The internet of things and GDPR

It has been called the next industrial revolution, the internet of things promises to transform industry, but also the home and how businesses communicate with customers. But not so fast – it comes with implications for privacy, and with GDPR enforceable from May 2018, companies wishing to ride the great internet of things opportunity need to be aware of the implications for their customers’ privacy.

It has been estimated that by 2022 no less than 29 billion devices will be connected. Privacy won’t be an issue for things if things are all they are. The great economic opportunity that lies with the Internet of Things will to a large extent relate to manufacturing, energy provision, or industry.  Ensuring machines are working properly, for example, or checking the tyres on a truck in a building site, or testing a solar panel in a remote area, won’t necessarily have major personal data concerns. The industrial Internet of Things only has vague connection with personal data.

But we are also entering era of customer centricity, AI applying big data to anticipate demand. The smart home might see a person’s fridge connected, and that is fine . . . providing.

Providing you use customer’s data with their explicit permission. Providing you have appropriate processes in place to safeguard their privacy and providing you have appropriate security to protect this data from hackers, and providing, in the event of a data breach, you have a clearly laid out and appropriate plan to follow and you act upon it.

At the heart of the internet of things are radio frequency identification tags (RFIDs), tiny chips sets that can identity a product.

And GDPR regulation itself explicitly refers to RFID chips as an example of identification technology, but always it boils down to how the technology is used.

Take RFIDs inside wearable technology for example, no matter how well meaning the application, they pose a potential privacy risk.

Wearable technology may serve a customer’s own interests, for example monitoring health, or communicating special offers, but the customer must have given explicit permission.

And that means permission must be clearly given, the customer needs to have provided an affirmative action, meaning ‘passively not ticking a box’ does not meet the standard. The permission must be unambiguous, freely given and specific.

Data is valuable, a recent editorial in the Economist said that data is the new oil. But when the data concerns personal information, it is only valuable if the appropriate consent is given to use it. And GDPR makes it clear that consent cannot be presumed through inaction.

GDPR regulation also concerns privacy by design and privacy by default, this means that data controllers must adopt significant technical and organisational measures to demonstrate GDPR compliance.

There are other important issues too, for example processing personal data related to children.

A key area, however, relates to what to do in the event of a data breach. Under GDPR regulation, a company has 72 hours to report a breach, and the Internet of Things creates many more ways in which such a breach can occur.

The Internet of Things represents a massive opportunity for business, but it can and should benefit the customer too. A company that understands this, has the customer at its core and appreciates the importance of earning the customers’ trust, may find that complying with GDPR requires taking actions and applying procedures that they would do anyway. But GDPR, because it comes with the threat of substantial fines, adds a whole new commercial imperative.

GDPR Summit London will take place on 30th January helping delegates to understand how your business can take advantage of the opportunity that the GDPR presents.

The event will feature a three theatres providing you with an in-depth understanding of the issues businesses face under GDPR.


GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/