The future of the Internet of Things in the wake of the General Data Protection Regulation

Abstract

With the General Data Protection Regulation (GDPR) soon coming into force, today’s internet business models face a question mark over their management of data opportunities. Internet of Things (IoT) adopters will have to think even more carefully as they evolve any monetisation models that could target or inadvertently create personally identifiable information (PII). ‘Things’ are sensors or actuators, monitoring or operating upon the real world, mostly passively collecting data or changing the state of systems based on sensed data changes. As the IoT evolves, the automated sharing of such data will be required for efficient deployment and operation. So where does the new GDPR principle of accountability stand in a world of billions of devices autonomously conversing and sharing information? How do we approach the other nine existing, and strengthened, principles of the Data Protection Directive 95/46/EC that the GDPR represents when the new fines are so high and individuals have new judicial rights over the use of ‘their data’? If one is to execute one’s accountability role properly, it is essential to understand the underlying technology of the IoT and how it operates. In addition, corporate reorganisation to inculcate a duty of care towards PII across the organisation may be the only truly viable way forward for large-scale data processing.