Will GDPR Spoil the IoT Party?

The General Data Protection Regulation (GDPR) may be a European initiative, but it has been the source of consternation across the globe because data flows across national boundaries and oceans as easily and quickly as it does between neighboring buildings. Any organization employing or exchanging data with European customers or partners is subject to the privacy rules embedded in the regulation, due to go live in May.

But nowhere is the matter of GDPR compliance more tangled and hair-pulling than the Internet of Things. In a recent paper, Michael Moran and Tim Panagos, both with Microshare, warn of the complications that GDPR brings to IoT. The challenging of keeping IoT data and interactions compliant “will be particularly vexing due to its volume, the disparate nature of its sources, and the lack of common standards across IoT networks. GDPR and other regulatory and security initiatives will complicate efforts to store, analyze, share and sell IoT data, a problem that threatens to undermine bullish forecasts about the potential size of the IoT data market,” they state.

See also: How to secure our data, networks, and employees remotely

Complying with GDPR would have been much easier tin times gone by, when a major tech firm, for example, could be compelled to maintain a centralized database of customers that could be easily sorted by European versus the rest of the world. IoT, however, “tears up the notion that data has a single owner or that data transactions are conducted primarily between two entities,” they state.

The data subject to GDPR privacy regulations are the core of many IoT projects, including basic identity information such as name, address and ID numbers; Web data such as location, IP address, cookie data and RFID tags; health and genetic data; and biometric data. Moran and Paganos are concerned that such regulations, with the threat of steep fines for violations, will put a damper on IoT ventures.

Those that do build IoT networks will be those that  subject their implementations to massive legalistic and technical overhead; “the winners will wrestle with the complexities of deploying solutions that rely on a mixture of robotic compliance protocols and human monitoring to ensure that they can move into the highlands of the new IoT data economy without risking a regulatory backlash.” Many potential players in this space will simply be too timid to incur such liabilities.

Will we slow IoT’s roll?

There are many, many compelling concepts now becoming a reality with IoT, including connected cars that receive regular software boosts, connected homes that regulate energy usage, home entertainment systems that receive automatic upgrades, and health monitoring devices, just to name a few. Servicing customers in this space could be problematic since it requires some degree of personal usage or location-based data.

“A shopper in a European mall will not stop to consent to the leveraging of 150 pieces of data created by the simple fact that he walked by your storefront,” Moran and Paganos observe. “Some of that data will have real value and its distribution fall entirely within the borders of the GPDR; some will be personal and require explicit permission for ingestion; a large amount in between will drive legal challenges for the next several decades as national judiciaries grapple with the need for a whole new class of precedents.”

In other words, a legal tangle awaits for organizations with European customer bases, which, in today’s global economy, is just about everyone. It’s going to be a great time for lawyers, who may need new sources of revenue as online lawbots take over many aspects of their profession.

Moran and Paganos urge that organizations not back away from the IoT opportunity as it relates to European markets, but begin work on “more sophisticated business models will need a more granular and responsive data management approach to avoid triggering GDPR and other privacy red flags.” Their own approach calls for a packet approach to data delivery from IoT networks, which can be automated and audited as frequently as needed.