Preparing for the new EU data laws in the IoT space
Another day, another story of a cyber breach hits the news. Recent reports suggest that Uber was one of the latest victims, with 2.7 million people in the UK being affected by a cyber attack that took place in 2016, says Steven Farmer of Pillsbury Law.
With the most significant overhaul of EU data protection laws scheduled to come into effect in May 2018, data protection stories look set to remain in the headlines. The new General Data Protection Regulation (GDPR) will have direct effect throughout the EU, and the UK Government has committed to retaining the law post-Brexit. The new law not only requires private organisations and public entities to report data breaches to regulators in most circumstances, but also empowers those regulators to issue significant fines where breaches occur.
What does the new law say?
The new law changes the existing legal framework and empowers regulators to issue fines of up to four percent of global corporate turnover or €20 million for each breach, whichever is greater. Organisations in the IoT space are particularly vulnerable given the amount of information collected, and the potential weakness in wireless technologies, which can be exploited by hackers.
Businesses in the IoT space should be aware of the following key points:
- Accountability – crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work. For example, when developing an IoT product, a risk assessment will be required to review the sensitivity of the data collected and detect potential risks.
- Consent – new rules will also be introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward. In addition, IoT products, which incorporate privacy settings, should, by default, be set on the most privacy-friendly setting, although users can be given the option to change these settings as part of an initial set-up process.
- Enhanced rights for individuals – new rights will be introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, among others. The right to data portability empowers individuals to request that their data be transferred to a third party, likely a competitor, in a machine-readable form.
- Privacy policies – fair processing notices will now need to be more detailed and providers of IoT products will need to ensure that policies are updated.
- International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers will be expressly recognised for the first time and so should be considered as a transfer mechanism. Also, if the UK leaves the European Union without a “data-deal”, transfers of personal data between the UK and Europe may not be permitted unless safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
- Breach notification – new rules requiring breach reporting to regulators within 72 hours, and the individuals affected (subject to conditions), will be introduced and so processes in place (or not) will need to be revisited to accommodate these rules.
What should businesses be doing?
With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance.
In terms of key first steps, IoT companies might consider prioritising the following as a minimum:
- Review privacy notices and policies – ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare and update the data security breach plan – to ensure new rules can be met if needed.
- Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR? What are the default privacy settings on your IoT products?
- Set up an accountability framework – e.g., monitor processes, procedures, train staff.
- Audit your international transfers – do you have a lawful basis to transfer data? How will transfers continue post-Brexit?
As the 25th May 2018 draws ever closer, the advice to firms in the IoT sector that are yet to consider their obligations is to start thinking about compliance sooner rather than later. Falling foul of the GDPR could not only damage customer trust, but could also have profound financial implications. As the adage goes: ‘those who fail to prepare are preparing to fail’.
The author of this blog is Steven Farmer, counsel at Pillsbury Law