Another day, another story of a cyber breach hits the news. Recent reports suggest that Uber was one of the latest victims, with 2.7 million people in the UK being affected by a cyber attack that took place in 2016, says Steven Farmer of Pillsbury Law.
With the most significant overhaul of EU data protection laws scheduled to come into effect in May 2018, data protection stories look set to remain in the headlines. The new General Data Protection Regulation (GDPR) will have direct effect throughout the EU, and the UK Government has committed to retaining the law post-Brexit. The new law not only requires private organisations and public entities to report data breaches to regulators in most circumstances, but also empowers those regulators to issue significant fines where breaches occur.
What does the new law say?
The new law changes the existing legal framework and empowers regulators to issue fines of up to four percent of global corporate turnover or €20 million for each breach, whichever is greater. Organisations in the IoT space are particularly vulnerable given the amount of information collected, and the potential weakness in wireless technologies, which can be exploited by hackers.
Businesses in the IoT space should be aware of the following key points:
Accountability – crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work. For example, when developing an IoT product, a risk assessment will be required to review the sensitivity of the data collected and detect potential risks.
Consent – new rules will also be introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward. In addition, IoT products, which incorporate privacy settings, should, by default, be set on the most privacy-friendly setting, although users can be given the option to change these settings as part of an initial set-up process.
Enhanced rights for individuals – new rights will be introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, among others. The right to data portability empowers individuals to request that their data be transferred to a third party, likely a competitor, in a machine-readable form.
Privacy policies – fair processing notices will now need to be more detailed and providers of IoT products will need to ensure that policies are updated.
International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers will be expressly recognised for the first time and so should be considered as a transfer mechanism. Also, if the UK leaves the European Union without a “data-deal”, transfers of personal data between the UK and Europe may not be permitted unless safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
Breach notification – new rules requiring breach reporting to regulators within 72 […]
The post Preparing for the new EU data laws in the IoT space appeared first on IoT Now – How to run an IoT enabled business.
Read more here:: www.m2mnow.biz/feed/Posted on: December 26, 2017