The GDPR has been in force for little over one month now, and the confusion it has left in its wake appears to be unending. Every singly industrial sector is attempting to understand what the new data privacy regime spells for their corporate future and how best to initiate compliance with the numerous requirements it demands. However, in all the activity and flurry surrounding compliance mechanisms, there are many emerging technologies that appear to be overlooked.

Emerging technology is an umbrella terms used to describe essentially experimental technologies that have only been developed and launched within the last few years. These technologies are still being enhanced and researched. One popular example is the Internet-of-Things (IoT). As these are new techniques and methodologies, there is much debate about the application of the GDPR in these spheres and how compliance might look like when implemented in relation to them.

In this article, I’ll take a look at how the GDPR impacts the organization using IoT devices.

The IoT is a network of device connections enabled by the Internet. This means that devices interact with each other through an internet connection. Sometimes this interaction needs human input and sometimes, it can be automated. E.g.: Smart lights which can be controlled through a mobile app; or smart home which allows customers to control household appliances such as air conditioners with their mobiles.

The IOT is a revolutionary concept in the IT industry because of the widespread implications it has on day-to-day human living. It follows that the scale of impact would also raise issues of data privacy and protection.

The first point of contention lies in guaranteeing data security in the functioning of IoT devices. To be effective, these devices have to connect to the internet and access significant amounts of personal data such as locations, online identifiers, names, IP addresses, and so forth. All this information is being exchanged by many devices, which means multiple points of access. However, there is no methodology or measure currently available that can secure these data flows adequately. This issue exists for mobile phones as well, although to a more limited extent due to the immense focus and consumer demand for secured mobile devices. However, data getting captured through mobile is largely personal data and is voluminous so impact on the data subject could be very high.

The second point of contention arises from the GDPR’s consent requirement for the processing of personal data. Conditions for consent have been tightened under the new regulations. Now, to obtain consent organizations need active opt-ins through affirmative action. Anything otherwise would not amount to consent. Implementing this requirement to IoT devices has many experts befuddled. It is not feasible to seek consent for every processing operation done by every device because it would be impossible to account for each method in which data is being processed in such a network. This concern is further compounded by the restrictions imposed on the processing of children’s data. The GDPR has implemented age restrictions, which can also vary across member states.

The third point of contention comes from the requirement of data management and minimization. The GDPR requires organizations to be aware of what personal data they have and where it is located at all times. In addition, organizations should be aware of the access and permissions of this data, its usage, and its disclosure. The intent is to ensure that organizations are in complete control of all stages involved in their data processing operations, because this information has to be made available to data subjects and the concerned supervisory authority on request. IoT networks are vast with multiple connections and large data flows. In such circumstances, it becomes easy to lose track of information. It will be challenging for organizations to maintain records of data flows and monitor each one of them.

The fourth point of contention is introducing privacy by design and default in IoT devices. Organizations will have to ensure they anticipate all possible uses and risks for personal data processing from the inception, that is, the product design stage. Building privacy by default settings into IoT devices will also be challenging because they might undermine their flexibility and functionality.

The fifth and final point of contention pertains to third party access and third party applications. Take mobile phones. There are innumerable third party applications providing users with various services and functionalities. All these applications are processing user personal data. However, there appear to be no GDPR compliant safeguards built into these applications. Moreover, the opacity of their origin and operation makes it difficult for users to comprehend how these applications are processing users’ personal data.

Similarly, there are many emerging IoT devices such as smart watches, which rely on independent third party applications to provide functionality to their users. This remote access, however, is unregulated and unsecure, and in direct contravention of the GDPR. Despite knowing this, there is no solution available in the market as yet, which can aid in the successful compliance with GDPR requirements for these devices.

As IoT technology advances and even more devices, from household appliances to electronics, catch up to the functional diversity of mobile phones, the complexity of implementing GDPR requirements to these devices will only increase. This might appear an insurmountable challenge, but it is in actuality a rare opportunity for the IT industry to display its creative expertise in presenting path-breaking solutions that can augment both the use of IoT devices and ensure data protection.

If you are interested in knowing more about the Internet of Things and how GDPR’s requirements can be implemented to it, then check out our GDPR course (

Sandeep Arora

Advisory to CRIS

Co-founder & CEO, CyberImmersions Solutions

The ideas, view and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR compliance, please consult your attorney.