IAPP CIPT – GDPR for Cloud Service Providers (CSPs) Part 5

17. Advices for CSPs and Software providers

Hi, guys. Here are some advices for cloud service providers. Cloud service providers need to consider their positions urgently in light of the GDPR. They will have to update their standard contract terms, let’s say for compliance with GDPR requirements, bearing in mind that their role as a controller, processor or subprocessor will change depending on the situation, even for the same customer who may use the cloud service or different services in different ways for different purposes.

They will also need to devise a game plan for handling customers, whether controllers or processors who seek to amend their standard terms. Compliance may be difficult for smaller providers with little negotiating power. An extra complication is also that cloud service providers may be treated as processors under the GDPR, even if unaware data, or even if they are unaware of data processed using their services constitute personal data. Therefore, cloud services providers will need to review their pricing and service structures as well as their standard terms, vendor partner terms, and their vendor procurement or management processes.

In addition, cloud service providers should consider to what extent and how they can update their systems and processes in order to comply with the new GDPR regulation and also with the new GDPR contractual obligations such as deleting personal data post termination, providing assistance to customers, whether extra fees can be charged for such assistance and if so, how much, how to handle any law enforcement demands to personal data, and so on and so forth.

Some advice is for software providers. Well, traditional software providers may have less stringent requirements, especially if they are not considered a data controller, a processor, or a subprocessor, which will be defined by the type of environment they are selling their software into. I mean, it’s a public cloud or on premises or partner managed, et cetera. Nonetheless, traditional archiving security and data protection software solutions will be an important piece of the GDPR puzzle, which will result in a new wave of customer inquiry and consideration for these solutions. First and foremost, software providers should ensure that their solutions and platforms can meet all these GDPR requirements.

If a solution is missing data deletion, reporting, encryption or protection capabilities necessary for compliance, vendors should ensure they are partnering or developing new tools to fill in these gaps. Although some software providers may not be legally bound as a data controller or a subprocessor, any guarantees or assurances that can be provided contractually to their customers may help or may make the difference between one vendor and its peers.

Finally, I advise that software’s providers be ready to discuss their customers processes and technology requirements regarding GDPR. Being able to handle customers classify their data management and compliance policies as well as their technology needs, will demonstrate maturity to these customers and ensure a more effective partnership and relationship on the long term.

18. GDPR and IoT approach

Hi guys. On top of the GDPR, there is another legal framework which is called Eprivacy regulation. This regulation concerns all electronic communications. The European Parliament has approved the text and now it’s up to member states to take their positions and the European Commission to finalize along with the member states. While many people talk about the episode privacy regulation from the perspective of the web and we can say about cookies, email or any other electronic communication channels which we all know, we previously pointed out that Eprivacy regulation text also clearly mentions new electronic communication channels. This includes instant messaging apps and tools like Snapchat or Facebook Messenger. However, it also clearly mentions the Internet of Things or Iota.

As we said before, the principle of confidentiality should apply to current or future means of communication and this includes the Internet of Things. Moreover, the draft text says that it’s needed to have specific safeguards in machine to machine communications in particular sectors, so expect more to come in the near future. While not all Internet of Things use cases are about personal data, certainly in the industrial Internet of Things or Eliot, it is clear that many other use cases are. We also need to point out that from an Internet of Things spending perspective, the consumer IoT where the portion of data aspect is omnipresent, is expected to grow faster in the Western Europe.

Going back to the GDPR, here are some things you must know in order to be compliant. If you use the Internet of Things, the GDPR manages a range of Identifiers, such as online Identifiers, and this explicitly include radio frequency identification or RFID tags. Moreover, that list of online Identifiers is not exhaustive. Internet of Things use cases are always about data, so it’s important to see where exactly personal data is used, as the Internet of Things is part of a larger information and data reality. With many processes, this must be looked upon in a holistic way, as is the case for all GDPR strategies. Really, you can’t uncouple the Internet of Things, which is already a vast reality from related technologies and the many areas, processes, use cases, organizational aspects and so forth in a GDPR context and beyond. However, at the same time you also need to look at the specifics.

So analyze the specific risks of the Internet of Things from both GDPR and Eprivacy regulation in terms of breaches risks on one hand and also loss and theft of personal data risk on the other hand. Once you know where personal data comes into play, you have to look at your IoT project. This seems obvious, but in IoT there are many components that can pose a security risk and are often not seen or understood well enough by it.

There is no room or time for assumptions. In this regard, IoT is different and not everyone leveraging it is equally aware of security aspects, to put it mildly. Although the Internet of Things still really is in its early days. There are already different areas where personal data is leveraged in the context of the digital transformation of healthcare. For example, there is a rapid growth of wearables and connected medical devices that enable remote health monitoring. More and more we’ll see wearables being used by healthcare payers too. Health care data are extremely sensitive data also in the scope of the GDPR. So connected vehicles are also growing IoT use case here as well.

Data which can be traced back to an individual need to be looked at. Then there is smart metering whereby personal data on household energy consumption patterns is also leveraged. Finally, from the consumer IoT perspective, we see the fastest growing use case from an IoT spending perspective is in the smart home applications. Needless to say that here as well data can be added.

19. There is far more in this space

Hi guys. The overarching message is to make sure that your IoT plans and projects are certainly included in both your GDPR compliance strategies and the future ways in which you plan to leverage the IoT. From the privacy and confidentiality perspective of the Eprivacy regulation context, you won’t be able to do that alone and need help from It security, legal and expert partners. Yet at the same time, you also need to look really well at the specific risks in IoT deployments and setups that some might be less known even by It. The GDPR awareness stage is an important part of any GDPR compliance process with the IoT. You need to take the various IoT technologies into account.

It goes without saying that there are several elements which need to be thoroughly understood and followed, including one, existing IoT vulnerabilities and types of attacks. Two, the security initiatives which are taken in the IoT industry, including existing frameworks as we have them in industrial IoT security and in frameworks initiatives of numerous vendors, standard bodies and associations. And number three is the practices and initiatives of your partners. This of course mainly goes for the types of technologies and vendors you want or need for your IoT project.

You probably don’t want to know that the Zwave Alliance, mainly used for smart home applications, has a new security framework if you are deploying a farming or agriculture project and cattle doesn’t fall under the category of data subjects in the GDPR or are doing something in the industry 40 for example, and the Internet robotic things. IoT device management is another important element, as is real time IoT device monitoring, something that is rarely done. Last but not least, if you plan an IoT project, do know that there are IoT platforms that deal with security and that there is also such a thing as IoT managed security services. Both are mainly used in larger projects and industrial internet type of use cases, but not exclusive. So do check the market as new players join and will join as other IoT platforms vendors also come up with new features. As we said previously, the overall managed security service providers or NSSP market is growing really, really.

20. GDPR requirements in an IoT context

Hi guys. We’ll discuss now about some aspects of the GDPR which are relevant but not always clear in an IoT context. First, IoT and data Protection Impact Assessments under GDPR something that is often overlooked is the importance of data protection impact assessments, or DPI, and the scope of IoT under GDPR. GDPR has very specific rules with regards to when such a data protection impact assessment is needed. These are especially required when a new specific type of personal data processing which could lead to a high risk from the data subject rights and freedoms perspective, and also especially when new technologies are involved.

So guess what? The WP 29 guidelines on the requirement of the DPI mentioned as examples well, indeed, it’s IoT applications. If personal data are processed using IoT, it’s already best to check whether you need a DPI as the innovative use for applying new technological or organizational solutions. This is one of the nine criterias which are recommended to use in order to see whether the need for a DPI A will be likely. Number two IoT data Breaches and the reporting duty. The regulation is really, really clear data breaches need to be reported if personal data are involved and under specific conditions, which is called Personal Data Breach Notification. And we discussed about that in my full GDPR course. Needless to say, that certainly with a bunch of IoT consumer devices which sometimes are hackable as hell, we are far from the possibility to do so.

In the second, whether you use consumer IoT devices and data in your consumer oriented business or have IoT use cases in an industrial internet context whereby personal data is leveraged, for example, healthcare, including with other types of connected devices, make sure the full solutions, including those devices connectivity. And here there are loads of specific IoT connectivity solutions, from the short range ones, such as, let’s say, Zigbee, or those used in smart home apps, to the many wireless ones in a long range context such as LPWA technologies.

Look at the platforms, look at cloud, and so on. These are all integrated in a secure environment with security controls and policies on the level of these various IoT components and an ability to report as the General Data Protection Regulation requires. So take the reporting into consideration. These levels also include data and information streams further along the road. Number Three IoT and the Challenge of Consent and Lawful Processing A major aspect of the GDPR are the so called legal grounds for lawfully processing personal data.

One of them is called consent, and we already discussed that consent in detail in the full GDPR course. In several IoT applications. Where consent is used, it might even need to be explicit consent. However, it is key to see what is the best legal ground for lawful processing, as consent will certainly not always be the path to follow. So how do you do that in practice when you have an IoT use case whereby personal data of European Union citizens are involved. You get the picture. So not easy at all depending on context and use case. Even on the level of giving consent to a company with a basic personal fitness rate or an application, it’s already hard. Imagine more sophisticated use cases. Well, there is no general advice to give as it is, so much depends on the use case.

You will have to think about the where, when and how you get that consent or which other legal ground is a better fit. In some cases it will be mainly a matter of additional clauses in contracts, for example telematics in insurance or smart metering in contracts with utility firms. In others it will be harder, for example, in store retail applications and most certainly the use of the IoT for marketing purposes. Fortunately, although the GDPR clearly raised the bar with regards to consent, as said, there are other grounds for lawful processing, so make sure you check those out as well. Several might fit in the scope of your IoT project depending on purpose, types of personal data and even other more factors.

Number four other Internet of Things GDPR focus areas well, there are two main areas where we see challenges to address. Others include the specific regulations regarding the processing of personal data, regarding children ample of IoT toys nowadays, the rights of erasure, aka the rights to be forgotten and the right of access to personal data. However, the latter is part of the post consent stages further down the road where we would typically look at it from the data security enterprise information management which are policies, storage or all forms of processing governance for example, etc. Etc. And also from the big data.

21. Robots, AI, IoT and BigData

Hi guys. Let’s talk about robots, artificial intelligence, IoT and big data. There are more regulations coming and we speak about consequences and duties and there could be more coming in the European Union and outside. The calls for regulations in the connected digital economy is really louder. IoT security will become a core focus for both enterprises and providers and will be part of every deployment discussion as well as coming into the rudder for regulators. It is clear that Big Data, the Internet of things, robots and artificial intelligence are all connected. This is both the case in industry 40 and to a certain extent in the growing market of robots for rather personal utilization. No matter how you look at it, you need to start looking at regulations, privacy, data breach, liabilities and compliance and security.

Right now the GDPR and also the Eprivacy regulation are just few reasons. And each day I am really amazed when we talk with professionals in information management and other industries who say they are shocked to see how many organizations are even in the early stages of awareness and preparation, although it’s a big task with big consequences if not done. And it needs to be done not just for the funds but also for the market, although we are certainly not among those who believe everything needs to be regulated and do understand other realities.

But with IoT the stakes are too high. From a security perspective and even beyond. IoT requires trust and keep that in mind. IoT equals trust. The adoption of IoT, both among consumers and organizations is related with trust. Trust regarding security, trust regarding transparency in data usage, clear information and so on and so forth. 39% of European consumers said they completely disagreed with the fact that IoT manufacturers provide sufficient information about the data and information they collect. So another 42% somewhat disagreed.

In other words, that’s not good. Well, one of the fundamentals of the GDPR is that data subjects, which are people, need to clearly give consent, not in legalese or weird ways, no, it’s clear, visible and so forth. And at all times they have the right to know the what, who and why of the processing of their personal data. There is another research and there are plenty of researches summarized even on the website of ICO and conducted by 25 data protection regulators worldwide, coordinated by the Global Privacy Enforcement Network.

The privacy sweep in IoT, among others, showed that, and I’m quoting 59% of devices failed to adequately explain to customers how their personal information was collected, used and disclosed. 68% failed to properly explain how information was stored and 72% didn’t explain consumers how to delete their data off the device. Among the devices that were checked, there are smart electricity meters, there are smart thermostats and hurt moistures. Some medical devices turned out to send data to physicians via unencrypted mail.

Let’s talk about regulations as an IoT market and the trust driver. So at the same time, it’s an opportunity and even a must, as without security there is no internet of things. Do we expect more regulation also outside of the European context, for specific industries where personal data and security are already key? For example, finance.

And do expect more regulations in the connected space of robotics, artificial intelligence, IoT and so forth in other regions as well. This is your new reality. A lack of attention for security and personal data won’t be tolerated as the stakes grow and risks increase and the consequences will be big. In many cases you’ll need people who are very familiar with the specific risks regarding IoT and related technologies. And also you need experts in compliance regulations and security when making a solid IoT deployment women case. And you need to do it from the very beginning.

• Category: Uncategorized