Happy birthday GDPR: IoT impact and practical tips for compliance
With the GDPR now in its third year, compliance with the EU data privacy regulation is still a significant issue for organizations to tackle, especially when it comes to the Internet of Things (IoT).
Additionally, with remote work currently being the norm and the subsequent mass integration of personal devices into organizational networks, shadow IoT will be widely deployed by individuals in the enterprise. The upcoming physical return to the office is also set to bring the influx of IoT devices that may be installed on networks as part of new COVID-19 workplace compliance policies.
Digital transformation has led to an explosive increase of these connected devices. But while they present great opportunities to improve business productivity and increase connectivity, they also present novel challenges for data protection and GDPR compliance. Some of these devices (e.g., medical devices) may collect large quantities of personal data that needs to be protected and is subject to the GDPR.
GDPR Privacy by Design
GDPR’s Privacy by Design and security design focuses on IoT manufacturers and compliance within the design of the device itself. In addition, all IoT service providers and manufacturers within the UK must comply with the following principles, which are outlined in the Code of Practice for Consumer IoT Security:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep IoT software updated
- Securely store credentials and security-sensitive data
- Communicate securely, i.e., remote management and control traffic must be encrypted
- Minimize exposed attack surfaces via the principle of least privilege
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy to delete consumer data
- Make installation and maintenance of devices easy
- Validate input data
However, these guidelines put the burden on the manufacturer of the IoT device. What can enterprises do themselves to comply with GDPR? Many of the same principles above apply.
Uncovering data protection blind spots
Organizations need to address data protection blind spots today, to ensure reasonable security to protect consumers’ private data and meet a minimum level of cybersecurity.
Most data security standards ask organizations to ensure their technology is secure and up to date, yet this is a challenge for most. Although they are a critical part of business operations, connected devices vary widely and often run outdated systems. Their scale and diversity, together with their capacity for network connectivity, introduce risk – every single device is a potential attack vector and must be secured against cyberattacks and potential vulnerabilities.
To minimize these risks and meet GDPR data compliance and regulation thresholds, it’s essential that organizations develop a comprehensive approach to securing all devices. These include:
- Discover and inventory every device: Making sure you know and can profile every IoT device in your network is the very first step towards security
- Understand risks and personal data that may be compromised: To comply with GDPR, it is important to understand whether a device is at risk of a data breach (e.g., it runs an outdated operating system, accepts weak passwords or certificates, or stores PII on the device itself)
- Understand what the device is doing in the network: Baselining and understanding device communications patterns helps you understand where personal data might be processed or stored. For example, while a medical device may have PII within the device itself, an IP camera that is communicating to a server in the cloud might have data in the cloud
- Monitor for anomalous communications: This best practice is about identifying a potential compromise that has already occurred such as communications to a malicious domain so you can stop a data breach in process
- Segmentation for vulnerable devices: Real-time discovery, monitoring, and behavioral analytics are the first step. Security teams can also use AI and automation to proactively segment vulnerable IoT devices on existing infrastructure; this gives devices the access they need while limiting exposure to cybersecurity attacks and potential data protection breaches.
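The five steps above can be chained into a single, small workflow. The following Python script is an added example, not code from the original post or from any product it describes: it assesses a constructed device inventory for breach risk and GDPR scope, learns a per-device baseline of destinations from a learning window of constructed flow records, flags live flows that reach a blocklisted domain or a destination never seen in the baseline, and turns the findings into a segmentation decision per device. All device names, domains, attributes and the blocklist are hypothetical values constructed for the example.

```python
from collections import defaultdict

# Constructed device inventory (hypothetical devices and attributes, not real data).
#   eol_os        : operating system no longer receiving security updates
#   default_creds : device still accepts its factory password
#   holds_pii     : personal data is stored on the device itself (GDPR in scope)
INVENTORY = {
    "cam-01":   {"type": "ip-camera",       "eol_os": False, "default_creds": True,  "holds_pii": False},
    "infus-07": {"type": "infusion-pump",   "eol_os": True,  "default_creds": False, "holds_pii": True},
    "hvac-02":  {"type": "hvac-controller", "eol_os": False, "default_creds": False, "holds_pii": False},
    "badge-03": {"type": "badge-reader",    "eol_os": False, "default_creds": False, "holds_pii": True},
}

# Constructed blocklist of domains the organisation treats as malicious (placeholder name).
BLOCKLIST = {"bad-example.invalid"}

# Constructed flow records: (device_id, destination, window). "baseline" flows come
# from the learning window; "live" flows are evaluated against the learned baseline.
FLOWS = [
    ("cam-01",   "video-cloud.example.net", "baseline"),
    ("infus-07", "ehr.internal.example",    "baseline"),
    ("hvac-02",  "bms.internal.example",    "baseline"),
    ("badge-03", "access.internal.example", "baseline"),
    ("cam-01",   "video-cloud.example.net", "live"),
    ("cam-01",   "bad-example.invalid",     "live"),  # contact with a blocklisted domain
    ("infus-07", "ehr.internal.example",    "live"),
    ("hvac-02",  "update.vendor.example",   "live"),  # destination absent from the baseline
    ("badge-03", "access.internal.example", "live"),
]


def assess_inventory(inventory):
    """Step 2: per device, record whether it is at risk of a breach and whether
    personal data on it brings it into GDPR scope."""
    findings = {}
    for dev_id, attrs in inventory.items():
        reasons = []
        if attrs["eol_os"]:
            reasons.append("outdated operating system")
        if attrs["default_creds"]:
            reasons.append("default credentials accepted")
        findings[dev_id] = {
            "gdpr_scope": attrs["holds_pii"],
            "at_risk": bool(reasons),
            "reasons": reasons,
        }
    return findings


def build_baseline(flows):
    """Step 3: learn the set of destinations each device normally talks to."""
    baseline = defaultdict(set)
    for dev_id, dest, window in flows:
        if window == "baseline":
            baseline[dev_id].add(dest)
    return baseline


def detect_anomalies(flows, baseline, blocklist):
    """Step 4: flag live flows to a blocklisted domain (possible breach in
    progress) or to a destination the device has never contacted before."""
    alerts = []
    for dev_id, dest, window in flows:
        if window != "live":
            continue
        if dest in blocklist:
            alerts.append((dev_id, dest, "blocklisted-destination"))
        elif dest not in baseline.get(dev_id, set()):
            alerts.append((dev_id, dest, "new-destination"))
    return alerts


def segmentation_plan(findings, alerts):
    """Step 5: choose a segmentation action per device. A blocklist hit is
    treated as an active compromise and isolated; a vulnerable device is
    restricted to its known-good destinations; an unexplained new destination
    is queued for review; everything else keeps its current access."""
    blocklisted = {d for d, _, reason in alerts if reason == "blocklisted-destination"}
    new_dest = {d for d, _, reason in alerts if reason == "new-destination"}
    plan = {}
    for dev_id, f in findings.items():
        if dev_id in blocklisted:
            plan[dev_id] = "isolate"
        elif f["at_risk"]:
            plan[dev_id] = "restrict"
        elif dev_id in new_dest:
            plan[dev_id] = "review"
        else:
            plan[dev_id] = "allow"
    return plan


if __name__ == "__main__":
    findings = assess_inventory(INVENTORY)
    baseline = build_baseline(FLOWS)
    alerts = detect_anomalies(FLOWS, baseline, BLOCKLIST)
    for dev_id, action in segmentation_plan(findings, alerts).items():
        f = findings[dev_id]
        print(f"{dev_id:9} gdpr_scope={f['gdpr_scope']!s:5} risk={f['reasons']} -> {action}")
    for alert in alerts:
        print("ALERT", alert)
```

In this run the camera is isolated because it contacted the blocklisted domain, the infusion pump (outdated OS, holds PII) is restricted to its baseline destinations, the HVAC controller's unexplained new destination is queued for review, and the badge reader keeps its access. In a real deployment the inventory would come from the discovery tooling and the flows from network telemetry; the baseline window should be long enough to cover legitimate periodic traffic such as vendor update checks, otherwise step 4 produces noise.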
By leveraging automation and the right tools, security teams can increase visibility into IoT risks, identify devices that are subject to GDPR and protect them against potential data breaches.
Let’s celebrate GDPR’s anniversary as a reminder of best practices needed for data and connected devices.