Internet of Things (IoT) companies and equipment manufacturers provide cutting edge products and services powered in no small part by Big Data. To protect their access to and use of valuable data, companies that handle data on European residents must take steps to comply with new privacy and data security regulations that come into force this year. US companies can be subject to the new regulation even if they have no physical presence in the EU.
The General Data Privacy Regulation (“GDPR”) becomes effective on May 25, 2018. Sanctions for breach of the GDPR are steep, and can be as much as four percent of global annual turnover or €20 million, whichever is higher. In this advisory, we highlight some key elements of the law, and discuss some of the important issues that companies should pay attention to when planning GDPR compliance. Companies are recommended to seek legal counsel to ensure they are fully complying with the new regulation.
GDPR applies to all businesses that process data of EU residents (called “data subjects”), even companies outside the EU. The definition of processing is broad, and includes most forms of handling or manipulating data. For GDPR to apply, processing activities should be related to the offering of goods or services, or monitoring of the behavior of individuals.
GDPR applies to personal data, which is similarly broadly defined. If a company collects information that refers to a specific person, GDPR will generally consider the information to be covered.
GDPR is replete with new compliance requirements that apply to the numerous ways in which companies collect, use, share, or sell data. The following is a non-exhaustive list of major compliance requirements that will impact IoT businesses in particular:
- Notice & Consent
Processing is only lawful when the EU resident gives consent, or for another purpose specifically permitted in the regulation, such as performance of a contract. GDPR also requires notice to the EU resident when personal data is collected, with specific required details including who is collecting the data and who will receive the data.
Why it matters: Today, IoT companies may not always obtain consent or provide notice before collecting information from device users. Some IoT devices passively collect data without user input. GDPR requires rethinking this dynamic.
- Data Breach Avoidance & Security
In cases of a data breach, companies must notify authorities within 72 hours. The notification must include information about the nature of the breach, communicate details on how to contact the company, describe the likely consequences of the breach, and describe measures being taken to mitigate possible adverse effects.
Why it matters: IoT companies should take steps to avoid data breaches to the extent possible. GDPR includes provisions that may require companies to build privacy into the defaults and design of products, to enforce security measures to protect personal data, and to appoint a data protection officer with oversight over privacy compliance.
GDPR describes a set of rights that EU residents have, and which companies must respect. These rights are:
- The right to access information held by a company about an individual.
- The right to rectification of inaccurate information.
- The right to erasure, also known as the right to be forgotten
- The right to restrict processing of data, for instance, when the processing is unlawful or the accuracy is contested.
- The right to data portability, allowing a person to receive their data and use it with another company.
- The right to object to how data is being used to profile or make decisions concerning the individual.
Why it matters: IoT companies, in consultation with counsel, may determine that compliance with GDPR requires developing user portals or other processes that provide data subjects with access to information, control over the information, and the right to contest the accuracy of information or automated decisions. IoT companies may also be required to develop standard formats and processes that facilitate data portability.
Where to begin?
IoT companies seeking to begin to comply with GDPR will be required to evaluate the data they collect, how they use that data, where it is stored, and the extent to which data subjects have access to the data. Working with legal counsel or a certified information privacy professional, companies can then identify gaps in their privacy practices, and determine how to fill the gaps before GDPR comes into effect in May.
If you have any questions about GDPR, attorneys at The CommLaw Group can help. Our team includes expertise in privacy matters as well as the Internet of Things. To learn more, please contact Ronald Quirk, IoT Attorney, at 703-714-1305 or firstname.lastname@example.org, Linda McReynolds, Certified Information Privacy Professional/United States, at 703-714-1318 or email@example.com, or Alexander Schneider, Certified Information Privacy Professional/United States, at 703-714-1328, or firstname.lastname@example.org.