© Henry Stewart Publications 2398-1679 (2016) Vol. 1, 1 000–000 Journal of Data Protection & Privacy
Internet of things data protection and privacy in the era of the General Data Protection Regulation
Received: 8th May, 2016
Abhik Chaudhuri
is Chevening Fellow and Domain Consultant in Cyber Security, Privacy and Policy at Tata Consultancy
Services. Abhik has more than 14 years of IT consulting experience and holds an MBA from the Indian
Institute of Management at Kozhikode. Abhik provides thought leadership in developing global cyber
security and privacy standards at ISO/IEC JTC1/SC27. He is a Corporate Member of Cloud Security
Alliance’s International Standardization Council, and an IEEE member of the IoT Community and Experts
in Technology and Policy Forum.
Tata Consultancy Services
E-mail: abhik.chaudhuri@gmail.com
Abstract The emerging internet of things (IoT) technology has immense potential for
unprecedented business offerings in various domains. To provide reliable IoT products
and services that comply with regulatory demands, businesses must meet users’ data
protection and privacy needs. With the General Data Protection Regulation (GDPR) coming
into force from 25th May, 2016 and applicable from 25th May, 2018, IoT businesses must
strategise privacy alignment for their products or services by incorporating in their design
the privacy and data protection capabilities necessary for regulatory compliance and
gaining user trust. This paper discusses the associated data protection and user privacy
concerns, making reference to such IoT service offerings as smart retail, the smart home,
smart wearables, smart health devices, smart television and smart toys. The three steps
to privacy alignment strategy discussed in this paper comprise the privacy inquisition (PI)
analysis model, the IoT privacy impact assessment (iPIA) and the privacy state transition
process through which IoT businesses pass on their path to attaining ‘perfect alignment’
with respect to the GDPR data protection requirements and user privacy needs. Privacy
inquisition, iPIA and privacy state transition should be performed on a periodic basis,
preferably under the guidance of a privacy governance board with supervisory authority
and representation from the organisation’s board of directors, the controller and the data
protection officer.
KEYWORDS: GDPR, internet of things, IoT privacy, data protection, privacy inquisition
analysis, privacy transition state, privacy alignment strategy
INTRODUCTION
As internet of things (IoT) technology is
becoming increasingly powerful with the
integration of advanced data sensing, network
communication, information technology (IT)
infrastructure capabilities and analytics-based
inferences of user data, the technology is
demonstrating the potential to provide
fascinating insights into various facets of
societal living and businesses. Although
IoT is in the early stages of adoption in
various applications across the globe, we
are also seeing increased concerns among
stakeholders, specifically users and regulatory
bodies, about the security and privacy of
data collected, stored and processed for
such service offerings. While the research
and engineering communities are working
with businesses to address the data security
and privacy concerns, regulatory bodies
are also working to come up with relevant
regulations. The General Data Protection
Regulation (GDPR) is a significant effort
in this direction to protect user data and
privacy in the EU region.
This paper concentrates on data protection
and user privacy concerns with reference to
specific potential IoT service offerings like smart
retail, the smart home, smart wearables,
smart health devices, smart television
and smart toys. It discusses the relevance of
specific articles of the GDPR on IoT services
in the EU region. A strategy is also proposed
for the alignment of user privacy and data
protection needs with IoT business needs
for regulatory compliance and end-user
satisfaction.
This paper proposes a privacy inquisition
(PI) analysis model for aligning user privacy
needs with IoT business needs. A three-stage
transition process for privacy alignment is
also explained for regulatory compliant and
trustworthy IoT service offerings.
IOT DATA PROTECTION AND PRIVACY CONCERNS
As shown in Figure 1, an IoT business
application can be enabled with various
infrastructure and functional components,1
such as the sensors that capture contextual
data based on predefined parameters, gateway
devices that gather the data from a bunch of
sensors, a centralised data storage that can
be at the edge or hosted in the cloud where
the gateway devices flush the gathered
data intermittently, analytical processing
functions, application programming
interface (API) based business functions,
command and control function for the
actuators in sensors, and wired or wireless
network communications connecting
these components. From a data protection
and privacy perspective, each of these
components represents a potential breach
point2 if adequate security and privacy
measures are not embedded in the end-to-end
architecture of the IoT product
or service.
Figure 1: Infrastructure and functional components for the internet of things
IoT data privacy can be broadly classified
into the following six categories:
● Identity privacy: IoT devices are ultimately
owned by individuals and organisations.
Hence, the identity of the owners can be
tracked down from the device ownership
information. To preserve the identity privacy3
of the IoT device owners, the metadata
concerning device ownership should be
masked or locked down for authorised
access only.
● Location privacy: Data about the location
of IoT devices can be used to infer the
location of the user. Such data may be
leveraged for unscrupulous activities and
hence should be considered private
and not to be used without the user’s
consent.
● Search query privacy: By tracking the IP
address of a search query from a search
engine and analytically processing the
search queries from a specific user through
combinatorial means, inferences can be
derived regarding various personal traits
of the person who initiated the search
queries. For example, a smart refrigerator
that makes online queries for food items
liked by its owner can reveal specific
information regarding the person’s
fondness for specific food items. Such data
can then be used for targeted advertising
without the individual’s consent.
● Digital footprint privacy: As IoT devices are
almost always online, they can leave a trail
of data on the internet. Such data can be
accumulated to create a digital footprint of
the devices and the device owners. Cookie
invasion of IoT devices can also cause
operational privacy breaches.
● Personal behaviour privacy: Sensor-enabled
IoT applications can gather data regarding
personal behaviour based on various
parameters, mostly without user consent,
to derive business benefits like targeted
marketing.
● Personal health data privacy: Smart fitness
tracking devices can gather data about the
user’s health parameters without consent
and such data can be sent to health
insurers. Based on continuous gathering
of health data and analytics, the health
insurance company can infer information
about the various health disorders that the
person might face in future and change
health premiums accordingly.
IoT technology is showing immense
potential across various business domains,
including smart retail, smart homes, smart
wearables, smart healthcare and smart toys,
to name a few. Smart retail4 is seeing new
business applications like contactless point-of-sale,
smart shelves tracking consumer response
and behaviour toward specific items on
display, smart dressing rooms and beacon-based
marketing initiatives. However, these IoT
enabled offerings are also raising privacy and
security concerns. For example, shelf-based
sensors can track user gestures and behaviour
patterns, and the data they gather can be
stored and analysed further for marketing
purposes. If such user-specific sensor data
are stored in the cloud, then concerns can
be raised regarding the sharing of such data
with other retailers and third parties without
user consent. At a time when major retailers
are experiencing security and privacy
breaches, with consumer and cardholder data
being stolen from their databases,5 consumers
can raise questions regarding the capability
of smart retail opportunities to safeguard
their privacy where the attack surface is far
greater due to the multidimensional
data-gathering by sensors.
For smart home solutions, IoT sensors on
home appliances can be connected directly
to the internet or through a gateway or
central hub to monitor and regulate various
functions like smart energy management,
room ambience control, security and access
control, healthcare, assisted living and other
potential offerings.6 Smart appliances can
also be connected over the internet or Wi-Fi
to talk to each other. However, continuous
data-gathering by the interlinked sensors
and activity logs in smart homes can provide
inferences on the behaviour and activities of
the inhabitants which can result in privacy
breach.7 Users may be unaware of the
embedded features in smart home systems
and how these operate by default or what
personal data are captured.
According to the European Union Agency for
Network and Information Security (ENISA):
‘Privacy issues in smart homes are not
limited to confidentiality and access
control. Smart home sensors in particular
will generate a large amount of highly
personal data about activities within
the home. The multiple streams of data
combined together in a smart home
system create the possibility of deeper
contextual background and reveal patterns
of behaviour of the inhabitants. The
visibility of the smart home occupant
is increased by the large network of
third parties who may be involved in
providing smart home functionality.
Smart home functions may have serious
impacts upon privacy of the person,
privacy of behaviour and action, privacy
of communication, privacy of data and
image, privacy of location, and privacy
of association … Smart home systems
may include embedded features that are
opaque to the user, and do not inform the
user about the status of their operation.’8
The Center for Information Technology
Policy at Princeton University has found
that popular IoT devices being used today
leak sensitive user information when sent
unencrypted to the cloud.9 The researchers
have also observed that when two IoT enabled
devices talk to each other, the cloud is used
as the intermediary. This also increases the
chance of a breach of data in motion.
Wrist-mounted IoT devices10,11 like
smart watches, head-mounted devices
and other smart wearable devices have
gained popularity in recent times, with
functionalities beyond timekeeping. Some
of these perform as health tools to track and
display vital data about a person’s fitness
based on various health parameters that are
monitored on a continuous basis. Most of
these devices can be paired with smartphone
apps to operate in sync. However, some
smart watches have been found to send
outbound communications to unmapped
and unknown IP addresses.12 Security
vulnerabilities in smart watches and pairing
apps can be used to siphon personal data,
including physiological data, to undisclosed
or unintended recipients, resulting in severe
privacy breach.
IoT enabled smart health devices are
also available in the market for gathering user
health data. These devices include glucose
monitors that gather blood glucose data,
thermometers, respiratory meters, heart
monitors and smart plasters, and many more
devices with new healthcare functionalities
are in the offing. While the data gathered
by these devices can help in analysing
trends for the early detection of anomalies
and intervention through continuous
monitoring, there are concerns regarding the
misuse of personal health data without user
consent.13
Today, there are smart toys that are
Wi-Fi enabled and capable of conversing
with the children or adults that own
them. The human–toy conversations can
be transmitted wirelessly to the cloud for
storage and analytical processing.14 Such
smart toys can capture private conversations
and transmit to third-party vendors and
service providers without user cognisance
and consent. Similarly, voice-activated
smart home appliances and smart televisions
have been reported to record conversations
of users to the cloud without users’
consent.15
The privacy concerns from the above IoT
application scenarios have been mapped to
the six IoT privacy types in Table 1.
GDPR AND IOT DATA PROTECTION
The GDPR16 came into force on 25th May,
2016 and will be applicable from 25th May,
2018 following a two-year implementation
period. IoT businesses will also come under
the purview of the GDPR. This paper will
discuss those Articles and recitals within the
GDPR that are relevant for IoT data protection
and privacy. For quick reference, these specific
Articles and recitals are listed in Tables 2 and 3.

Table 1: Smart applications mapped to IoT privacy types
Privacy type
Smart application
Home appliances Watches Television Retail Health devices Toys
Identity X X X X X
Location X X X X
Search query X X X
Digital footprint X X
Personal behaviour X X X
Personal health data X X

Table 2: GDPR Articles relevant to IoT data protection

| Article no. | Context |
|---|---|
| 7 | Conditions for consent |
| 13 | Information to be provided where personal data are collected from the data subject |
| 15 | Right of access by the data subject |
| 17 | Right to erasure (‘right to be forgotten’) |
| 18 | Right to restriction of processing |
| 21 | Right to object |
| 22 | Automated individual decision-making, including profiling |
| 25 | Data protection by design and by default |
| 28 | Processor |
| 30 | Records of processing activities |
| 32 | Security of processing |
| 33 | Notification of a personal data breach to the supervisory authority |
| 34 | Communication of a personal data breach to the data subject |
| 35 | Data protection impact assessment |
| 37 | Designation of the data protection officer |
| 40 | Codes of conduct |
| 42 | Certification |
| 45 | Transfers on the basis of an adequacy decision |
| 46 | Transfers subject to appropriate safeguards |

As per Article 7 of the GDPR, the
processing of user data should be based on
consent from the data subject, which the
controller must be able to demonstrate on
request. For an IoT service offering, the
IoT service provider must ensure that the
user (data subject) has consented to the
processing of his or her personal data for
obtaining the service output.

Table 3: GDPR recitals relevant to IoT data protection

| Recital no. | Context |
|---|---|
| 28 | Application of pseudonymisation to personal data |
| 35 | Personal data concerning health |
| 39 | Processing of personal data |
| 49 | Availability, authenticity, integrity and confidentiality of stored or transmitted personal data |
| 60 | Principles of fair and transparent processing |
| 65 | Right to have personal data rectified and ‘right to be forgotten’ |
| 70 | Personal data processed for the purposes of direct marketing |
| 71 | Automated processing of personal data evaluating personal aspects |
| 78 | Appropriate technical and organisational measures |
| 79 | Clear allocation of responsibilities |
| 83 | Ensuring appropriate level of security, including confidentiality |
| 85 | Notifying personal data breach to supervisory authority without undue delay |
| 86 | Communication of personal data breach from controller to data subject |
| 90 | Data protection impact assessment |
| 101 | Personal data transfer from EU to third countries or international organisations |

Moreover, Article 7 also stresses that
while assessing whether the data subject
has given the consent freely, there should
be appropriate reason if the service is
provisioned on the condition of processing
personal data that are not necessary for
the performance of the contract. For
compliance, the IoT service provider
must ensure that the IoT devices gather
only as much metadata as is necessary to
provide the IoT offering, even if the end
user has consented to share personal data.
For example, the metadata obtained by a
smart thermostat device should be relevant
only for the processing necessary for the
end result, such as controlling the room
temperature and ambience parameters.
Were the thermostat to gather user-specific
data not relevant to the thermostat’s
functionality, this would constitute a regulatory
non-compliance if said data can be the basis
for inferring user preferences and behaviour
for direct marketing or other purposes not
mentioned in the service contract of the
IoT device.
To comply with Article 13(1c) and
Article 13(1f), IoT service providers
must ensure that the business intent of
processing the metadata gathered by the
IoT devices has been conveyed clearly by
the controller to the user and the same
is followed in principle. IoT services
might store personal data in the cloud
across geographical boundaries for service
availability and data redundancy. In such
situations, the user should be informed
about the appropriateness or suitability of
the safeguards established in the process
for his or her personal data and there must
be provision to obtain a copy of said data
on request.
Article 15 emphasises the right of access
to the personal data of the data subject. As
per the Article, the data subject shall have
the right of access to any of his or her
personal data that are being processed for
the IoT service and can request information
regarding the purpose of processing,
categorisation of those data, the recipients to
whom his or her personal data have been or
will be disclosed and the envisaged storage
period.
The data subject using an IoT device
or smart service shall have the right of
erasure (Article 17(1b), recital 65) of his/
her personal data following their withdrawal
of consent on which the data processing
is based or if the personal data have been
unlawfully processed by the IoT service
provider (Article 17(1d)). If the processing is
unlawful then the data subject can exercise
his/her right to restriction of processing as
per Article 18(1b). In a smart retail outlet,
the implication of this Article can be
objections from customers to the collection
and processing of their personal data
gathered by sensors in smart shelves,
smart dressing rooms and other locations
within the outlet. Such incidents of
non-compliance can affect the IoT enabled
business financially.
The data subject can exercise the right to
object to the processing of his/her personal
data and profiling (recital 71) for direct
marketing or other purposes (Article 21,
recital 70) and automated decision-making
without explicit consent that significantly
affects him/her (Article 22). This has
implications for proximity marketing
businesses using beacons if customers raise
objections to them processing their personal
data without consent for automated decision
making based on their likes and purchasing
behaviour.
Article 25(1) and recital 78 mention the
implementation of appropriate technical
and organisational measures for data
protection by designing measures like
‘pseudonymisation’ for data minimisation.
Article 25(2) requires ensuring by default
that only as much personal data as are
necessary for the purpose of processing
are actually processed. This regulatory
obligation applies to ‘the amount of
personal data collected, the extent of their
processing, the period of their storage and
their accessibility’. Article 42 refers to an
approved certification mechanism that can
be used to demonstrate compliance with
Article 25(1 and 2). Article 28 mentions
that the controllers can use processors
who provide sufficient guarantees to
implement appropriate technical and
organisational measures to meet the
regulatory requirements and to ensure the
data protection rights of the data subject.
The processor may adhere to an approved
code of conduct for data protection
(Article 40, recital 60) or an approved
certification mechanism (Article 42)
for compliance, with clear allocation of
responsibilities (recital 79). All records of
data processing, including the purpose,
should be available with the controller
(Article 30). For IoT enabled smart services,
these requirements will ensure that
personal data that are non-relevant for
the IoT functionality will not be collected,
processed, stored or be made accessible to
other individuals or businesses.
Article 32, recital 49 and recital 83
emphasise the security of data processing
based on the relevant risks that can impact
the confidentiality, integrity, availability
and resilience of processing systems and
services. Data processing should be done
with approved authority from the controller
or the processor. In an IoT data processing
scenario, complying with this regulatory
requirement requires a risk assessment to
understand the robustness of data security
in the existing IoT functional processes,
devices and infrastructure components and
addressing the vulnerabilities by designing,
testing and implementing adequate control
measures. This will help to prevent
accidental or unlawful data loss, alteration
of data, destruction of data, incidents of
unauthorised disclosure or access to personal
data in transmission or storage. Effective
encryption of IoT data from the sensors
to the gateway devices, from gateways
to centralised storage and for control data
flowing back to the sensors is a prime
necessity for ensuring confidentiality.
‘Pseudonymisation’ of personal data
captured by IoT devices and smart services
will increase personal data protection from
inference and user profiling. Steps should
also be taken to implement restoration
and data-recovery mechanisms to provide
on-demand access to personal data to
data subjects during physical or technical
incidents of system failure.
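As an added illustration (not part of the original paper) of the Article 25 minimisation-by-default and pseudonymisation measures discussed above, applied to the paper's smart thermostat case: a gateway forwards only allow-listed fields and replaces the device identifier with a keyed HMAC before data leaves the home. The field names, the sample reading and the key are assumptions constructed for the example.

```python
"""Added example: gateway-side data minimisation and pseudonymisation.

Field names, the sample reading and the key are constructed for illustration.
"""
import hashlib
import hmac

# Assumed allow-list: the only fields a thermostat service needs in order to
# control room temperature and ambience.
ALLOWED_FIELDS = frozenset(
    {"timestamp", "temperature_c", "humidity_pct", "setpoint_c"}
)

# Constructed demo key. In a deployment the key is held by the controller,
# stored separately from the pseudonymised data, and never hard-coded.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(device_id, key):
    """Return a keyed pseudonym (HMAC-SHA256) for a device identifier.

    A keyed construction is used rather than a bare hash so that someone
    holding only the stored data cannot confirm a guessed device ID.
    """
    if not key:
        raise ValueError("a non-empty secret key is required")
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(reading, key):
    """Apply minimisation by default to one sensor reading.

    Returns (record, dropped): the record to forward, and the sorted names
    of the fields that were withheld at the gateway.
    """
    if "device_id" not in reading:
        raise ValueError("reading has no device_id")
    # Default-deny: anything not explicitly needed is not forwarded.
    record = {k: v for k, v in reading.items() if k in ALLOWED_FIELDS}
    record["device_pseudonym"] = pseudonymise(str(reading["device_id"]), key)
    dropped = sorted(k for k in reading if k not in ALLOWED_FIELDS)
    return record, dropped


# Constructed sample: a reading carrying more than the service needs.
SAMPLE_READING = {
    "device_id": "thermo-0001",
    "owner_email": "resident@example.com",
    "timestamp": "2016-05-08T09:30:00Z",
    "temperature_c": 21.5,
    "humidity_pct": 40,
    "setpoint_c": 22.0,
    "occupancy_detected": True,
    "wifi_ssid": "HomeNetwork",
    "gps": [51.5, -0.12],
}

if __name__ == "__main__":
    forwarded, withheld = minimise(SAMPLE_READING, DEMO_KEY)
    print("forwarded:", forwarded)
    print("withheld :", withheld)
```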
For any incident of personal data breach,
the IoT data processor must convey the
same to the controller without any delay
along with the mitigation measures taken
or proposed. The controller must notify
the supervisory authority within 72 hours
of becoming aware of the data breach
(Article 33, recitals 85, 86). For critical
IoT services like smart healthcare, this
Article, in conjunction with recital 35,
acquires greater significance to reduce
the adverse effects of sensitive health data
exploitation. The controller must inform
the data subject about the personal data
breach from the IoT infrastructure or
application components if any adverse
effect on the data subject is anticipated
(Article 34).
As a precautionary measure, the data
controller can carry out a data protection
impact assessment on the operational flow
of data for the smart service, in compliance
with Article 35 and recital 90. The IoT
service provider can have a designated data
protection officer (Article 37), who can
be consulted by the controller regarding
the data protection impact assessment and
relevant safeguards.
For storage and redundancy of IoT
data in the cloud across geographical
boundaries, care should be taken so that
any transfer of personal data (Article 44,
recital 101) collected from IoT devices
and smart services for processing to third
countries or international organisations,
including onward transfers, complies with
the adequacy decision as per Article 45
and has appropriate safeguards compliant
with Article 46.
THE IOT PRIVACY ALIGNMENT STRATEGY
With the IoT still being an emerging
technology, there are multiple product
vendors and service providers in various
domains offering new functionalities with
early-to-market strategies aiming for
first-mover advantage. As discussed previously,
user privacy is a key challenge for these
IoT offerings.
IoT businesses must pay attention to
user privacy concerns if they are to gain
user confidence for their smart offerings.
With the advent of the GDPR, regulatory
compliance of user privacy needs for IoT
services and products is also becoming
mandatory. A stakeholder approach to
IoT data protection and privacy is the
need of the hour.17
Aligning the IoT service or product design
with users’ privacy needs is necessary to
provide a trustworthy IoT offering. IoT
service providers and product vendors
must strategise means to incorporate
privacy-enhancing capabilities in their
service or product design as default
functionality. An IoT privacy alignment
strategy, as described here and depicted
in Figure 2, can be utilised to address
the data protection needs and privacy
concerns of IoT offerings from the
perspectives of the user and regulator.
Figure 2: The three steps of internet of things privacy
alignment strategy
The strategic three steps to IoT privacy
alignment are:
1. perform privacy inquisition (PI) analysis;
2. conduct IoT privacy impact assessment
(iPIA); and
3. privacy state transition toward perfect
alignment.
The privacy inquisition (PI) analysis model
is the first step for aligning user privacy
needs with IoT business needs. The six
queries in the PI model (Figure 3) are the
basic privacy concerns of users regarding
personally identifiable information (PII)
collected for the IoT functionality; specific
details of PII collected; if the user’s consent
has been obtained before PII collection;
storage and safety of gathered PII; details of
recipients with whom the PII is shared; and
capabilities established to return or erase PII
based on user request. IoT service providers
and product vendors must provide satisfactory
answers to these queries in order to gain
customer confidence for their offering.
If, for any of the queries in the PI analysis
model, the IoT service or product does
not align with the user privacy need, then
the next step is to conduct an IoT privacy
impact assessment (iPIA) to understand the
causes for non-alignment and the inherent
privacy risks. A well-planned iPIA will help
to understand the business impact in terms
of associated costs of IoT service or product
redesign, financial impact for regulatory
non-compliance, damage to reputation and
trustworthiness.
The path to perfect IoT privacy
alignment for businesses can be considered
as a three-stage process, as shown in Figure 4,
starting from ‘zero alignment’ (Scenario 1)
to ‘perfect alignment’ (Scenario 3), with
an intermediary state of ‘partial alignment’
(Scenario 2). In the ‘zero alignment’ state,
the IoT business needs of the organisation
are not aligned to user privacy needs and
regulatory compliance needs. A state of
‘partial alignment’ is attained when the IoT
business needs have incorporated some user
privacy needs and the business complies
with some regulatory requirements.
‘Perfect alignment’ is achieved when the
IoT business needs have incorporated all
regulatory compliance requirements and user
privacy needs.
Figure 3: The privacy inquisition model for aligning user privacy needs with internet of things business needs
For example, an IoT business can be
in a state of ‘zero alignment’ if it has not
considered user privacy needs and regulatory
needs in the service or product design
phase. For such a business, the first step
will be a privacy capability assessment based
on the PI analysis model to determine the
privacy gaps based on user needs. Next, a
regulatory compliance audit with reference
to the relevant clauses in GDPR must be
conducted to identify the privacy gaps. A
consolidated list of gaps identified from
user needs and regulatory requirements
will be the basis for conducting the iPIA
to identify the privacy risks. Evaluation
of target solution and implementation
by incorporation in the IoT service or
product design is then required to reduce
or eliminate these risks. In this process, the
IoT business organisation moves from ‘zero
alignment’ to ‘partial alignment’ and finally
to a state of ‘perfect alignment’.
Figure 4: The transitions to perfect privacy alignment
Privacy inquisition, iPIA and privacy
state transition should be performed on a
periodic basis, preferably under the guidance
of a privacy governance board having
supervisory authority and representation
from the organisation’s board of directors,
the controller and the data protection officer (DPO). The privacy
governance board should continuously
evaluate the effectiveness of data protection
and privacy policies; direct the IoT business
in taking appropriate steps toward regulatory
compliance; and monitor the alignment of
IoT business needs with user privacy needs.
To address data breach incidents, a proper
privacy incident management plan should be
established to ensure concerned stakeholders
are notified without delay and steps should
be taken to provide an adequate level of data
protection. Any cross-border transfer of
user data for IoT business needs should have
appropriate user consent with an adequate
level of protection, as suggested in the GDPR.
CONCLUSION
Today’s digital society does not like to
live in a black box.18 While emerging
technologies like the IoT are providing
immense opportunities for smart living and
western society is gradually shifting to a
sensor-dominated and data-driven world,
data subjects are also raising concerns
regarding privacy and the protection of their
valuable data. The GDPR has now brought
in regulatory focus on data protection and
privacy measures. In the current scenario,
IoT businesses must align with regulatory
requirements and user privacy needs to
prevent financial loss and to gain customer
confidence in their offerings. The privacy
alignment strategy discussed in this paper
will provide IoT businesses with the
necessary guidance to comply with GDPR
and to provide trustworthy smart services.
References
1. Cloud Security Alliance (2015) ‘Security guidance for early adopters of the internet of things’, available at: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf (accessed 8th May, 2016).
2. Giannoni-Crystal, F. and Haynes Stuart, A. (2016) ‘The internet-of-things (IoT) (or internet of everything) — privacy and data protection issues in the EU and the US’, available at: http://apps.americanbar.org/webupload/commupload/ST230002/sitesofinterest_files/INFORMATION_LAW_JOURNAL-volume7_issue2.pdf (accessed 8th May, 2016).
3. Chaudhuri, A. (2015) ‘Address security and privacy concerns to fully tap into IoT’s potential’, available at: http://www.tcs.com/SiteCollectionDocuments/White%20Papers/Address-Security-Privacy-Concerns-Fully-Tap-IoT-Potential-1015-1.pdf (accessed 4th May, 2016).
4. Courtin, G. (2015) ‘Five ways retailers can start using IoT today’, ZDNet, available at: http://www.zdnet.com/article/five-ways-retailers-iot-today/ (accessed 4th May, 2016).
5. CBC (2016) ‘56 million cards likely hit by Home Depot hack’, available at: http://www.cbc.ca/news/business/home-depot-admits-56-million-cards-hit-by-security-breach-1.2770827 (accessed 4th May, 2016).
6. Brodsky, I. (2016) ‘The race to create smart homes is on’, Computer World, available at: http://www.computerworld.com/article/3062002/home-tech/the-race-to-create-smart-homes-is-on.html (accessed 4th May, 2016).
7. Sullivan, B. (2016) ‘Data breaches give rise to “privacy conscious” smart home hubs’, Techweek Europe, available at: http://www.techweekeurope.co.uk/e-regulation/data-breaches-privacy-conscious-smart-home-hub-190295 (accessed 4th May, 2016).
8. Barnard-Wills, D., Marinos, L. and Portesi, S. (2014) ‘Threat landscape and good practice guide for smart home and converged media’, available at: https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-convergence/at_download/fullReport (accessed 4th May, 2016).
9. Davis, J.S. (2016) ‘Nest, other IoT devices, sent user info in the clear’, SC Magazine, available at: http://www.scmagazine.com/nest-other-iot-devices-sent-user-info-in-the-clear/article/466616/ (accessed 4th May, 2016).
10. Motti, V.G. and Caine, K. (2015) ‘Users’ privacy concerns about wearables: impact of form factor, sensors and type of data collected’, available at: http://fc15.ifca.ai/preproceedings/wearable/paper_2.pdf (accessed 8th May, 2016).
11. Thierer, A.D. (2015) ‘The internet of things and wearable technology: addressing privacy and security concerns without derailing innovation’, available at: http://dx.doi.org/10.2139/ssrn.2494382 (accessed 8th May, 2016).
12. The Register (2016) ‘$17 smartwatch sends something to random Chinese IP address’, The Register, available at: http://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/ (accessed 4th May, 2016).
13. Lexology (2016) ‘Privacy commissioner targets IoT health devices in sweep’, available at: http://www.lexology.com/library/detail.aspx?g=eec63029-2ea2-4ad2-aa16-b2af935edbbd (accessed 4th May, 2016).
14. Lexology (2016) ‘These toys have eyes (and ears too): VTech security breach raises “internet of things” privacy fears’, available at: http://www.lexology.com/library/detail.aspx?g=e9fc4a57-4bbb-43d7-a414-24c72b383ac4 (accessed 4th May, 2016).
15. Malinga, S. (2016) ‘Smart home appliances come with security risks’, IT Web, available at: http://www.itweb.co.za/index.php?option=com_content&view=article&id=152108 (accessed 8th May, 2016).
16. ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’, Official Journal of the European Union (2016), available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1462359521758&from=EN (accessed 8th May, 2016).
17. Levitt, T. (2015) ‘IoT governance, privacy and security issues’, available at: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf (accessed 8th May, 2016).
18. Pasquale, F. (2015) ‘The Black Box Society’, Harvard University Press, Cambridge, Massachusetts.