Healthcare, smart cities and connected vehicles will be the three enterprise IoT ‘verticals’ most impacted by the General Data Protection Regulation (GDPR), which comes into force next week.
Analysts suggest these market sectors, outside of the consumer internet of things (IoT) market, will be under most scrutiny under the new GDPR controls as they are most likely to collect and process personal data from and about European citizens.
“It depends on whether or not personal data is being processed – healthcare is an obvious contender here because it is any device is likely to be collecting data that is associated with an identifiable data subject, but vehicles and smart cities will also be processing personal data so will fall within scope,” comments Martin Whitworth, research director in European data security and privacy at IDC.
The new European Union (EU) privacy regulation, which comes into effect on May 25, relates to any system or application that collects, processes or stores personal data of EU residents. Enterprises are subject to the regulation, regardless of whether they are based in the EU or not, and are required to obtain consent from the subject of the data, and limit their usage of it.
The fast-developing IoT market, typically running low-level data collection in the background, makes the challenge of privacy regulation for enterprises particularly complex, generally. IoT connections will grow from eight billion in 2017 to 27 billion in 2025, according to Gartner, generating vast quantities of personal data that will be subject to the data protection laws of each country in which the devices are deployed.
Governments are ramping up fines for non-compliance with data protection laws. The GDPR makes companies liable for up to €20 million, or four per cent of global revenue, for breaches. Whitworth quotes the regulation’s definition of ‘personal data’, related to an indentifiable person, to underline the catch-all scope of the regulation.
“An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier – such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” he says.
The question of which enterprise IoT vertical is most at risk, or has most to brush up on, comes down to which carries the most personal data. On the face of it, healthcare seems the most likely, due to the collection and processing of patient data, but this is a false assumption, reckons Michela Menting, digital security research director at ABI research.
The sector’s familiarity with watchful regulation makes its demeanour relatively healthy, she suggests. “The industry is already heavily regulated, and as such, is experienced at operating in a strict regulatory environment.” By contrast, the relative inexperience of smart cities and car-makers could be telling.
“Automotive and cities are more newly connected and in part will be collecting information about users which they simply were not doing before. Such data will be subject to GDPR and the ePrivacy Regulation, and many in those verticals will have to work out how they can best comply with them. This will be a new effort for them, and as such, will impact those industries more strongly than healthcare.”
What about the broader industrial IoT sector, covering manufacturing, agriculture, supply chain and logistics? “They may possibly be less impacted initially,” says Menting. “They operate in a more B2B capacity and will perhaps collect less personal data about the final users of their products than a B2C outfit.”
But she warns even these companies need to be cognizant of data they collect on their workforce, covering both employees and contractors. The risks associated with non-compliance are high. Both analysts cite the four per cent rule; Whitworth points to even more profound repercussions. “Other actions such as prohibition of processing of personal data and, worst of all, the reputational damage,” he says.
The Regulation on Privacy and Electronic Communications (ePrivacy Regulation) comes into force at the same time as the GDPR, replacing the Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive). The move to replace an old privacy directive, which informed national law, with a new regulation, which defines it, will further harmonise data protection and privacy across the EU, notes Menting.
The ePrivacy Regulation is more narrowly defined, says Menting, as it protects the line of communication, rather than its contents as such, but both will have an impact on enterprise IoT practitioners. “Much of the data collected today on users will be electronic, whether in an enterprise setting or other. The GDPR applies regardless of format, although the ePrivacy regulation is specific to electronic data. For enterprise IoT, both will be relevant. In any case, the regulations are meant to be complimentary.”
The advice is clear. The concept of data protection by design and by default, and security by design and by default, are paramount when designing IoT devices, and must be documented in the making, says Whitworth. “It is important to remember that the scope of personal data within GDPR is incredibly wide so careful examination is necessary,” he adds.
Gartner states in a research note: “Any organisation that collates and analyses IoT data in a centralised system that moves data across borders – such as an IaaS data centre outside the end user’s country – needs to be aware of the data protection laws that will enforce either a governance methodology or outright restrict any data exiting the jurisdiction.”