functional components for the internet of things
JDPP0009_Chaudhuri_1_1.indd 2 27/10/16 12:23 pm
3
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Chaudhuri
components represents a potential breach
point2 if adequate security and privacy
measures are not embedded in the end-
to-end architecture of the IoT product
or service.
IoT data privacy can be broadly classified
into the following six categories:
Identity privacy: IoT devices are ultimately
owned by individuals and organisations.
Hence, the identity of the owners can be
tracked down from the device ownership
information. To preserve the identity privacy3
of the IoT device owners, the metadata
concerning device ownership should be
masked or locked down for authorised
access only.
Location privacy: Data about the location
of IoT devices can be used to infer the
location of the user. Such data may be
leveraged for unscrupulous activities and
hence should be considered private
and not to be used without the user’s
consent.
Search query privacy: By tracking the IP
address of a search query from a search
engine and analytically processing the
search queries from a specific user through
combinatorial means, inferences can be
derived regarding various personal traits
of the person who initiated the search
queries. For example, a smart refrigerator
that makes online queries for food items
liked by its owner can reveal specific
information regarding the person’s
fondness for specific food items. Such data
can then be used for targeted advertising
without the individual’s consent.
Digital footprint privacy: As IoT devices are
almost always online, they can leave a trail
of data on the internet. Such data can be
accumulated to create a digital footprint of
the devices and the device owners. Cookie
invasion of IoT devices can also cause
operational privacy breaches.
Personal behaviour privacy: Sensor-enabled
IoT applications can gather data regarding
personal behaviour based on various
parameters, mostly without user consent,
to derive business benefits like targeted
marketing.
Personal health data privacy: Smart fitness
tracking devices can gather data about the
user’s health parameters without consent
and such data can be sent to health
insurers. Based on continuous gathering
of health data and analytics, the health
insurance company can infer information
about the various health disorders that the
person might face in future and change
health premiums accordingly.
IoT technology is showing immense
potential across various business domains,
including smart retail, smart homes, smart
wearables, smart healthcare and smart toys,
to name a few. Smart retail4 is seeing new
business applications like contactless point-of-sale,
smart shelves tracking consumer response
and behaviour toward specific items on
display, smart dressing rooms and beacon-based
marketing initiatives. However, these IoT
enabled offerings are also raising privacy and
security concerns. For example, shelf-based
sensors can track user gestures and behaviour
patterns, and the data they gather can be
stored and analysed further for marketing
purpose. If such user-specific sensor data
are stored in the cloud, then concerns can
be raised regarding the sharing of such data
with other retailers and third parties without
user consent. At a time when major retailers
are experiencing security and privacy
breaches, with consumer and cardholder data
being stolen from their databases,5 consumers
can raise questions regarding the capability
of smart retail opportunities to safeguard
their privacy where the attack surface is far
greater due to the multidimensional
data-gathering by sensors.
For smart home solutions, IoT sensors on
home appliances can be connected directly
to the internet or through a gateway or
central hub to monitor and regulate various
functions like smart energy management,
room ambience control, security and access
JDPP0009_Chaudhuri_1_1.indd 3 27/10/16 12:23 pm
4Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
control, healthcare, assisted living and other
potential offerings.6 Smart appliances can
also be connected over the internet or Wi-Fi
to talk to each other. However, continuous
data-gathering by the interlinked sensors
and activity logs in smart homes can provide
inferences on the behaviour and activities of
the inhabitants which can result in privacy
breach.7 Users may be unaware about the
embedded features in smart home systems
and how these operate by default or what
personal data are captured.
According to European Union Agency for
Network and Information Security (ENISA):
‘Privacy issues in smart homes are not
limited to confidentiality and access
control. Smart home sensors in particular
will generate a large amount of highly
personal data about activities within
the home. The multiple streams of data
combined together in a smart home
system create the possibility of deeper
contextual background and reveal patterns
of behaviour of the inhabitants. The
visibility of the smart home occupant
is increased by the large network of
third parties who may be involved in
providing smart home functionality.
Smart home functions may have serious
impacts upon privacy of the person,
privacy of behaviour and action, privacy
of communication, privacy of data and
image, privacy of location, and privacy
of association … Smart home systems
may include embedded features that are
opaque to the user, and do not inform the
user about the status of their operation.’8
The Center for Information Technology
Policy at Princeton University has found
that popular IoT devices being used today
leak sensitive user information when sent
unencrypted to the cloud.9 The researchers
have also observed that when two IoT enabled
devices talk to each other, the cloud is used
as the intermediary. This also enhances the
chance of data breach in motion.
Wrist-mounted IoT devices10,11 like
smart watches, head-mounted devices
and other smart wearable devices have
gained popularity in recent times, with
functionalities beyond timekeeping. Some
of these perform as health tools to track and
display vital data about a person’s fitness
based on various health parameters that are
monitored on a continuous basis. Most of
these devices can be paired with smartphone
apps to operate in sync. However, some
smart watches have been found to send
outbound communications to unmapped
and unknown IP addresses.12 Security
vulnerabilities in smart watches and pairing
apps can be used to siphon personal data,
including physiological data, to undisclosed
or unintended recipients, resulting in severe
privacy breach.
IoT enabled smart health devices are
also available in the market for gathering user
health data. These devices include glucose
monitors that gather blood glucose data,
thermometers, respiratory meters, heart
monitors and smart plasters, and many more
devices with new healthcare functionalities
are in the offing. While the data gathered
by these devices can help in analysing
trends for the early detection of anomalies
and intervention through continuous
monitoring, there are concerns regarding the
misuse of personal health data without user
consent.13
Today, there are smart toys that are
Wi-Fi enabled and capable of conversing
with the children or adults that own
them. The human–toy conversations can
be transmitted wirelessly to the cloud for
storage and analytical processing.14 Such
smart toys can capture private conversations
and transmit to third-party vendors and
service providers without user cognisance
and consent. Similarly, voice-activated
smart home appliances and smart televisions
have been reported to record conversations
of users to the cloud without users’
consent.15
The privacy concerns from the above IoT
application scenarios have been mapped to
the six IoT privacy types in Table 1.
JDPP0009_Chaudhuri_1_1.indd 4 27/10/16 12:23 pm
5
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Chaudhuri
GDPR AND I
O
T DATA PROTECTION
The GDPR16 came into force on 25th May,
2016 and will be applicable from 25th May,
2018 following a two-year implementation
period. IoT businesses will also come under
the purview of the GDPR. This paper will
discuss those Articles and recitals within the
GDPR that are relevant for IoT data protection
Table 2: GDPR Articles relevant to IoT data protection
Article no. Context
7 Conditions for consent
13 Information to be provided where personal data are collected from the data subject
15 Right of access by the data subject
17 Right to erasure (‘right to be forgotten’)
18 Right to restriction of processing
21 Right to object
22 Automated individual decision-making, including profi ling
25 Data protection by design and by default
28 Processor
30 Records of processing activities
32 Security of processing
33 Notifi cation of a personal data breach to the supervisory authority
34 Communication of a personal data breach to the data subject
35 Data protection impact assessment
37 Designation of the data protection offi cer
40 Codes of conduct
42 Certifi cation
45 Transfers on the basis of an adequacy decision
46 Transfers subject to appropriate safeguards
Table 1: Smart applications mapped to IoT privacy types
Privacy type
Smart application
home appliances Watches Television Retail Health devices Toys
Identity X X X X X
Location X X X X
Search query X X X
Digital footprint X X
Personal behaviour X X X
Personal health data X X
and privacy. For quick reference, these specific
Articles and recitals are listed in Tables 2 and 3.
As per Article 7 of the GDPR, the
processing of user data should be based on
consent from the data subject, which the
controller must be able to demonstrate on
request. For an IoT service offering, the
IoT service provider must ensure that the
JDPP0009_Chaudhuri_1_1.indd 5 27/10/16 12:23 pm
6Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
Table 3: GDPR recitals relevant to IoT data protection
Recital no. Context
28 Application of pseudonymisation to personal data
35 Personal data concerning health
39 Processing of personal data
49 Availability, authenticity, integrity and confi dentiality of stored or transmitted personal data
60 Principles of fair and transparent processing
65 Right to have personal data rectifi ed and ‘right to be forgotten’
70 Personal data processed for the purposes of direct marketing
71 Automated processing of personal data evaluating personal aspects
78 Appropriate technical and organisational measures
79 Clear allocation of responsibilities
83 Ensuring appropriate level of security, including confi dentiality
85 Notifying personal data breach to supervisory authority without undue delay
86 Communication of personal data breach from controller to data subject
90 Data protection impact assessment
101 Personal data transfer from EU to third countries or international organisations
user (data subject) has consented to the
processing of his or her personal data for
obtaining the service output.
Moreover, Article 7 also stresses that
while assessing whether the data subject
has given the consent freely, there should
be appropriate reason if the service is
provisioned on the condition of processing
personal data that are not necessary for
the performance of the contract. For
compliance, the IoT service provider
must ensure that the IoT devices gather
only as much metadata as is necessary as to
provide the IoT offering, even if the end
user has consented to share personal data.
For example, the metadata obtained by a
smart thermostat device should be relevant
only for the processing necessary for the
end result, such as controlling the room
temperature and ambience parameters.
Were the thermostat to gather user-specific
data not relevant to the thermostat’s
functionality, this will constitute a regulatory
non-compliance if said data can be the basis
for inferring user preferences and behaviour
for direct marketing or other purposes not
mentioned in the service contract of the
IoT device.
To comply with Article 13(1c) and
Article 13(1f ), IoT service providers
must ensure that the business intent of
processing the metadata gathered by the
IoT devices has been conveyed clearly by
the controller to the user and the same
is followed in principle. IoT services
might store personal data in the cloud
across geographical boundaries for service
availability and data redundancy. In such
situations, the user should be informed
about the appropriateness or suitability of
the safeguards established in the process
for his or her personal data and there must
be provision to obtain a copy of said data
on request.
Article 15 emphasises the right of access
to the personal data of the data subject. As
per the Article, the data subject shall have
the right to access to any of his or her
personal data that are being processed for
the IoT service and can request information
regarding the purpose of processing,
categorisation of those data, the recipients to
JDPP0009_Chaudhuri_1_1.indd 6 27/10/16 12:23 pm
7
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Chaudhuri
whom his or her personal data have been or
will be disclosed and the envisaged storage
period.
The data subject using a IoT device
or smart service shall have the right of
erasure (Article 17(1b), recital 65) of his/
her personal data following their withdrawal
of consent on which the data processing
is based or if the personal data have been
unlawfully processed by the IoT service
provider (Article 17(1d)). If the processing is
unlawful then the data subject can exercise
his/her right to restriction of processing as
per Article 18(1b). In a smart retail outlet,
the implications of this Article can be
objection from customers about collection
and processing of their personal data
collected by sensors from smart shelves,
smart dressing rooms and other locations
within the outlet. Such incidents of
non-compliance can affect the IoT enabled
business financially.
The data subject can exercise the right to
object to the processing of his/her personal
data and profiling (recital 71) for direct
marketing or other purposes (Article 21,
recital 70) and automated decision-making
without explicit consent that significantly
affects him/her (Article 22). This has
implications for proximity marketing
businesses using beacons if customers raise
objections to them processing their personal
data without consent for automated decision
making based on their likes and purchasing
behaviour.
Article 25(1) and recital 78 mention the
implementation of appropriate technical
and organisational measures for data
protection by designing measures like
‘pseudonymisation’ for data minimisation.
Article 25(2) requires ensuring by default
that only as much personal data as are
necessary for the purpose of processing
are actually processed. This regulatory
obligation applies to ‘the amount of
personal data collected, the extent of their
processing, the period of their storage and
their accessibility’. Article 42 refers to an
approved certification mechanism that can
be used to demonstrate compliance with
Article 25(1 and 2). Article 28 mentions
that the controllers can use processors
who provide sufficient guarantees to
implement appropriate technical and
organisational measures to meet the
regulatory requirements and to ensure the
data protection rights of the data subject.
The processor may adhere to an approved
code of conduct for data protection
(Article 40, recital 60) or an approved
certification mechanism (Article 42)
for compliance, with clear allocation of
responsibilities (recital 79). All records of
data processing, including the purpose,
should be available with the controller
(Article 30). For IoT enabled smart services,
these requirements will ensure that
personal data that are non-relevant for
the IoT functionality will not be collected,
processed, stored or be made accessible to
other individuals or businesses.
Article 32, recital 49 and recital 83
emphasise the security of data processing
based on the relevant risks that can impact
the confidentiality, integrity, availability
and resilience of processing systems and
services. Data processing should be done
with approved authority from the controller
or the processor. In an IoT data processing
scenario, complying with this regulatory
requirement requires a risk assessment to
understand the robustness of data security
in the existing IoT functional processes,
devices and infrastructure components and
addressing the vulnerabilities by designing,
testing and implementing adequate control
measures. This will help to prevent
accidental or unlawful data loss, alteration
of data, destruction of data, incidents of
unauthorised disclosure or access to personal
data in transmission or storage. Effective
encryption of IoT data from the sensors
to the gateways devices, from gateways
to centralised storage and for control data
flowing back to the sensors is a prime
necessity for ensuring confidentiality.
JDPP0009_Chaudhuri_1_1.indd 7 27/10/16 12:23 pm
8Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
‘Pseudonymisation’ of personal data
captured by IoT devices and smart services
will increase personal data protection from
inference and user profiling. Steps should
also be taken to implement restoration
and data-recovery mechanisms to provide
on-demand access to personal data to
data subjects during physical or technical
incidents of system failure.
For any incident of personal data breach,
the IoT data processor must convey the
same to the controller without any delay
along with the mitigation measures taken
or proposed. The controller must notify
the supervisory authority within 72 hours
of becoming aware of the data breach
(Article 33, recitals 85, 86). For critical
IoT services like smart healthcare, this
Article, in conjunction with recital 35,
acquires greater significance to reduce
the adverse effects of sensitive health data
exploitation. The controller must inform
the data subject about the personal data
breach from the IoT infrastructure or
application components if any adverse
effect on the data subject is anticipated
(Article 34).
As a precautionary measure, the data
controller can carry out a data protection
impact assessment on the operational flow
of data for the smart service, in compliance
with Article 35 and recital 90. The IoT
service provider can have a designated data
protection officer (Article 37), who can
be consulted by the controller regarding
the data protection impact assessment and
relevant safeguards.
For storage and redundancy of IoT
data in the cloud across geographical
boundaries, care should be taken so that
any transfer of personal data (Article 44,
recital 101) collected from IoT devices
and smart services for processing to third
countries or international organisations,
including onward transfers, comply with
the adequacy decision as per Article 45
and has appropriate safeguards compliant
with Article 46.
THE I
O
T PRIVACY ALIGNMENT
STRATEGY
With the IoT still being an emerging
technology, there are multiple product
vendors and service providers in various
domains offering new functionalities with
early-to-market strategies aiming for
first-mover advantage. As discussed previously,
user privacy is a key challenge for these
IoT offerings.
IoT businesses must pay attention to
user privacy concerns if they are to gain
user confidence for their smart offerings.
With the advent of the GDPR, regulatory
compliance of user privacy needs for IoT
services and products is also becoming
mandatory. A stakeholder approach to
IoT data protection and privacy is the
need of the hour.17
Aligning the IoT service or product design
with users’ privacy needs is necessary to
provide a trustworthy IoT offering. IoT
service providers and product vendors
must strategise means to incorporate
privacy-enhancing capabilities in their
service or product design as default
functionality. An IoT privacy alignment
strategy, as described here and depicted
in Figure 2, can be utilised to address
the data protection needs and privacy
concerns of IoT offerings from the
perspectives of the user and regulator.
Figure 2: The three steps of internet of things privacy
alignment strategy
JDPP0009_Chaudhuri_1_1.indd 8 27/10/16 12:23 pm
9
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Chaudhuri
The strategic three steps to IoT privacy
alignment are:
1. perform privacy inquisition (PI) analysis;
2. conduct IoT privacy impact assessment
(iPIA); and
3. privacy state transition toward perfect
alignment.
The privacy inquisition (PI) analysis model
is the first step for aligning user privacy
needs with IoT business needs. The six
queries in the PI model (Figure 3) are the
basic privacy concerns of users regarding
Personally identifiable information (PII)
collected for the IoT functionality; specific
details of PII collected; if the user’s consent
has been obtained before PII collection;
storage and safety of gathered PII; details of
recipients with whom the PII is shared; and
capabilities established to return or erase PII
based on user request. IoT service providers
and product vendors must provide satisfactory
answer to these queries in order to gain
customer confidence for their offering.
If, for any of the queries in the PI analysis
model, the IoT service or product does
not align with the user privacy need, then
the next step is to conduct an IoT privacy
impact assessment (iPIA) to understand the
causes for non-alignment and the inherent
privacy risks. A well-planned iPIA will help
to understand the business impact in terms
of associated costs of IoT service or product
redesign, financial impact for regulatory
non-compliance, damage to reputation and
trustworthiness.
The path to perfect IoT privacy
alignment for businesses can be considered
as a three-stage process, as shown in Figure 4,
starting from ‘zero alignment’ (Scenario 1)
to ‘perfect alignment’ (Scenario 3), with
an intermediary state of ‘partial alignment’
(Scenario 2). In the ‘zero alignment’ state,
the IoT business needs of the organisation
are not aligned to user privacy needs and
regulatory compliance needs. A state of
‘partial alignment’ is attained when the IoT
business needs have incorporated some user
privacy needs and the business complies
Figure 3: The privacy inquisition model for aligning user privacy needs with internet of things business needs
JDPP0009_Chaudhuri_1_1.indd 9 27/10/16 12:23 pm
10 Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
with some regulatory requirements.
‘Perfect alignment’ is achieved when the
IoT business needs have incorporated all
regulatory compliance requirements and user
privacy needs.
For example, an IoT business can be
in a state of ‘zero alignment’ if it has not
considered user privacy needs and regulatory
needs in the service or product design
phase. For such a business, the first step
will be a privacy capability assessment based
on the PI analysis model to determine the
privacy gaps based on user needs. Next, a
regulatory compliance audit with reference
to the relevant clauses in GDPR must be
conducted to identify the privacy gaps. A
consolidated list of gaps identified from
user needs and regulatory requirements
will be the basis for conducting the iPIA
to identify the privacy risks. Evaluation
of target solution and implementation
by incorporation in the IoT service or
product design is then required to reduce
or eliminate these risks. In this process, the
IoT business organisation moves from ‘zero
alignment’ to ‘partial alignment’ and finally
to a state of ‘perfect alignment’.
Privacy inquisition, iPIA and privacy
state transition should be performed on a
periodic basis, preferably under the guidance
of a privacy governance board having
supervisory authority and representation
Figure 4: The transitions to perfect privacy alignment
JDPP0009_Chaudhuri_1_1.indd 10 27/10/16 12:23 pm
11
© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Chaudhuri
from the organisation’s board of directors,
the controller and the DPO. The privacy
governance board should continuously
evaluate the effectiveness of data protection
and privacy policies; direct the IoT business
in taking appropriate steps toward regulatory
compliance; and monitor the alignment of
IoT business needs with user privacy needs.
To address data breach incidents, a proper
privacy incident management plan should be
established to ensure concerned stakeholders
are notified without delay and steps should
be taken to provide adequate level of data
protection. Any cross-border transfer of
user data for IoT business need should have
appropriate user consent with an adequate
level of protection, as suggested in GDPR.
CONCLUSION
Today’s digital society does not like to
live in a black box.18 While emerging
technologies like the IoT are providing
immense opportunities for smart living and
western society is gradually shifting to a
sensor-dominated and data-driven world,
data subjects are also raising concerns
regarding privacy and the protection of their
valuable data. The GDPR has now brought
in regulatory focus on data protection and
privacy measures. In the current scenario,
IoT businesses must align with regulatory
requirements and user privacy needs to
prevent financial loss and to gain customer
confidence in their offerings. The privacy
alignment strategy discussed in this paper
will provide IoT businesses with the
necessary guidance to comply with GDPR
and to provide trustworthy smart services.
References
1. Cloud Security Alliance (2015) ‘Security guidance for
early adopters of the internet of things’, available at:
https://downloads.cloudsecurityalliance.org/
whitepapers/Security_Guidance_for_Early_
Adopters_of_the_Internet_of_Things.pdf (accessed
8th May, 2016).
2. Giannoni-Crystal, F. and Haynes Stuart, A. (2016)
‘The internet-of-things (IoT) (or internet of
everything) — privacy and data protection issues
in the EU and the US’, available at: http://apps.
americanbar.org/webupload/commupload/
ST230002/sitesofinterest_files/INFORMATION_
LAW_ JOURNAL-volume7_issue2.pdf (accessed
8th May, 2016).
3. Chaudhuri, A. (2015) ‘Address security and privacy
concerns to fully tap into IoT’s potential’, available at:
http://www.tcs.com/SiteCollectionDocuments/
White%20Papers/Address-Security-Privacy-
Concerns-Fully-Tap-IoT-Potential-1015-1.pdf
(accessed 4th May, 2016).
4. Courtin, G. (2015) ‘Five ways retailers can start using
IoT today’, ZDNet, available at: http://www.zdnet.
com/article/five-ways-retailers-iot-today/ (accessed
4th May, 2016).
5. CBC (2016) ‘56 million cards likely hit by Home
Depot hack’, available at: http://www.cbc.ca/news/
business/home-depot-admits-56-million-cards-hit-
by-security-breach-1.2770827 (accessed 4th May,
2016).
6. Brodsky, I. (2016) ‘The race to create smart homes
is on’, Computer World, available at: http://www.
computerworld.com/article/3062002/home-tech/
the-race-to-create-smart-homes-is-on.html (accessed
4th May, 2016).
7. Sullivan, B. (2016) ‘Data breaches give rise to
“privacy conscious” smart home hubs’, Techweek
Europe, available at: http://www.techweekeurope.
co.uk/e-regulation/data-breaches-privacy-conscious-
smart-home-hub-190295 (accessed 4th May, 2016).
8. Bar nard-Wills, D., Marinos, L. and Portesi, S.
(2014) ‘Threat landscape and good practice guide
for smart home and converged media’, available at:
https://www.enisa.europa.eu/publications/
threat-landscape-for-smart-home-and-media-
convergence/at_download/fullReport (accessed
4th May, 2016).
9. Davis, J.S. (2016) ‘Nest, other IoT devices, sent user
info in the clear’, SC Magazine, available at: http://
www.scmagazine.com/nest-other-iot-devices-sent-
user-info-in-the-clear/article/466616/ (accessed 4th
May, 2016).
10. Motti, V.G. and Caine, K. (2015) ‘Users’ privacy concerns
about wearables: impact of form factor, sensors and
type of data collected’, available at: http://fc15.ifca.
ai/preproceedings/wearable/paper_2.pdf (accessed
8th May, 2016).
11. Thierer, A. D. (2015) ‘The internet of things and
wearable technology: addressing privacy and security
concerns without derailing innovation’, available at:
http://dx.doi.org/10.2139/ssrn.2494382 (accessed
8th May, 2016).
12. The Register (2016) ‘$17 smartwatch sends something to
random Chinese IP address’, The Register, available
at: http://www.theregister.co.uk/2016/03/02/
chinese_backdoor_found_in_ebays_popular_cheap_
smart_watch/ (accessed 4th May, 2016).
13. Lexology (2016) ‘Privacy commissioner targets IoT
health devices in sweep’, available at: http://www.
lexology.com/library/detail.aspx?g=eec63029-2ea2-
4ad2-aa16-b2af935edbbd (accessed 4th May, 2016).
JDPP0009_Chaudhuri_1_1.indd 11 27/10/16 12:23 pm
12 Journal of Data Protection & Privacy Vol. 1, 1 000–000 © Henry Stewart Publications 2398-1679 (2016)
Internet of things data protection and privacy in the era of the GDPR
14. Lexology (2016) ‘These toys have eyes (and ears too):
VTech security breach raises “internet of things”
privacy fears’, available at: http://www.lexology.com/
library/detail.aspx?g=e9fc4a57-4bbb-43d7-a414-
24c72b383ac4 (accessed 4th May, 2016).
15. Malinga, S. (2016) ‘Smart home appliances come
with security risks’, IT Web, available at: http://
www.itweb.co.za/index.php?option=com_
content&view=article&id=152108 (accessed
8th May, 2016).
16. ‘Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27th April, 2016
on the protection of natural persons with regard
to the processing of personal data and on the free
movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation)’,
Official Journal of the European Union (2016), available at:
http://eur-lex.europa.eu/legal-content/EN/TXT/
PDF/?uri=CELEX:32016R0679&qid=
1462359521758&from=EN (accessed
8th May, 2016).
17. Levitt, T. (2015) ‘IoT governance, privacy and
security issues’, available at: http://www.internet-of-
things-research.eu/pdf/IERC_Position_Paper_IoT_
Governance_Privacy_Security_Final.pdf (accessed
8th May, 2016).
18. Pasquale, F. (2015) ‘The Black Box Society’, Harvard
University Press. Cambridge, Massachusetts.
JDPP0009_Chaudhuri_1_1.indd 12 27/10/16 12:23 pm
...  Personal Health Data Privacy: Mitigating potential misuse of sensitive health data by health insurers [4]. ...
...  Data Portability: Enables receiving personal data in machine-readable format.  Data Breach Notification: Swiftly notifies authorities and individuals about breaches [4]. ...
Article
Full-text available
In Industry 4.0, data is enormously exchanged through wireless devices. Ensuring data privacy and protection is vital. The proposed review paper explores how AI techniques can safeguard sensitive information and ensure compliance. It explores fundamental technologies such as cyber-physical systems and the complex application of AI in analytics and predictive maintenance. The issues with data security are then emphasized and privacy concerns resulting from human-machine interaction are shown. Regulatory frameworks that direct enterprises are touted as essential defenses, coupled with AI-powered solutions and privacy-preserving tactics. Examples from everyday life highlight the constant battle for equilibrium. The review continues with a look ahead to future developments in interdisciplinary research and ethical issues that will influence Industry 4.0's responsible growth. In essence, this paper synthesizes a nuanced understanding of the sophisticated challenges surrounding privacy and data protection within Industry 4.0, underscoring the pivotal role of AI as a custodian of sensitive information and offering an indispensable resource for professionals, policymakers, and researchers navigating the intricate and evolving terrain of Industry 4.0 with technical precision and ethical responsibility.
... Adhering to these regulations isn't mandatory only to evade the legal consequences, but it also is very important for the users' trust. Some of the key points that must be incorporated in compliance strategies to make IoT more secure are; data protection that involves use of secure data encryption, subsequent storage and proper handling [113]. In the same manner, compliance is another issue which organizations need to consider This article has been accepted for publication in IEEE Access. ...
Article
Full-text available
The advent of the Internet of Things (IoT) marks a significant milestone in digital innovation, transforming numerous aspects of daily life. As IoT continues to proliferate, ensuring robust security becomes increasingly critical, drawing attention from both academic and industry circles. This study seeks to systematically identify and categorize the primary success factors essential for securing IoT systems. By synthesizing insights from comprehensive literature reviews and detailed questionnaires, we have identified 21 pivotal success factors frequently referenced in both scholarly research and practical implementations. These success factors are organized into four key categories: Security protocols and Standards, Threat Detection and Prevention Mechanisms, Device Security management and Governance, Risk and Compliance (GRC). To evaluate the relative importance of these factors, we employ the fuzzy Analytic Hierarchy Process (fuzzy-AHP), a method recognized for its effectiveness in addressing complex decision-making challenge within IT contexts. This innovative application of fuzzy-AHP in the IoT security domain facilitates the nuanced prioritization of these success factors. Our research offers a structured hierarchy of IoT security success factors, providing critical guidance for practitioners and academics in developing more resilient and effective security strategies for the evolving IoT ecosystem.
... Non-compliance may also result in the loss of customer trust, hinder business opportunities, and attract increased scrutiny from regulatory authorities. Organizations prioritise strong compliance measures, regular security audits, and employee training to address these risks, uphold data protection regulations, and safeguard sensitive information (Chaudhuri, 2016). Most respondents indicated they do not find specific data compliance regulations particularly challenging to implement in their Organizations. ...
Article
Full-text available
In today's landscape, safeguarding sensitive data is crucial for Organizations, but navigating data protection regulations and ensuring compliance is increasingly challenging. This research project explores Organizations' hurdles in achieving data protection compliance, offering insights to develop more effective strategies. A survey via Google Forms gathered insights from data protection experts and professionals, revealing key challenges such as difficulty understanding complex regulations, limited resources, and obstacles in implementing compliance measures. The study also reviewed the existing data protection regulatory framework and relevant literature, uncovering a common theme of confusion and a gap between regulatory requirements and practical application across Organizations. The research recognises that data protection extends beyond regulatory compliance, reflecting the evolving expectations of individuals and customers regarding the ethical handling of their data. This underscores the importance of data protection as both a legal and ethical responsibility closely tied to organisational reputation and public trust. The findings highlight the need for more precise, accessible guidelines and support mechanisms to bridge the gap between regulatory demands and organisational implementation. By addressing these challenges, Organizations can strengthen their data protection measures, foster trust, and ensure the security of sensitive information.
... • Data Breaches: Many Internet of Things (IoT) devices are susceptible to assaults that might result in serious data breaches because of their interdependence and sometimes insufficient protection. In addition to jeopardizing privacy, these violations can harm a person's finances and reputation (Borangiu, Trentesaux, Thomas, Leitão, & Barata, 2019;Chaudhuri, 2016;Dhanda, Singh, & Jindal, 2020). ...
Chapter
Full-text available
The chapter explores the critical aspects of data privacy and compliance within the rapidly expanding field of the internet of things (IoT). As IoT devices proliferate across consumer, industrial, and healthcare sectors, they bring with them significant challenges related to data security, privacy, and regulatory compliance. The integration of these devices into daily life raises substantial concerns about personal privacy, data breaches, and the ethical use of collected data. This discussion delves into the mechanisms IoT uses to collect, process, and store data; the associated privacy risks; and the comprehensive strategies necessary to mitigate these risks while ensuring compliance with global data protection regulations.
... Even though the Internet of Things (IoT) can make people's lives safer, failing to protect user data and privacy can have some bad effects [8]. Cybercriminals may be able to reprogram these unsecured IoT systems and cause malfunction by other malicious individuals through this method. ...
Article
Full-text available
The Internet of Things (IoT) is growing rapidly and impacting almost every aspect of our lives, from wearables and healthcare to security, traffic management, and fleet management systems. This has generated massive volumes of data and security, and data privacy risks are increasing with the advancement of technology and network connections. Traditional access control solutions are inadequate for establishing access control in IoT systems to provide data protection owing to their vulnerability to single-point OF failure. Additionally, conventional privacy preservation methods have high latency costs and overhead for resource-constrained devices. Previous machine learning approaches were also unable to detect denial-of-service (DoS) attacks. This study introduced a novel decentralized and secure framework for blockchain integration. To avoid single-point OF failure, an accredited access control scheme is incorporated, combining blockchain with local peers to record each transaction and verify the signature to access. Blockchain-based attribute-based cryptography is implemented to protect data storage privacy by generating threshold parameters, managing keys, and revoking users on the blockchain. An innovative contract-based DOS attack mitigation method is also incorporated to effectively validate devices with intelligent contracts as trusted or untrusted, preventing the server from becoming overwhelmed. The proposed framework effectively controls access, safeguards data privacy, and reduces the risk of cyberattacks. The results depict that the suggested framework outperforms the results in terms of accuracy, precision, sensitivity, recall, and F-measure at 96.9%, 98.43%, 98.8%, 98.43%, and 98.4%, respectively.
... Since GDPR came into effect, many studies have investigated its impact on smart home users and devices [13,21,45,57,59,73,81,94,97,103,121,177,178]. More research emerged into facilitating GDPR-compliant consent notices. ...
Article
Full-text available
Smart homes are dangerous - a sentiment arising from prior research exploring the user experience (UX) of data protection for smart home devices. While this research has explored data protection shortcomings for users, UX is a designed encounter reconciling development, economic, compliance and strategic business priorities. And so, in addition to studying user perspectives, there is a gap in understanding how designers and business leaders influence the UX of data protection. To address this gap, we study smart home users, designers and business leaders, exploring how they experience data protection interactions, regulation, and processes. Our findings confirm that users have poor data protection interactions (e.g., consent and data access requests). We also find that business leaders and designers experience difficulties in identifying, applying, and tailoring suitable processes and practices for data protection for which some have developed "discount data protection": shortcuts, heuristics, and common sense practices to overcome these challenges.
Article
Artificial Intelligence (AI) is reshaping international trade, presenting both challenges and opportunities for existing global legal frameworks. This research explores the intersection of AI and international trade laws, focusing on key areas such as data protection, intellectual property rights (IPR), trade barriers, and regulatory harmonisation. The cross-border flow of data in trade activities raises concerns about privacy and data protection, necessitating the balance between trade liberalisation and regulatory compliance. Moreover, the emergence of AI-generated intellectual property assets poses novel questions regarding ownership, liability, and enforcement mechanisms. Discriminatory practices and trade barriers fueled by AI-driven automation and predictive analytics threaten market access and fair competition. Harmonising regulatory approaches to AI governance is imperative to promote interoperability, innovation, and market integration. Despite these challenges, AI offers significant opportunities to enhance trade facilitation, efficiency, and dispute resolution mechanisms. Embracing AI technologies can streamline supply chains, reduce transaction costs, and expedite customs procedures. Additionally, AI-driven dispute resolution mechanisms offer innovative solutions to resolve trade disputes promptly and efficiently. To address these complexities, policymakers must enhance data governance frameworks, promote IPR harmonisation, and foster regulatory cooperation at both domestic and international levels. By embracing the transformative potential of AI while upholding fundamental principles of fairness and transparency, stakeholders can build a more resilient and inclusive global trading system. The qualitative research methodology has been applied to the following article.
Article
Full-text available
This review article explores the transformative advancements in wearable biosignal sensors powered by machine learning, focusing on four notable biosignals: electrocardiogram (ECG), electromyogram (EMG), electroencephalogram (EEG), and photoplethysmogram (PPG). The integration of machine learning with these biosignals has led to remarkable breakthroughs in various medical monitoring and human–machine interface applications. For ECG, machine learning enables automated heartbeat classification and accurate disease detection, improving cardiac healthcare with early diagnosis and personalized interventions. EMG technology, combined with machine learning, facilitates real‐time prediction and classification of human motions, revolutionizing applications in sports medicine, rehabilitation, prosthetics, and virtual reality interfaces. EEG analysis powered by machine learning goes beyond traditional clinical applications, enabling brain activity understanding in psychology, neurology, and human–computer interaction, and holds promise in brain–computer interfaces. PPG, augmented with machine learning, has shown exceptional progress in diagnosing and monitoring cardiovascular and respiratory disorders, offering non‐invasive and accurate healthcare solutions. These integrated technologies, powered by machine learning, open new avenues for medical monitoring and human–machine interaction, shaping the future of healthcare.
Article
Public Internet of Things (IoT) platforms, such as Thingspeak, significantly increased the availability of open IoT data and enabled faster and cheaper development of novel IoT applications by reducing or even eliminating the need for deploying their own IoT sensors and platforms. However, open IoT data is often heterogeneous, sparse, fuzzy, and lacks accurate description (which we refer to as IoT metadata). These limitations make open IoT data challenging to integrate and use, and prevent the efficient development of IoT applications. In fact, while several sensor data description models have been proposed and standardized, open IoT data currently lack or include only partial metadata description. Therefore, novel techniques for automatically annotating open IoT data are needed to fully unleash the power of open IoT. This paper proposes a novel Metadata-Assisted Cascading Ensemble classification framework (MACE) for the automatic annotation of IoT data. MACE is capable of sequentially combining standalone classifiers, enabling it to cope with heterogeneous IoT data and different domains of information (e.g. numerical and textual), which have not been considered previously. MACE incorporates a novel ensemble approach for automatically selecting, sorting, filtering, and assembling classifiers in a way that improves annotation performance. The paper presents extensive experimental evaluations of MACE using public IoT datasets. Results demonstrate that the MACE framework significantly outperforms existing solutions for open IoT data by as much as 10% in classification accuracy.
Article
Full-text available
This paper explores the potential of IoT enabled smart offerings and smart city services. It identifies security and privacy concerns for a variety of scenarios and discusses ways to address these concerns effectively. Link to acess (no registration required): http://www.tcs.com/SiteCollectionDocuments/White%20Papers/Address-Security-Privacy-Concerns-Fully-Tap-IoT-Potential-1015-1.pdf
Book
Full-text available
This position paper is an output of the Activity Chain 05 in the Internet of Things Cluster (IERC). The IERC has created a number of activity chains to support close cooperation between the projects addressing IoT topics and to form an arena for exchange of ideas and open dialog on important research challenges. The activity chains are defined as work streams that group together partners or specific participants from partners around well-defined technical activities that will result into at least one output or delivery that will be used in addressing the IERC objectives. IERC Activity Chain 05 is the crossproject activity, which has the objective to investigate how research can foster a trustworthy IoT at European level, identify solutions to protect the security and privacy of the citizens. These objectives can be quite challenging at the regulatory, ethical, market and technical levels. Next to Trusted IoT, privacy, data protection and security, which is at the core of policy issues already addressed today by the IERC, there are also other policy issues of concern that will need to be addressed if IoT is to be accepted by society, and wanted to make a difference where it can. These issues in particular include global governance (how are we going to make this all happen, in the full understanding that the way forward will need to involve multiple stakeholders around the globe), ethics (what would we expect those “global IoT solutions” to respect, and how will the way IoT is implemented potentially affect the understanding of ethical impact), and radio frequency spectrum. What can we do to make sure those issues are addressed, and how can we assure citizens and policy makers are well informed, thus to be able to take conscious decisions when moving forward. In this context, this position paper identifies relevant IoT challenges and describes solutions defined by the cluster projects, which can be used to address these challenges. FP7 projects have spent considerable effort in the definition of technical solutions and frameworks for the IoT domain. In some case, these solutions may overlap or they may leave gaps, which might become a basis for proposals for future IERC research activities and research programs like H2020. These research opportunities are identified and described in this position paper. Future activities of AC05 must address the integration of the identified solutions in this position paper with the results from the other Activity Chains in the IERC.
Conference Paper
Full-text available
In this work, we present a generic open-source software framework that can evaluate the correctness and performance of homomorphic encryption software. Our framework, called HEtest, automates the entire process of a test: generation of data for testing (such as circuits and inputs), execution of a test, comparison of performance to an insecure baseline, statistical analysis of the test results, and production of a LaTeX report. To illustrate the capability of our framework, we present a case study of our analysis of the open-source HElib homomorphic encryption software. We stress though that HEtest is written in a modular fashion, so it can easily be adapted to test any homomorphic encryption software.
Article
Hidden algorithms drive decisions at major Silicon Valley and Wall Street firms. Thanks to automation, those firms can approve credit, rank websites, and make myriad other decisions instantaneously. But what are the costs of their methods? And what exactly are they doing with their digital profiles of us? Leaks, whistleblowers, and legal disputes have shed new light on corporate surveillance and the automated judgments it enables. Self-serving and reckless behavior is surprisingly common, and easy to hide in code protected by legal and real secrecy. Even after billions of dollars of fines have been levied, underfunded regulators may have only scratched the surface of troublingly monopolistic and exploitative practices. Drawing on the work of social scientists, attorneys, and technologists, The Black Box Society offers a bold new account of the political economy of big data. Data-driven corporations play an ever larger role in determining opportunity and risk. But they depend on automated judgments that may be wrong, biased, or destructive. Their black boxes endanger all of us. Faulty data, invalid assumptions, and defective models can’t be corrected when they are hidden. Frank Pasquale exposes how powerful interests abuse secrecy for profit and explains ways to rein them in. Demanding transparency is only the first step. An intelligible society would assure that key decisions of its most important firms are fair, nondiscriminatory, and open to criticism. Silicon Valley and Wall Street need to accept as much accountability as they impose on others. In this interview with Lawrence Joseph, Frank Pasquale describes the aims and methods of the book.
Article
This paper highlights some of the opportunities presented by the rise of the so-called “Internet of Things” and wearable technology in particular, and encourages policymakers to allow these technologies to develop in a relatively unabated fashion. As with other new and highly disruptive digital technologies, however, the Internet of Things and wearable tech will challenge existing social, economic, and legal norms. In particular, these technologies raise a variety of privacy and safety concerns. Other technical barriers exist that could hold back IoT and wearable tech — including disputes over technical standards, system interoperability, and access to adequate spectrum to facilitate wireless networking — but those issues are not dealt with here. The better alternative to top-down regulation is to deal with these concerns creatively as they develop using a combination of educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, and targeted enforcement of existing legal standards (especially torts) as needed. This “bottom-up” and “layered” approach to dealing with problems will not preemptively suffocate experimentation and innovation in this space. This paper concludes by outlining these solutions. Finally, and perhaps most importantly, we should not overlook the role societal and individual adaptation will play here, just as it has with so many other turbulent technological transformations.
The internet-of-things (IoT) (or internet of everything) -privacy and data protection issues in the EU and the US
  • F Giannoni-Crystal
  • A Haynes Stuart
Giannoni-Crystal, F. and Haynes Stuart, A. (2016) 'The internet-of-things (IoT) (or internet of everything) -privacy and data protection issues in the EU and the US', available at: http://apps. americanbar.org/webupload/commupload/ ST230002/sitesofinterest_files/INFORMATION_ LAW_ JOURNAL-volume7_issue2.pdf (accessed 8th May, 2016).
Five ways retailers can start using IoT today
  • G Courtin
Courtin, G. (2015) 'Five ways retailers can start using IoT today', ZDNet, available at: http://www.zdnet. com/article/five-ways-retailers-iot-today/ (accessed 4th May, 2016).
56 million cards likely hit by Home Depot hack
CBC (2016) '56 million cards likely hit by Home Depot hack', available at: http://www.cbc.ca/news/ business/home-depot-admits-56-million-cards-hitby-security-breach-1.2770827 (accessed 4th May, 2016).
The race to create smart homes is on
  • I Brodsky
Brodsky, I. (2016) 'The race to create smart homes is on', Computer World, available at: http://www. computerworld.com/article/3062002/home-tech/ the-race-to-create-smart-homes-is-on.html (accessed 4th May, 2016).
Data breaches give rise to "privacy conscious" smart home hubs
  • B Sullivan
Sullivan, B. (2016) 'Data breaches give rise to "privacy conscious" smart home hubs', Techweek Europe, available at: http://www.techweekeurope. co.uk/e-regulation/data-breaches-privacy-conscioussmart-home-hub-190295 (accessed 4th May, 2016).