1. GDPR and IoT: What do you need to know?
IoT Guildford Meetup
February 27th, Guildford
Michele Nati
Lead Technologist for Digital Trust
Digital Catapult, London
@michelenati
https://www.linkedin.com/in/michelenati/
2. Housekeeping
• Need to increase participation
• Reward participants, hosts and speakers
• Reputation-based ecosystem
• Community Engagement List (CEL)
• ERC20 token to build meetup-goers' reputation
5. What is GDPR?
A regulation on the processing of personal data in Europe, superseding the previous data protection regime (in the UK, the Data Protection Act 1998). It applies from 25 May 2018, after a two-year transition period.
Whose personal data: anyone in the EU (residence, not citizenship, is what counts)
Who has to comply: any organisation, wherever it is based, that processes the personal data of people in the EU
6. Personal Data – WTF?
According to GDPR: ‘Personal data’ means any information
relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person
IoT data are most likely personal
• If in doubt, be conservative!
7. Data Protection basics
Data Subject: the person whose data are collected and processed for the provisioning of a service
Data Controller: the entity that determines the purposes and means of the processing (whether the data are collected directly or acquired from other sources)
Data Processor: the entity that processes the data on behalf of the Controller in order to provide a service (a Controller that processes its own data is simply a Controller)
8. The Data Economy: The opportunity
• More companies are embracing digital transformation
• With more data used to:
• Improve Artificial Intelligence and Machine Learning algorithms
• Deliver more personalised services and attract new customers
• With IoT increasing the availability of data
• Much of it personal
10. GDPR: Transparency
Articles 12-14, Information notice
Information must be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language"
• Should avoid information fatigue
• Name the recipients of personal data
• Keep it up to date
11. IoT Challenges
Some concepts are difficult to convey
• Privacy policy complexity grows with automated decision-making
• Use a layered privacy policy
• Naming every recipient is rarely feasible; give detailed categories of recipients instead
• How do you keep this dynamic and personalised?
• Exceptions might exist
12. GDPR: Accountability
Articles 4(11) and 7, Consent
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Consent would not legitimise collection of data which is not necessary in relation…
Other legal bases: performance of a contract, legal obligation, legitimate interest
13. Consent requirements
Freely given
• Refusal must not block the provisioning of the service
• No "your data in exchange for a free app"
Specific
• Separate consent for different data, purposes and recipients
Informed
An unambiguous indication of wishes
• No pre-ticked boxes, no opt-out
Explicit consent
• Required for sensitive data (special categories)
Keep proof of consent; withdrawing consent must be as easy as giving it
14. How to manage consent: Solutions Landscape
• Consent Management Platforms
• PIMS (Personal Information Management Systems)
• Transparency tools (e.g., PDRs)
• Service provisioning / customer on-boarding
• Standards
15. IoT Challenges
• How to obtain consent through an IoT device?
• How to withdraw consent through an IoT device?
• How to keep consent up to date?
• E.g. triggering new sensors, collecting new data
• How to obtain consent in a shared space, or for shared devices (cars, home assistants)?
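The following is an added example, not code from the talk or from Digital Catapult, of how a device backend could keep consent specific, provable and withdrawable as slides 13 and 15 require. It assumes (my choices, not the talk's) an append-only, hash-chained event log per pseudonymous subject, consent granted per purpose and per data category, and the rule that a newly enabled sensor is not covered by earlier consent until the subject grants it.

```python
"""Purpose-bound consent ledger for an IoT device backend (added example).

Assumptions (not from the talk): consent is recorded as an append-only event
log; each event carries the hash of the previous one so the record can be
shown to be untampered; a withdrawal is a single event, as easy as a grant.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    ts: str               # ISO-8601 UTC timestamp
    subject: str          # pseudonymous subject identifier (assumed scheme)
    purpose: str          # specific purpose, e.g. "energy-analytics"
    categories: tuple     # data categories covered, e.g. ("temperature",)
    action: str           # "grant" or "withdraw"
    policy_version: str   # which privacy notice the subject saw
    prev_hash: str        # digest of the previous event (tamper-evident chain)


def digest(ev: ConsentEvent) -> str:
    return hashlib.sha256(json.dumps(asdict(ev), sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events: list = []

    def _append(self, subject, purpose, categories, action, policy_version, ts=None) -> str:
        if action not in ("grant", "withdraw"):
            raise ValueError(action)
        prev = digest(self.events[-1]) if self.events else self.GENESIS
        ev = ConsentEvent(ts or datetime.now(timezone.utc).isoformat(), subject, purpose,
                          tuple(sorted(categories)), action, policy_version, prev)
        self.events.append(ev)
        return digest(ev)  # the receipt the subject keeps as proof

    def grant(self, subject, purpose, categories, policy_version, ts=None) -> str:
        return self._append(subject, purpose, categories, "grant", policy_version, ts)

    def withdraw(self, subject, purpose, categories=(), ts=None) -> str:
        # Empty categories means: withdraw the whole purpose.
        return self._append(subject, purpose, categories, "withdraw", "", ts)

    def state(self, subject) -> dict:
        """Current consent, {purpose: set(categories)}, by replaying the log."""
        current: dict = {}
        for ev in self.events:
            if ev.subject != subject:
                continue
            cats = current.setdefault(ev.purpose, set())
            if ev.action == "grant":
                cats.update(ev.categories)
            elif ev.categories:
                cats.difference_update(ev.categories)
            else:
                cats.clear()
        return {p: c for p, c in current.items() if c}

    def is_permitted(self, subject, purpose, category) -> bool:
        return category in self.state(subject).get(purpose, set())

    def verify(self) -> bool:
        """True if every event's prev_hash matches the digest of its predecessor."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = digest(ev)
        return True


def demo() -> dict:
    """Constructed scenario: a firmware update enables a new sensor."""
    led = ConsentLedger()
    s, p = "subj-42", "energy-analytics"          # constructed identifiers
    led.grant(s, p, ["temperature", "power"], "v1", ts="2018-02-27T19:00:00+00:00")
    before = led.is_permitted(s, p, "humidity")    # new sensor: no consent yet
    led.grant(s, p, ["humidity"], "v2", ts="2018-03-01T09:00:00+00:00")
    after = led.is_permitted(s, p, "humidity")
    led.withdraw(s, p, ts="2018-03-02T09:00:00+00:00")
    return {"temperature_ok_initially": True, "humidity_before_new_consent": before,
            "humidity_after_new_consent": after,
            "temperature_after_withdrawal": led.is_permitted(s, p, "temperature"),
            "chain_intact": led.verify()}


def tampering_is_detected() -> bool:
    """Editing a recorded grant in place breaks the hash chain."""
    led = ConsentLedger()
    led.grant("subj-42", "marketing", ["email"], "v1", ts="2018-02-27T19:00:00+00:00")
    led.grant("subj-42", "marketing", ["location"], "v1", ts="2018-02-27T19:01:00+00:00")
    led.events[0] = replace(led.events[0], categories=("email", "location", "contacts"))
    return not led.verify()


if __name__ == "__main__":
    print(demo(), tampering_is_detected())
```

The point of the replay-based `state()` is that the current answer to "may we process humidity for energy analytics?" is always derived from the full history, so the record the subject holds (the digest returned by `grant`) and the record the organisation holds cannot silently drift apart; a withdrawal needs no more from the device than a single event.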
16. GDPR: Level of control
Articles 15-22, Rights of the data subject
The right to be informed -> provide an information notice
The right of access -> free of charge, within a month
The right to rectification -> within one month (extendable by two further months for complex requests)
The right to erasure -> some exceptions are possible
The right to restrict processing -> retain the information but stop processing it
The right to data portability -> free of charge, within a month, without hindrance
The right to object -> direct marketing (always), and research or legitimate-interest processing unless there are compelling legitimate grounds
Rights in relation to automated decision making and profiling
17. IoT Challenges
• Need to know all the collected data
• Be able to link data from different data
sources
• Track who you shared the data with
• Track and keep up to date retention
period
• Interoperable, machine-readable
formats
18. The risks for IoT
• Understand which data are personal
• You are most likely profiling your customers (tell them) - Article
• You are most likely combining data
• Do you know where these data come from and how you obtained them? (Consent)
• Is there a risk of de-anonymisation?
19. How to build Digital Trust
Measurable properties -> Trustworthiness -> Trust
- Transparency (Articles 12-14, Information notice)
- Accountability (Articles 4 and 7, Consent)
- Level of Control (Articles 15-22, Data erasure and portability)
21. The transparency risk
• Consumers are becoming savvy
• And demand trustworthy apps (33%), with simple privacy statements (source: MEF Consumer Trust Report 2017)
• While hidden business models and lack of transparency might hinder this growth
24. Consumers pain points
• Lie & Agree
• Takes too long to read and
understand
• Want to access the service
• (Often) No choice offered
• Agree & Forget
• Lack of record
• Difficult to retrieve
• Static information
• Lack of interaction
25. How to redesign Privacy Policies?
Problem Statement: How to increase consumers' trust and businesses' transparency by developing a GDPR-compliant solution that takes the user experience into account and helps reduce consumers' pain points and organisations' compliance burden related to the provisioning of digital services using personal data?
Personal Data Receipts (PDRs): a human-readable record summarising, simply and clearly, what personal data an organisation is collecting about an individual, for what purpose, how and for how long they are stored, and whether any third-party sharing is allowed.
26. Personal Data Receipts
• How it was built
• Multidisciplinary team: UX lead, Marketing expert, Tech Lead, Lawyer
• Customer-centric approach
• Transparency can be measured: ASK the customers
• The categories of data
• The purpose, including 3rd-party sharing
• The where, how and how long
• The contact details of the Data Controller
• What else consumers want
• Simple, non-technical, plain text
• Icons only as support
27. PDRs and GDPR compliance
• Articles 12-14, Information notice
• Use of icons and simple text to explain: what, how and for what purpose
• (could be personalised to target different demographic groups)
• Articles 4 and 7, Consent
• Includes data collected under consent
• Provides a record for both the individual and the organisation
• Articles 15-22, Data erasure and portability
• Provides a direct channel to the Data Controller's contact
• Educates businesses to discover their customers' data (in particular IoT and third parties) and simplifies cascade updates
• Privacy by Design and DPIA
28. PDRs: The benefits
For individuals ("Savvy consumers"):
• Privacy policies become human and simplified
• Tracking and controlling personal data sharing becomes simpler (and possible!!)
• Reassurance that data will not end up in the wrong hands becomes possible (3rd-party sharing highlighted)
Services and apps become more trustworthy, and more data are shared with more control
For organisations:
• Attitude to personal data becomes user-centric
• Opens a new personal communication channel with their users
Consumer trust increases and churn is avoided, while more data are accessed
29. Where PDRs are useful: Patient data collection
Flow: Visitor -> BMS website (data collected) -> BMS backend (PostgreSQL) -> response with booking confirmation -> new PDR generated -> Hospital/Imaging Centres
Data points for the PDR: Email, Full Name, DoB, Phone Number, Address, Post Code
Added possibility to manage individual rights
30. Want to know more?
• White paper available in March
• Recommendations and blueprint on
how integrate PDRs
• Templates for PDRs available
32. GDPR and AI Transparency
Article 4(4) & 22 - Automated decision making and profiling
A decision based solely on automated processing with legal or similarly significant effects is allowed only if it:
1. is authorised by law, such as in the case of fraud prevention or money laundering checks,
2. or is necessary for entering into or performing a contract,
3. or is based on the individual's explicit consent
This requires the controller to explain:
1. the use of such technologies;
2. the significance and envisaged consequences for the individual; and
3. "meaningful information about the logic involved"
This is a challenge not only for IoT data
33. AI: Transparency challenges
• Algorithms are becoming too complex
• In particular when using Deep Learning
• Not easy to explain to the general public
• Privacy policies are static and might need to evolve as the algorithms evolve or the subjects change (PDRs can help instead)
• You want to protect the IP of your model
• You can try to:
• Give access to the data you use as input
• Show how many other people get the same outcome as you; show fairness (lack of bias in training sets)
34. Be careful using AI
• Research?
• Be careful with anonymisation
• Personalised service?
• Ask for consent and maintain pseudonymity
• Want more efficiency? Combine more data?
• Be transparent, ask for consent, don't share
Always be transparent about the use of AI and ask for consent
35. The complexity of the AI ecosystem
• Individuals (Data Subjects)
• Algorithm Controllers (Data Controllers)
• Algorithm Executors (Data Processors)
• Algorithm Creators
38. Blockchain properties
• Transaction data are personal
• Anonymisation -> hashing is not anonymisation (a hash of a low-entropy identifier can be reversed by enumerating the inputs)
• Pseudonymisation -> keys and addresses are pseudonyms, not anonymous (they link every transaction of the same holder)
• Unpermissioned vs permissioned
• Decentralised network: who runs it?
• Append-only
• High redundancy of data
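To make the "hashing is not anonymisation" point concrete, here is an added example (mine, not from the talk) that reverses a SHA-256 hash of a phone number by simply enumerating the input space, then shows that a keyed hash (HMAC-SHA256) defeats that enumeration for anyone without the key but still lets the key holder re-identify the person, which is why the result is pseudonymous personal data, not anonymous data. The sample number space (UK-style 07700 00xxxx, 10,000 values), the number and the key are all constructed for the example.

```python
"""Hashing vs keyed pseudonymisation of a low-entropy identifier (added example).

Assumptions (not from the talk): the identifier space is tiny here (10^4) so the
example runs instantly; the full space of UK mobile numbers (about 10^10) is still
enumerable on commodity hardware, so the conclusion holds at real scale.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

PREFIX = "0770000"   # constructed: numbers of the form 07700 00xxxx
TAIL_DIGITS = 4


def sha256_hex(value: str) -> str:
    """What a naive 'anonymised' ledger would store."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_hex(value: str, key: bytes) -> str:
    """Keyed pseudonym: unlinkable to the input without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def enumerate_space():
    for tail in itertools.product("0123456789", repeat=TAIL_DIGITS):
        yield PREFIX + "".join(tail)


def find_preimage(target: str, func: Callable[[str], str]) -> Optional[str]:
    """Brute-force the input space; returns the identifier or None."""
    for candidate in enumerate_space():
        if hmac.compare_digest(func(candidate), target):
            return candidate
    return None


def reidentify_hash(target: str) -> Optional[str]:
    """Attacker with no secret: plain SHA-256 over the enumerated space."""
    return find_preimage(target, sha256_hex)


def reidentify_pseudonym(target: str, key: bytes) -> Optional[str]:
    """Key holder (the controller): HMAC over the same space succeeds."""
    return find_preimage(target, lambda v: hmac_hex(v, key))


def demo() -> dict:
    phone = "07700001234"            # constructed, not a real number
    published = sha256_hex(phone)    # stored on-chain as if "anonymised"
    key = b"\x01" * 32               # constructed; in practice held in a KMS/HSM off-chain
    pseudo = hmac_hex(phone, key)
    return {
        "plain_hash_reversed": reidentify_hash(published) == phone,
        "pseudonym_reversed_without_key": reidentify_hash(pseudo) is not None,
        "pseudonym_reversed_with_key": reidentify_pseudonym(pseudo, key) == phone,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences for the "GDPR compliance" questions that follow: an unkeyed hash of a name, e-mail, phone number or device ID on a public, append-only chain is personal data that can never be erased, and a keyed pseudonym is only as unlinkable as the key is secret, so the key belongs off-chain under the controller's control (destroying it is one way to render the on-chain pseudonyms unlinkable when erasure is requested).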
39. GDPR compliance
• Personal data
• What data to store?
• Jurisdiction
• Who is the data controller?
• Digital rights enforcement
• Minimisation?
• Erasure?
• Update? What does update mean on an append-only ledger?
• Access request? To whom?
• Possible solutions?
• Think about your network first
• Think about what you store
• Consider an off-chain data store: store consent on-chain, but consider the metadata carefully
40. Other things to consider
Data breaches
• Report to the supervisory authority within 72 hours of becoming aware (in the UK, to the ICO), unless the breach is unlikely to result in a risk to individuals
• Communicate to the data subjects when the breach is likely to result in a high risk to them
• Requires you to map your data (including processors)
Privacy by Design and DPIA
• Risk-based approach
• Can be difficult when both hardware and software are involved
• Lawyers, with the DPO and CIO
Data Retention
• Pre-determined, explicit
• For the duration of the service
• Needs frequent review
41. Get involved
• Resolve more tensions between consumers and businesses
• Risk of cybercrime
• Lack of control
• Fear of surveillance
• Identify achievable trustworthiness measures
• Stimulate debate, generate recommendations for the EU
• Co-create a DTRL (Digital Trust Readiness Level)
https://truessec.eu
42. Other resources – initiatives
IoT Mark: https://iotmark.wordpress.com
Recommendation and a mark for SMEs
IoTSF: https://iotsecurityfoundation.org
Focus on security of IoT systems
Tech Lawyer interpretation: http://www.gamingtechlaw.com
ICO recommendations: https://ico.org.uk/for-organisations/guide-
to-the-general-data-protection-regulation-gdpr/
Digital Catapult workshop:
https://www.eventbrite.co.uk/e/innovation-opportunity-of-the-gdpr-
for-ai-and-ml-workshop-registration-42793145450
43. EU Recommendations – Article 29 Working Party (WP29)
Article 29 WP on Consent:
https://iapp.org/media/pdf/resource_center/wp29_consent
-12-12-17.pdf
Article 29 WP on Transparency:
https://iapp.org/media/pdf/resource_center/wp29-
transparency-12-12-17.pdf
Article 29 WP on Data Portability:
https://iapp.org/media/pdf/resource_center/WP29-2017-
04-data-portability-guidance.pdf