Q & A with GDPR Expert: What to know about Privacy and Security for IoT Devices
Posted on 13 Jul 2018 by Sally Guenette
This blog post lists the questions raised on TUV Rheinland OpenSky’s recent webinar: Approaches to Privacy and Security for IoT Devices in a GDPR World. For a recording of the webinar, please click here.
Questions and Answers
Question 1: Is GDPR targeting small to medium-sized companies?
The GDPR is applicable no matter what size the company is, however see Recital 13 (1-4) below:
1 In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.
2The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
3To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organizations with fewer than 250 employees with regard to record-keeping.
4In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.
Question 2: What are the steps a cloud API provider must follow to make sure we are GDPR compliant?
A: Cloud API providers should ensure they can protect personal data as it is transmitted via their APIs. Key topics related to the GDPR include secure software development practices, protecting against the OWASP Top 10 vulnerabilities, encryption, change management, and protection against unauthorized access and modification of data. All APIs should be tested thoroughly after every change to the code or environment where they will be used. In addition, only personal data necessary for the API should be processed. Use methods and protocols like OAUTH, where appropriate, to limit personal data. Ensure personal data is not stored or tracked except where required to provide the API’s functionality. Users should be informed of what personal data is being used by the API, why, and how it is used and transmitted.
Question 3: Is it useful to have a representative in the EU for non-EU manufacturers?
A: Yes, it is. For the GDPR, a business presence in the EU is not mandatory however a representative in the EU is. A ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation (Article 4.17).
Question 4: Where do industrial IoT devices cross over to being held accountable for GDPR? Do industrial users that provide personal e-mail addresses or phone numbers fall under GDPR?
A: Any company, no matter their industry, is accountable for the GDPR if they process data from individuals in the EU, this includes email addresses and phone numbers. Here’s an industrial IoT example to help think about the potential relevance of the GDPR: If you sell a device like a tank level monitor in the EU, you may usually sell to businesses. However, if that business places your monitor on one of their customer’s home fuel tanks, that data will then appear in your cloud data. You are now processing personal data about how much fuel is in an individual’s home fuel tank, and the GDPR applies.
Per GDPR Article 6.1 a-b:
Processing shall be lawful only if and to the extent that at least one of the following applies:
a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Question 5: We can only store the information required to provide the service, but, can we then use that information to perform research? I mean keeping and processing anonymous data to evaluate if the device is working as it should.
A: The GDPR only applies to personal data. If that data has been anonymized, the GDPR does not apply. Per Recital 26:
1The principles of data protection should apply to any information concerning an identified or identifiable natural person.
2Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
3To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
4To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
5The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
6This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes
Question 6: Are there test requirements on hardware to make it compliant?
A: The GDPR allows for certifications; however to date, no certifications have been approved for GDPR by the relevant governing bodies. In fact, the accreditation bodies have not been fully identified. For further information, please click here for the recently published (May 25, 2018) guidance on GDPR certification from the European Data Protection Board.
In the meantime, individual privacy and security testing organizations have created services to test hardware and software against the GDPR, based on the GDPR’s documented articles and recitals. These often include testing of the devices and their components, infrastructure, local and online communications, and related applications. In-depth penetration testing is an important component of any testing. Some testing services will issue formal test reports which can help build trust with customers.
Question 7: Does user consent override data residency requirements? For example, if a database is in the US only
and a user in Germany consents to have access, is that ok?
A: Yes, that is ok. See Q4 above for consent information.
Question 8: Are there any exemptions such as for judicial, legal or criminal instances?
A: Yes, there are. See Article 6.1 c-f:
Processing shall be lawful only if:
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Question 9: We have been engaged with TUV Rheinland in several countries for safety certifications of our products. In which countries does TUV Rheinland provide IoT privacy testing?
A: TUV Rheinland has test labs worldwide in 69 countries with over 19,000 employees. We test the mechanical and electrical features of products and extend it for the growing number of IoT products to provide testing for security and data protection. We have a laboratory in Shenzhen, China, and in Cologne, Germany, for IoT Privacy Product Testing. We are planning to open additional labs in Yokohama, Japan, and Fremont, California. Penetration testing for devices can also be done in other locations.
For IoT Privacy Service Testing, Germany and the US provide full-service testing; however some testing can be provided in other locations.