Legal Aspects of the Internet of Things. Richard Kemp June 2017


LEGAL ASPECTS OF THE INTERNET OF THINGS

TABLE OF CONTENTS

A. INTRODUCTION
1. What is the Internet of Things?
2. Why is it so important?
3. How does the IoT fit into the 4th Industrial Revolution?

B. PRACTICAL IOT LEGAL ISSUES
4. Key practical IoT legal issues
5. Key privacy and security challenges to be addressed in the IoT

C. EU DATA PROTECTION LAW AND THE IOT
6. How does EU data protection law address these challenges?
7. Core IoT related definitions
8. How do the data protection principles apply to the IoT?
9. Legitimate processing
10. Fairly and lawfully
11. Purpose limitation
12. Data minimisation
13. Kept for no longer than is necessary
14. Processing of sensitive data
15. Transparency requirements
16. Security requirements
17. Data subjects' rights
18. Terminal equipment
19. What recommendations does the Opinion make?
20. Recommendations for all stakeholders
21. Recommendations for device manufacturers
22. How will the GDPR change things?

D. DIFFERENCES BETWEEN THE US AND EU APPROACHES
23. What are the key differences between the US and EU approaches to privacy in the Internet of Things?

E. CONCLUSION
24. Conclusion

A. INTRODUCTION

1. What is the Internet of Things?

Whilst there is still no formally accepted definition, the Internet of Things (IoT) is generally understood as everyday things, objects and devices that are connected to the Internet. The range of things is vast and increasing: watches, glasses and other wearables; health indicators; home automation like smart meters and connected lightbulbs, thermostats and fridges; right up to autonomous vehicles and connected cities. They include consumer-facing devices as well as B2B devices to assist in manufacturing and supply chain management, but generally don't include smartphones, tablets, laptops and other computers themselves. What links all these things is their connection to the Internet through sensors to record, process, store and transfer data, whether they communicate between themselves, with computers or with people.

2. Why is it so important?

In the early days of the PC, it was "chips with everything". Now, in the era of the fourth industrial revolution, it's chips and sensors with everything. Only a few years ago, there were more people in the world than things connected to the Internet. We're just towards the start of this trend, but on current estimates there are 25 billion things connected to the Internet at the moment and by 2020 this will rise to 50 billion. These new developments will bring enormous benefits to all of us in our daily lives as consumers, in everything from healthcare to the home to transportation and insurance. And there will be benefits in the future that we can't even begin to foresee at the moment. The rub is that much of the data that these connected devices generate and use will be personal data, and some of that will be highly sensitive. And it's really the issues about personal data and security that lie at the heart of the legal aspects of the Internet of Things.

3. How does the IoT fit into the 4th Industrial Revolution?

The fourth Industrial Revolution is a portmanteau term coined by Davos founder Klaus Schwab to describe the deep digital transformation of our lives that is just starting. These shifts cover everything from artificial intelligence and robotics to 3-D printing and ubiquitous computing. But many of them have at their heart the connected Internet of Things, whether it's wearables, the connected home, smart cities or driverless cars. All these changes centre on the cloud, big data and artificial intelligence. Cloud data centres are the engine room of the fourth Industrial Revolution. Volumes of digital data are currently doubling every 18 to 24 months, a bit like Moore's law for data. Machine learning is the core component of AI, and it works by crunching huge datasets to recognise patterns with increasing accuracy. Central to all these elements (the cloud, big data and AI) is the data produced by the sensors in the billions of devices that make up the IoT.

B. PRACTICAL IOT LEGAL ISSUES

4. Key practical IoT legal issues

For lawyers advising clients on projects related to the Internet of Things, there's a wide range of legal issues to be aware of. Commercially, the Internet of Things will give rise to new patterns of business and business ecosystems, and the contracts underpinning them will need lawyering. Particular sectors like healthcare and financial services, for example, are likely to develop their own rules touching on IoT and, at a more general level, consumer protection rules are also likely to be extended. But it's really in the areas of privacy, data protection and security that the most pressing legal issues arise. And there have been three reports over the last couple of years from government bodies on both sides of the Atlantic addressing practical legal issues around the Internet of Things in these areas.

First, in the EU, the Article 29 Working Party is an independent advisory body on data protection and privacy set up under the current data protection Directive 95/46. In September 2014, it published an Opinion on the Internet of Things (Working Paper 223) (the "Opinion").[1] The Opinion sets out the main issues, how the existing and future law should apply to the Internet of Things, and recommendations to stakeholders. Helpfully, it provides pointers looking ahead to May 2018, when the General Data Protection Regulation comes into force.

Secondly, in January 2015 the US Federal Trade Commission published a staff report on the Internet of Things called "Privacy and Security in the Connected World", which covers similar ground from the US perspective.[2]

Third, and most recently, NIST (the US National Institute of Standards and Technology) in November 2016 published a technical report from the engineering perspective on all aspects of security relating to the Internet of Things.[3]

[1] Article 29 Data Protection Working Party, Opinion 8/2014 on Recent Developments on the Internet of Things (14/EN WP 223), adopted as of 16 September 2014 - http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
[2] FTC Staff Report, Internet of Things: Privacy and Security in a Connected World (January 2015) - https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
[3] NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (November 2016) - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

5. Key privacy and security challenges to be addressed in the IoT

The privacy and security challenges that need to be addressed are clearly shown by a study from September 2016 by GPEN, the Global Privacy Enforcement Network, a grouping of national privacy authorities.[4] The report found that about two thirds of devices surveyed failed to explain adequately to customers how their personal information was collected, used, stored and disclosed. In particular, almost three quarters failed to show how it could be deleted off the device. And in just over one third of cases, the devices did not include easily accessible contact details if customers had privacy concerns. It's these failures to explain adequately and give notice that the regulators find particularly concerning.

The Opinion unpacks these issues into six particular challenges:

(a) first, what it calls lack of control and information asymmetry: where device connectedness results in personal data generation, storage and communication over which the user has no control;

(b) secondly, quality of user consent: the user's consent to the processing of data carried out by IoT devices must be informed, and the standard will rise when the GDPR comes in next year. In many cases the user will not be aware of the data processing carried out by a particular device, and in these cases consent cannot be relied on under EU law as it is not properly informed;

(c) third, secondary use and repurposing: where big data analysis techniques may lead to device data obtained for one purpose being used for a quite different purpose for which no consent has been given;

(d) next, aggregation of data from different devices may reveal specific aspects of individuals' habits, behaviours and preferences in an unduly intrusive manner;

(e) fifth, limitations on the possibility to remain anonymous when using services; and

(f) finally, security risks: physical constraints, for example balancing battery efficiency and device security, may lead to manufacturers reducing security (the implementation of confidentiality, integrity and availability measures) to reduce costs.

[4] GPEN Privacy Sweep, Internet of Things: Participating Authorities' Press Releases - https://www.privacyenforcement.net/node/717; see e.g. UK Information Commissioner's Office press release, "Privacy regulators study finds Internet of Things shortfalls" (22 September 2016) - https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/09/privacy-regulators-study-finds-internet-of-things-shortfalls/

C. EU DATA PROTECTION LAW AND THE IOT

6. How does EU data protection law address these challenges?

The Opinion confirms that EU data protection law applies to the Internet of Things and then applies these rules to the IoT world, looking at: core definitions [paragraph 7]; how the data protection principles apply to the Internet of Things [paragraphs 8 to 14]; transparency requirements [paragraph 15]; security requirements [paragraph 16]; data subject rights [paragraph 17]; and certain rules from the e-Privacy Directive about terminal equipment [paragraph 18].

7. Core IoT related definitions

The Opinion gives a broad definition to IoT devices as all objects that are used to collect and further process the individual's data in the context of the provision of services in the IoT. It states that EU data protection law will apply in respect of those devices even where the data controller is outside the European Union, provided that the device has been used within the EU.

Personal data is of course broadly information from which an individual may be identified, and the Opinion states that even data intended to be processed after the implementation of techniques like pseudonymisation may need to be considered as personal data because of the risks of re-identification: data from one device, aggregated with data from one or more others, may enable an individual to be identified even though that individual could not be identified from one device alone.

The Opinion provides a helpful discussion of the various stakeholders in IoT ecosystems and how they may qualify as data controllers, a core building block of EU data protection law, being a person who by himself or with others determines the purposes and means of processing personal data. So, device manufacturers, social media platforms, third-party application developers, data hosting providers and insurers may all be data controllers in using data generated by IoT devices for specific purposes that they determine.

Users of IoT devices will qualify as data subjects under EU law. An important point is that ownership of a particular IoT device is not a factor that is relevant as to whether someone is a data subject: the key thing is that if the device processes personal data, the individual concerned will be the data subject.

8. How do the data protection principles apply to the IoT?

Where an IoT stakeholder is a data controller, the Opinion calls out a number of specific obligations that apply. These correspond in the IoT world to compliance with the data protection principles.

9. Legitimate processing

The Opinion discusses the three ways set out in Article 7 of the Data Protection Directive[5] for processing personal data to be legitimate. Essentially, these are: that the data subject consented; that the processing is necessary for the performance of a contract to which the data subject is a party; and that the processing is necessary for the purposes of the legitimate interests of the data controller, except where inconsistent with the fundamental rights of the data subject.

Consent is a thorny issue in data protection terms, and getting thornier. The Information Commissioner's Office ("ICO"), the UK regulator, has recently consulted on its draft guidance on consent, and we await the finalised guidance. The draft guidance[6] notes that the GDPR[7] will set a high standard for consent. It means offering individuals genuine choice and control, and requires a positive opt-in and a very clear and specific evidenced statement of consent. Importantly, data controllers must make it easy for people to withdraw consent and tell them how. Relying on consent in the IoT context is therefore likely to become more difficult.

The second way is that the processing must be necessary for the performance of the contract. Here, "necessary" has tended to be interpreted narrowly and to require a direct and objective link between the processing itself and the purpose of expected contractual performance.

The third way is even more restrictive, and the Opinion refers to the Google Spain case[8] to say that economic interests are not by themselves legitimate interests.

[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046
[6] ICO Consultation, GDPR consent guidance (draft, March 2017) - https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119/1, 04.05.2016) - http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
[8] Judgment of the European Court of Justice (Grand Chamber), 13 May 2014, Case C-131/12.

10. Fairly and lawfully

Once the legitimate basis for the processing has been established, personal data should then be collected and processed consistently with the other data protection principles. This means data should be collected and processed fairly and lawfully: the individual should be aware that this is going on, for example.

11. Purpose limitation

The purpose limitation principle means that the data can only be collected for specified, explicit and legitimate purposes. These purposes must be defined before processing takes place, which in turn means that IoT stakeholders must have a good overview of their business case before they start collecting personal data.

12. Data minimisation

The personal data collected must be strictly necessary for the specific purpose concerned: the data minimisation principle. As the Opinion says (at page 16), data should not be collected and stored "just in case" or because it might be useful later.

13. Kept for no longer than is necessary

Finally, personal data should be kept for no longer than is necessary. This test must be met by each IoT stakeholder for their specific service. For example, the Opinion says (at page 17) that personal data communicated by a user when subscribing to a specific service on the IoT should be deleted as soon as the user ends the subscription. Similarly, account information deleted by the user should not be retained.

14. Processing of sensitive data

Sensitive data (about an individual's health, for example) is subject to a higher standard in the IoT as in other areas, effectively requiring the user's explicit consent.

15. Transparency requirements

Data controllers must meet certain transparency requirements: they must give notice to data users of the identity of the controller, the purposes of the processing, the recipients of the data and the existence of data users' rights.

16. Security requirements

As in other areas of data protection law, the controller must implement appropriate technical and organisational measures to protect personal data: they must keep the data secure. This means that any IoT stakeholder who is a data controller remains fully responsible for the security of the data processing. This is as much a technical as a legal issue. The US NIST paper on systems security engineering puts considerable reliance on an international standard, ISO 15288 on systems and software engineering.[9] It is likely that this standard will emerge as the benchmark for determining compliance in the IoT world with the data protection security requirement.

17. Data subjects' rights

IoT data controllers must respect the rights of the data subject in the same way as other data controllers. So, data subjects must be able to obtain details of the data that the controller holds about them. And data subjects must be able to withdraw consent previously given and to object to the processing of data relating to them.

[9] https://www.iso.org/standard/63711.html

18. Terminal equipment

Where an IoT stakeholder stores or accesses information already stored on an IoT device, that device will qualify as terminal equipment under the e-Privacy Directive.[10] There is a further requirement here for consent by the subscriber to that storage or access. This consent requirement primarily concerns the device manufacturer, but will also be relevant for anyone else who wants access to the aggregated raw data.

19. What recommendations does the Opinion make?

Having gone through the legal requirements, the Opinion then lists a number of recommendations to help data controllers in the IoT ecosystem comply with their legal obligations.

20. Recommendations for all stakeholders

The Opinion first makes a number of recommendations that apply to all stakeholders:

- privacy impact assessments[11] should be carried out before the launch of any new application;
- raw data should be deleted as soon as the data required for processing has been extracted;
- the principles of Privacy by Design and Privacy by Default should be applied. This means, as the names suggest, that data protection compliance should be baked in to the design of the product or service and that it should default to compliance with privacy rules;
- using the now fashionable tagline, data users and subjects should be "in control": they should be able to determine how their data is used;
- information about the processing should be given in a user-friendly manner; and
- consent must be explicit, informed and freely given, and users should have the opportunity to withdraw it.

21. Recommendations for device manufacturers

Device manufacturers should:

- give information to users about the types of data that are collected, the types of data the sensors receive and how they will be processed and combined;
- inform all stakeholders as soon as the data subject withdraws consent;
- disable wireless interfaces when not in use;
- provide tools to enable the editing of data locally before it is transferred to the data controller;
- give users a right of access to data and the ability to export data;
- notify users when security vulnerabilities are discovered;
- enable devices to distinguish between different users; and
- work with standardisation bodies to develop common protocols.

The Opinion makes (at pages 23 and 24) similar specific recommendations for other IoT ecosystem participants like application developers and social platforms.

[10] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML, as amended by Directive 2009/136/EC of 25 November 2009 - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF
[11] See for example ICO's code of practice, Conducting privacy impact assessments, February 2014 - https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

22. How will the GDPR change things?

When it comes in in May 2018, the GDPR will significantly broaden and deepen the range of obligations that data controllers must comply with. These apply in the IoT area as elsewhere. The Opinion has been helpful in looking ahead to when the GDPR is in force, particularly in stressing the need for a structured approach, as in the case of privacy impact assessments, privacy by design and privacy by default. However, the new requirements will make life more exacting in data protection terms for IoT participants. Importantly, data processors, who process personal data on the instructions of a data controller, are outside the net cast by the Data Protection Directive at the moment but inside it when the GDPR comes into force. This means that for the first time they will have a range of directly enforceable duties which they will need to comply with. IoT ecosystem participants will also need to be mindful of the risk of penalties for breach that could amount to 4% of worldwide turnover; tougher and more granular consent requirements, as we have seen; rules on data breach notification; profiling restrictions; and the right to be forgotten.

D. DIFFERENCES BETWEEN THE US AND EU APPROACHES

23. What are the key differences between the US and EU approaches to privacy in the Internet of Things?

Interestingly, as we have all got used, with Safe Harbor and the Privacy Shield, to the differences between US and EU privacy law, the EU Article 29 Working Party Opinion from 2014 and the US FTC IoT Staff Report from January 2015 have more things in common than things that separate them.

The FTC report was released against a backdrop of active prosecutions against IoT device makers for privacy and security breaches. It sets out a number of recommendations for device manufacturers, who should:

- adopt what the FTC calls a "security by design" approach;
- carry out a training and awareness campaign for employees to ensure that security is managed at all levels within the organisation;
- ensure that third party service providers are required to follow the same security standards; and
- adopt a "defence in depth" strategy for security risks, i.e. ensure that there are multiple layers of security to combat a particular risk.

E. CONCLUSION

24. Conclusion

The IoT will continue to be a top priority for regulators in the data protection and security areas. Compliance with the broadening and deepening requirements of data protection law will continue equally to be high on the agenda of all participants in the IoT ecosystem.

Richard Kemp
Kemp IT Law, London
June 2017
richard.kemp@kempitlaw.com