How GDPR is impacting IoT

The General Data Protection Regulation (GDPR) is the EU's privacy regulation; it has applied, and been enforceable, since 25 May 2018. Its stricter rules on data control and processing make life more complicated for today's businesses. Why? Because you can safely assume that almost every business now depends on data in some way. It's all about data!

What is even worse? According to Gartner, the number of connected things will reach 20.4 billion by 2020, with consumer applications as the biggest segment. That is going to generate a huge amount of data every day, and much of it is personal data!

The IoT business is going to pick a big fight with GDPR. No doubt!

In today's #Gossipiece, we will briefly discuss GDPR and how it is impacting IoT businesses.

It’s a law you must follow!

EU Privacy History

Safe Harbor was a set of privacy principles agreed between the European Union and the United States in 2000. In 2015 the Court of Justice of the EU invalidated it because its protections were found to be insufficient. Since then, many organizations have relied on the successor Privacy Shield framework and on privacy agreements between the parties. These spell out privacy obligations and respective responsibilities, but they are agreements rather than laws, so there is no statute behind them for the consumer to invoke. With GDPR in force since 2018, there is finally something an EU data subject can use in court to protect their rights over their data.

Why must you comply? Because if you don't, the fine can be up to 20 million euros or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher.

Ranked No1 in Fortune 500

Do you know that Walmart's profit margin was only about 1.77% in 2018? A fine of 4% of turnover can exceed a whole year's profit for a thin-margin business, and for that calculation a multinational group is treated as a single undertaking, so the parent's worldwide turnover counts.

GDPR in a nutshell

GDPR structure

As the organization that collects data about people, you are the data controller. Your customers (individuals) or your employees are the data subjects. Anyone who processes that data on your behalf, whether an internal entity or a third party, is a data processor. Other companies, and even other countries (GDPR calls them third countries), can also be involved in the processing chain.

Data controller: the body which, alone or jointly with others, determines the purposes and means of processing personal data. The controller is responsible for:

  • Compliance (and being able to demonstrate it)
  • Informing data subjects (what data is collected, why, and for how long)
  • Implementing appropriate technical and organizational measures
  • Written agreements (contracts) with processors

Data processor: the body which processes personal data on behalf of the controller. Processors are engaged by the controller to obtain, analyze and store data on its behalf. They must:

  • Record their processing operations
  • Implement security measures
  • Inform the controller of any data breach without undue delay
  • Appoint a data protection officer (DPO) as required.

GDPR has 99 articles in total, grouped into 11 chapters that cover the following topics:

  • General Provisions
  • Principles
  • Rights of Data Subject
  • Controller & Processor
  • Transfers of personal data to third countries or international organizations
  • Independent Supervisory Authorities
  • Cooperation & consistency
  • Remedies, liability & penalties
  • Provisions relating to specific processing situations
  • Delegated acts and implementing acts
  • Final provisions

The full text is indexed by chapter and article, which makes it easy to navigate. The official website of GDPR is:

Core principles

Opt-in only: where you rely on consent as your lawful basis (Article 6 lists others, but consent is the usual one for consumer IoT), every data subject must actively give it, and the data controller must be able to prove that consent was given (Article 7(1)).

No soft opt-in: implied consent is no longer enough, and neither are disclaimers or pre-ticked boxes. Users must actively opt in.

Right to be forgotten: data subjects can withdraw consent at any time, and withdrawing must be as easy as giving it (Article 7(3)), which stops the controller and its processors from using the data. They can also demand erasure (Article 17), e.g. ask you to delete all their personal data from your platform, which in practice means the copies held by your processors as well.

How your IoT business gets impacted?

When it comes to laws… explaining every article would drive you insane. And you know what? Those articles are always arguable… That's why lawyers can defend their clients and turn black into white…

Court sketch: balabalabalabalaba…. and then, yep, a lot of attorney's fees

Let me give you an example from an IoT solution:

Nowadays, most IoT solutions are cloud-based… it may be worth reading my other #Gossipiece:

So a typical architecture of a cloud-based IoT solution looks like this:

IoT architecture in a cloud-based solution

Wherever you store and process the data needs to be compliant with all GDPR requirements. For example, Article 24 (responsibility of the controller) sets out what a data controller must do:

  • Implement appropriate technical and organizational measures, and be able to demonstrate that processing complies with the regulation (and review and update those measures as needed)
  • Take into account the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons
  • Implement appropriate data protection policies where that is proportionate to the processing activities
  • Adhere to an approved code of conduct (Article 40) or certification mechanism (Article 42), which may be used as evidence of compliance

A lot of work, huh? And that's just one article…

Don't forget that, if consent is your lawful basis, you have to ask the end consumer (data subject) to actively consent to handling the data from every new device they connect… terrible user experience!!! Oh, and I forgot to mention: the consumer has the right to ask you for a copy of their data and for information about how you process it (Article 15). You have to respond without undue delay and in any event within one month; for complex or numerous requests that can be extended by two further months, but you must tell the subject about the extension within the first month (Article 12(3)).
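As an added illustration (not code from the original post or from any particular IoT platform), here is a small, self-contained Python sketch of how a cloud IoT backend could implement the consent and request-handling points above: consent that is affirmative and provable, telemetry ingestion gated on live consent, an Article 15 export, an Article 17 erasure that cascades through the device-to-subject mapping, and the Article 12(3) response deadline. The in-memory store, the class and function names, and the sample subject "alice" with device "dev-1" are all assumptions for the example; a real deployment would sit on the platform's device registry and database, and what may be retained as evidence after an erasure is a legal decision, assumed here to be the withdrawn consent record only.

```python
"""Added example: consent ledger and data-subject request handling for a cloud IoT
backend. Constructed for illustration; not the original post's code. An in-memory
store stands in for the platform's device registry and database (assumption)."""
from __future__ import annotations

import calendar
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed sample timestamp used by the demo below.
EXAMPLE_TIME = datetime(2019, 1, 31, tzinfo=timezone.utc)


def add_months(dt: datetime, months: int) -> datetime:
    """Advance dt by whole calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: datetime, extended: bool = False) -> datetime:
    """Art. 12(3): reply within one month of receipt; two further months may be added for
    complex or numerous requests (the subject must be told within the first month)."""
    return add_months(received, 3 if extended else 1)


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    device_id: str
    purpose: str
    terms_version: str
    terms_hash: str                 # SHA-256 of the exact notice text the subject saw
    granted_at: datetime
    withdrawn_at: datetime | None = None


class IoTBackend:
    """Toy backend: device registry (device -> subject), consent ledger, per-device telemetry."""

    def __init__(self) -> None:
        self.devices: dict[str, str] = {}
        self.consents: list[ConsentRecord] = []
        self.telemetry: dict[str, list[tuple[datetime, dict]]] = {}

    def record_consent(self, subject_id: str, device_id: str, purpose: str, terms_text: str,
                       terms_version: str, opted_in: bool | None, now: datetime) -> ConsentRecord:
        """Register a device only on an affirmative opt-in, keeping enough to prove it later."""
        # No soft opt-in: an unticked, missing or pre-filled value is not consent, so refuse
        # rather than defaulting to True.
        if opted_in is not True:
            raise PermissionError("no affirmative opt-in; device not registered")
        rec = ConsentRecord(subject_id, device_id, purpose, terms_version,
                            hashlib.sha256(terms_text.encode("utf-8")).hexdigest(), now)
        self.consents.append(rec)
        self.devices[device_id] = subject_id
        return rec

    def active_consent(self, device_id: str, purpose: str) -> ConsentRecord | None:
        for rec in self.consents:
            if (rec.device_id, rec.purpose, rec.withdrawn_at) == (device_id, purpose, None):
                return rec
        return None

    def ingest(self, device_id: str, reading: dict, now: datetime) -> bool:
        """Store a reading only while consent for the 'telemetry' purpose is in force."""
        if self.active_consent(device_id, "telemetry") is None:
            return False            # the device may still send, but we must not keep its data
        self.telemetry.setdefault(device_id, []).append((now, reading))
        return True

    def withdraw_consent(self, subject_id: str, device_id: str, now: datetime) -> int:
        """Art. 7(3): withdrawal must be as easy as giving consent. Returns records withdrawn."""
        count = 0
        for i, rec in enumerate(self.consents):
            if (rec.subject_id, rec.device_id, rec.withdrawn_at) == (subject_id, device_id, None):
                self.consents[i] = replace(rec, withdrawn_at=now)
                count += 1
        return count

    def export_subject(self, subject_id: str) -> dict:
        """Art. 15 access request: everything held about one subject across all their devices."""
        device_ids = [d for d, s in self.devices.items() if s == subject_id]
        return {"devices": device_ids,
                "consents": [r for r in self.consents if r.subject_id == subject_id],
                "telemetry": {d: list(self.telemetry.get(d, [])) for d in device_ids}}

    def erase_subject(self, subject_id: str, now: datetime) -> dict:
        """Art. 17 erasure. Telemetry is keyed by device, not by person, so erasure must walk
        the device -> subject mapping; lose that mapping and the data becomes unfindable, not
        anonymous. Withdrawn consent records are kept as the only evidence (an assumption)."""
        device_ids = [d for d, s in self.devices.items() if s == subject_id]
        readings = 0
        for d in device_ids:
            self.withdraw_consent(subject_id, d, now)
            readings += len(self.telemetry.pop(d, []))
            del self.devices[d]
        return {"devices_removed": len(device_ids), "readings_removed": readings, "completed_at": now}


if __name__ == "__main__":
    b = IoTBackend()
    b.record_consent("alice", "dev-1", "telemetry", "Privacy notice v1 text", "v1", True, EXAMPLE_TIME)
    b.ingest("dev-1", {"temp_c": 21.5}, EXAMPLE_TIME)
    print("access export:", b.export_subject("alice"))
    print("reply due by:", response_deadline(EXAMPLE_TIME).date())      # 2019-02-28
    print("erasure:", b.erase_subject("alice", EXAMPLE_TIME))
    print("ingest after erasure accepted?", b.ingest("dev-1", {"temp_c": 22.0}, EXAMPLE_TIME))  # False
```

The two design points worth copying are that ingestion refuses data as soon as consent lapses, rather than relying on a later clean-up job, and that erasure is driven from the subject through the device registry, because device-keyed telemetry that can no longer be tied back to a person is not anonymous, just unerasable.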

Yep, this is the GDPR, and it is itself still evolving… I remember we had a fierce discussion during the Odyssey Hackathon in Groningen last year. How GDPR applies to blockchain technologies is still not clear (think of erasing data from an immutable ledger)…. good and bad news…


Data is the new oil of our age, and everyone wants yours. GDPR is a great initiative to protect our data from a legal perspective. However, it's far from enough…

When it comes to IoT… machines… autonomous cars… it's going to be an interesting game.

There is an interesting list of all the GDPR fines imposed so far… British Airways, you are number one: in July 2019 the UK ICO announced it intended to fine BA about £183 million, roughly 200 million euros, lol

More info on all the fines so far can be found here: