10 Ways GDPR Will Affect Engineers, Part 2
Jul 20, 2018
by Agam Shah Associate Editor at Mechanical Engineering magazine
Part 1 looked at some of the challenges GDPR poses to engineering and manufacturing companies that design and produce smart devices. This part of the story takes a closer look at the impact GDPR has on the Internet of Things, smart cities, and security.
4) Smart Devices Might Have to Be Less Smart
Smart devices, especially those used in the home, can amass huge amounts of data that does not, on its own, name anyone. But combined, that data can make an individual identifiable, or build a comprehensive picture of what a person's home life is like, which is what makes it personal data under GDPR.
"The key challenge with this will be assessing the extent to which this information is personal data and then ensuring that the appropriate safeguards are in place in relation to it," the lawyers say.
When making hardware and software changes in engineering projects, ask these questions: Is the personal data kept secure? How can you provide transparent information to individuals? What is the personal data being used for and do you have a legal basis for each use?
These are all questions GDPR requires organizations to ask and answer when personal data is collected.
5) Plugging Security Holes, Especially in IoT
Multiple security steps need to be taken to mitigate risk, especially with IoT systems deployed in critical infrastructure and industrial systems. Security assessments need to be conducted, and it’s important to understand who is responsible for managing risks in automation and IoT.
"Given the poor state of IoT security, if data breaches occur, worker personal data could also be implicated. The quick data breach notification requirements in GDPR -- to report within 72 hours to authorities -- may pose practical strains for assessing the scale, nature and impact of breaches for distributed, interdependent systems," says the University of Edinburgh's Lachlan Urquhart, a lecturer in technology law.
Risk can be mitigated by managing data (often user information) effectively across supply chains and manufactured products. Also, budget to patch and manage legacy IoT systems and networks of devices like PLCs that may be vulnerable to attack.
6) Smart City Challenges
IoT is key in smart cities, but GDPR challenges could emerge. The lines between consent and the "right to be forgotten" blur in smart cities where devices track movement, or in retail spaces and intelligent public displays that deliver advertisements to passers-by.
"User interactions with devices may be transient as they walk past, so data management needs to reflect this,” Urquhart says. “Implementing the right to be forgotten could be one challenge, but a bigger one is the legal basis for collecting data in the first place."
Explicit consent is generally needed when more sensitive data -- like biometrics or health information -- is collected. "Redesigning consent mechanisms for public space IoT may involve finding creative ways to use affordances of smart technologies to communicate with users -- for example, gesture recognition -- or even using icons, as GDPR suggests," Urquhart says.
7) Data Portability
A lot of personal data is stored in the cloud, but users have limited access to it. GDPR gives users enforceable rights to more control over that data. An interesting design challenge in GDPR is implementing the right to data portability for IoT.
Under GDPR, users have a right to receive their data from a data controller in a structured, commonly used, machine-readable format -- much like the archive of personal data Facebook provides to users -- and to have it transmitted to another controller of their choosing.
“In response, personal information management systems can help, as users decide who can access data, why, and for how long,” Urquhart says. “New edge computing architectures are emerging where privacy engineers prioritise usability and user rights.”
One project called Databox brings analysis to the local data, as opposed to centralizing it in the cloud. It was built with GDPR compliance in mind, and addresses concerns like accountability of data processing to users and reducing the need for international data transfer.
8) Think Beyond Borders
GDPR is EU law, but its reach is not limited to EU companies: a U.S. company that offers products or services to EU customers, or monitors their behaviour, falls within its scope and needs to think carefully about how its devices capture personal data. Companies like Siemens and Starfish Medical have policies in place to apply GDPR on a worldwide basis, since customizing specialized devices for individual markets can be an expensive proposition.
9) Train Employees in GDPR
Every employee needs to be aware of how to handle personal data and the policies and procedures to ensure compliance with GDPR's accountability principle.
“An organization’s employees are really the key to ensuring ongoing compliance, so their training and engagement is of paramount importance,” the lawyers at Womble Bond Dickinson say.
10) Pathway for New Technologies
GDPR could pave a path for the implementation of new technologies like blockchain, so that users get a full view of how their data is being used. This could be tied into other blockchain-driven systems implemented by companies like Syncfab that are putting idle factories to work.