IoT and Personal Data / GDPR

The introduction of IoT means a potentially strong advantage – for every organization, it creates the ability to turn technology into business benefits. The technology enables automation, demand-driven processes, predictive maintenance, and new value chains; the organization obtains a systematic knowledge of the state of things.

While technology creates opportunities, as with all digitalization, it also introduces new risks. The GDPR (General Data Protection Regulation, EU, 2018) has incentivized most organizations to allocate resources to work with IT and information security actively.

GDPR

GDPR has local implementations in every EU member state. In Sweden, for instance, the GDPR is translated into “Dataskyddsförordningen” (DSF). In the DSF context, it is customary for an organization to establish routines to ensure that the information processed, regardless of application and system, has an Information Owner. Furthermore, if the information contains personal data, there must also be a Data Protection Officer.

The Data Protection Officer has to ensure that the processed data is handled correctly. For instance, regarding the type of data saved, how it is stored, how it is erased, how it can be retrieved, and how it can or cannot be combined with other data sets for generating new insights.

It is not possible to transfer the personal data responsibility to another party or other organization.

IoT data

When introducing IoT in an organization, it is not apparent that modern sensors generate data that is classified as personal data. At first glance, it isn’t easy to understand that, for instance, air quality data or data generated from simple passage counters at an entrance probably must be handled as personal data.

These examples are probably not personal information when looking at the data alone. For example, the information that a person just passed a doorway at a given time will not in itself provide the opportunity to say who it was and thus result in personal data. Likewise, that there has been a certain CO2 content in a conference room at a specific time is also not relevant as personal information.

However, IoT data is most often put into a context, and this is when the data can become personal. For instance, if the organization has information in its systems that, for example, tells which access card was used to pass a certain door, the people counter in the example suddenly does not become anonymous data. And if there is data that says which account booked a particular conference room, the CO2 value suddenly takes on a different meaning. In these two examples, the respective data points must then be classified as personal data.

Modern IoT technology enables organizations to manage IoT securely. Administrators log in to their IoT solution, configure connected devices, and ensure that the data is correct. The administrators are people, and data concerning these are also to be classified as personal data, something that is sometimes forgotten in the process as the focus is naturally on the IoT solution’s purpose.

Personal Data Processing Agreement

In a relationship between Sensative and our customers, we should sign a so-called Personal Data Processing Agreement. The agreements do not mean that our customer can transfer responsibility to Sensative, but that our customer delegates parts of managing their responsibility to Sensative. Sensative’s responsibility is to follow the customer’s guidelines and instructions as specified in the agreement and associated appendices.

Each use case should be specifically analyzed. Some applications are less important than others. For example, real-time information about a person’s heart rate requires some handling. Outdoor temperature polled every 4 hours another. Dialogue between the parties concerned regarding the configuration of data streams and which operational measures are relevant should be documented before introducing the current use case.

Sensative operates with a clear understanding that the data is our customer’s property, with all that entails. Our IoT solution, Yggio, is developed according to “privacy by design,” and our processes are well documented. The relationship with our customers and partners is always based on mutual respect and trust.

Cloud hosting

The reasoning around national and international regulations is also interesting to relate to the Cloud Act and FISA 702. These US laws give US authorities such as the FBI and NSA a legal basis to collect any data delivered via US companies (also with the support of the US supplier who by law is prohibited from disclosing that this is happening or has taken place). This means that it is impossible to be compliant with the GDPR if you also use services from US suppliers.

Sensative’s IoT solution, Yggio, can be installed in any data center. All we need is a Dockers and Kubernetes environment. So if our customer wants to use AWS, Google, or Microsoft’s cloud services as the basis for their IT environment, it works well for us. However, when we deliver Yggio as a cloud service, which is the most common form of delivery, we have chosen to use data centers that do not fall within US jurisdiction. And we will continue to do so as long as the international regulations look the way they do to ensure our customer’s compliance with GDPR.

IoT data is personal data and must be handled accordingly!