Published by Anna Aniela Łukasik. Modified over 5 years ago.
SmartM2M; Teaching material; Part 2: IoT Privacy
STF 547 Task 3.2 V0.1.7
Content
- Learning Objectives
- Part 1: What is Privacy?
- Part 2: Privacy in the context of IoT
- Part 3: What are the risks associated with privacy?
- Part 4: How to Protect from Privacy Risks?
- Conclusion
Learning objectives
01 Understanding the key aspects relating to privacy and the GDPR
02 Understanding the risks associated with privacy
03 Identifying how to protect from privacy risks
Target audience of this teaching material
- The main target reader has no knowledge of the issue of privacy.
- This teaching material addresses key aspects of privacy by raising a set of relevant questions.
- Accordingly, this teaching material provides learners with the necessary information to gain basic knowledge of the concept of privacy, allowing them to make decisions and act in relation to the IoT environment.
- The target group of learners holds functions both upstream and downstream of the IoT supply chain, thus mirroring the entire spectrum of IoT stakeholders:
  - Upstream, e.g. device manufacturers
  - Midstream, e.g. professionals designing IoT products; third parties using and designing products; IoT platform manufacturers
  - Downstream, e.g. subscribers, users, non-users, authorities
Part 1: What is Privacy?
1. What is Privacy? Contents
- Introduction
- The General Data Protection Regulation (GDPR)
- What is the link between privacy and security?
1.1 Introduction to Privacy
Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself. One can distinguish the ability to prevent intrusion into one's physical space ("physical privacy", for example with regard to the protection of the private home) from the ability to control the collection and sharing of information about oneself ("informational privacy"). The right to privacy is enshrined in the Universal Declaration of Human Rights (Article 12) as well as in the European Convention on Human Rights (Article 8).
1.1 Introduction to Privacy: Personal Data
The concept of privacy overlaps with, but does not coincide with, the concept of data protection.
Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.
Note that the GDPR provides separately for special categories of data, namely genetic data, biometric data and data concerning health.
1.1 Introduction to Privacy: Personal Data categorization
- Non-personal: non-identifiable data, which has never been labelled with individual identifiers and from which no specific individual can be identified. Examples: hours worked, weather, number of employees, anonymised data.
- Personal: any information relating to an identified or identifiable individual. Examples: individual's name, date of birth, postal code, online identifier.
- Special categories: any information relating to an identified or identifiable individual that is sensitive in nature. Examples: racial or ethnic origin, data concerning health, sexual orientation, religion, political beliefs, biometric/genetic data.
1.2 The General Data Protection Regulation (GDPR): Overview
- Protects personal data (not all data), due largely to the increase in technology and the free flow of information.
- Also referred to as Regulation (EU) 2016/679.
- Created by the European Parliament and Council to strengthen and unify data privacy for EU individuals as well as to regulate the international transfer of their data.
- Became applicable on 25 May 2018 as a Regulation.
Examples of privacy scandals:
- Facebook's launch of Portal has been stymied by trust issues: "The company's privacy scandals have made us wary of its connected devices"
- Amazon confirms Alexa recorded and shared a family's conversation
1.2 The General Data Protection Regulation (GDPR): Territorial Scope of GDPR
The GDPR intends to extend the reach of EU data protection law. As well as protecting personal data that is held within the EU, even if an organisation has no EU presence, if personal data of a person who is in the EU is processed by this organisation in connection with goods or services provided, the GDPR will still apply.
Non-EU organisations will be subject to the GDPR if they:
- Offer goods or services to EU residents
- Monitor the behaviour of EU residents
1.2 The General Data Protection Regulation (GDPR): What is Personal Data Processing?
Following are some examples of processing:
- In: gathering, recording, amendments, data storage, structure, organisation
- Out: use, analysis, transmitting, extraction, profiling
1.2 The General Data Protection Regulation (GDPR): Processing of Data
Processing in the GDPR means any operation which is performed on personal data or sets of data, whether or not it is automated: collection, recording, organising, structuring, storage, adaptation, alteration, retrieval, transmission, erasure or destruction.
Profiling of data and automated decisions: automated processing of personal data to evaluate certain personal aspects relating to a natural person, in order to predict aspects concerning that natural person. Requirements for profiling: the data has to be personal, the processing automated, and some form of evaluation must take place.
1.2 The General Data Protection Regulation (GDPR): Roles within GDPR
- Data subject: an identified or identifiable natural person.
- Data controller: a person, public authority, agency or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Protection Officer (DPO): the person who ensures that the organisation is aware of and complies with its data protection responsibilities and obligations under the GDPR and Member State law.
- Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.
1.2 The General Data Protection Regulation (GDPR): Roles within GDPR (cont.)
- Third party: a natural or legal person, public authority, agency or body which is authorised to process personal data under the direct authority of the data controller or processor.
- Supervisory authorities: monitor and enforce the application of the GDPR, with the aim of protecting the fundamental rights and freedoms of natural persons in relation to processing and of facilitating the free flow of personal data within the European Union.
1.2 The General Data Protection Regulation (GDPR): Data Protection Principles
There are six principles that define the conditions under which data should be processed; they define the "HOW". Breaking these principles makes the processing unlawful. The principles are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
1.2 The General Data Protection Regulation (GDPR): Reasons to process data
There are six reasons under which data may be processed, and they answer the "WHY" of processing. These reasons must also be lawful. The six reasons are:
- Consent
- Contract
- Compliance
- Vital interest
- Public interest
- Legitimate interest
1.2 The General Data Protection Regulation (GDPR): Rights of the Individual
The GDPR provides the following rights for individuals:
- Right to be informed: transparency about the use of the data collected, the aim of collection and the retention period.
- Right of access: the right to have access to their data, asking either verbally or in writing.
- Right to rectification: the right to request, either verbally or in writing, that data be corrected, or completed if incomplete.
- Right to erasure: the right to have their data erased (right to be forgotten).
- Right to restrict processing: the right to request the restriction or suppression of their personal data (applies only in certain circumstances).
1.2 The General Data Protection Regulation (GDPR): Rights of the Individual (cont.)
The GDPR provides the following rights for individuals (cont.):
- Right to data portability: the right to ask for their data to be copied or transferred easily from one IT environment to another in a safe and secure way, without affecting its usability.
- Right to object: the right to stop their data being used for direct marketing.
- Rights in relation to automated decision making and profiling: give individuals information about the processing; introduce simple ways for them to request human intervention or challenge a decision; carry out regular checks to make sure that systems are working as intended.
1.2 The General Data Protection Regulation (GDPR): Novelties of the GDPR
- Privacy by Design
- Accountability
- Consent management
- Data Protection Impact Assessment (DPIA)
- Data breach notification
1.2 The General Data Protection Regulation (GDPR): Breaches - Introduction
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.
- The GDPR provides for the mandatory notification of data breaches provided that certain requirements are met. Breaches need to be notified to the data protection authorities and, in certain cases, to the individuals/data subjects affected by the data breach.
- Ensure there is a record of any personal data breach, regardless of whether notification is required; maintaining such a record is in line with the accountability principle.
- The notification of a data breach is relevant for all actors in the supply chain, as they have to provide for it in accordance with their role.
1.2 The General Data Protection Regulation (GDPR): Procedures to follow: Who to Notify
- Data protection authorities: the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- Data protection authorities and affected individuals: if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must also inform those individuals without undue delay.
- Ensure there are robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not the relevant supervisory authority and the affected individuals are notified.
- Note that this is also relevant for end users of IoT devices, given that in certain cases they are themselves the affected individuals and will be directly notified.
1.2 The General Data Protection Regulation (GDPR): Procedures to follow: What to Notify
According to article 33(5), when reporting a breach, the GDPR says you must provide:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if the organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
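The breach procedure on the preceding slides (record every breach, 72-hour window from awareness, risk-based choice of whom to notify, the content items to provide) carried into a small breach-register helper. This is an added example, not part of the teaching material; the risk labels, field names and the sample breach are constructed for illustration.

```python
"""Breach-register helper (added example): records a personal data breach,
derives the notification deadline from the time of awareness, decides whom to
notify from the assessed risk, and lists notification content still missing."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# The slide states the supervisory authority must be notified within 72 hours
# of becoming aware of the breach, where feasible.
NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Outcome of the internal risk assessment (labels assumed for the example)."""
    UNLIKELY = "unlikely to result in a risk"    # record only
    LIKELY = "likely to result in a risk"        # notify the supervisory authority
    HIGH = "likely to result in a high risk"     # also notify affected individuals


@dataclass
class BreachRecord:
    """One entry in the internal breach register. Every breach is recorded,
    whether or not it has to be notified (accountability principle)."""
    ref: str                                    # internal reference (constructed)
    aware_at: datetime                          # when the organisation became aware
    risk: Risk
    nature: str = ""                            # nature of the breach
    subject_categories: tuple[str, ...] = ()    # categories of individuals concerned
    approx_subjects: int | None = None          # approximate number of individuals
    record_categories: tuple[str, ...] = ()     # categories of records concerned
    approx_records: int | None = None           # approximate number of records
    contact_point: str = ""                     # DPO or other contact point
    likely_consequences: str = ""
    measures: str = ""                          # taken or proposed, incl. mitigation

    def deadline(self) -> datetime:
        """Latest time for the authority notification, per the 72-hour rule."""
        return self.aware_at + NOTIFICATION_WINDOW


def notification_targets(rec: BreachRecord) -> list[str]:
    """Whom to notify, following the decision rule on the slide."""
    targets: list[str] = []
    if rec.risk in (Risk.LIKELY, Risk.HIGH):
        targets.append("supervisory authority")
    if rec.risk is Risk.HIGH:
        targets.append("affected individuals")
    return targets


def missing_notification_content(rec: BreachRecord) -> list[str]:
    """Content items listed on the slide that are still empty in the record.
    The counts and categories are 'where possible' items, so an empty entry is
    a prompt to the responder, not necessarily a blocker."""
    required = {
        "nature of the breach": bool(rec.nature),
        "categories of individuals": bool(rec.subject_categories),
        "approximate number of individuals": rec.approx_subjects is not None,
        "categories of records": bool(rec.record_categories),
        "approximate number of records": rec.approx_records is not None,
        "contact point": bool(rec.contact_point),
        "likely consequences": bool(rec.likely_consequences),
        "measures taken or proposed": bool(rec.measures),
    }
    return [name for name, present in required.items() if not present]


def hours_remaining(rec: BreachRecord, now: datetime) -> float:
    """Hours left before the 72-hour window closes (negative when overdue)."""
    return (rec.deadline() - now).total_seconds() / 3600


# Constructed sample breach, loosely modelled on the telecare use case later in
# the material: a store of blood-pressure readings left readable.
SAMPLE = BreachRecord(
    ref="BR-0001",
    aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
    risk=Risk.HIGH,
    nature="Blood-pressure readings exposed by a misconfigured storage bucket",
    subject_categories=("telecare beneficiaries",),
    approx_subjects=120,
    record_categories=("health data", "location"),
    # approx_records and measures deliberately left blank to show the check
    contact_point="dpo@example.invalid",
    likely_consequences="Disclosure of health data of vulnerable persons",
)

if __name__ == "__main__":
    print("notify:", notification_targets(SAMPLE))
    print("still missing:", missing_notification_content(SAMPLE))
    print("deadline (UTC):", SAMPLE.deadline().isoformat())
```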
1.3 Link between privacy and security: Privacy and Security
Privacy and security are separate concepts, in the sense, for example, that privacy can be perceived independently of security. But they are complementary, given that in reality security is an enabler of privacy. It can be stressed that security is a basic requirement for the effective protection of privacy.
Part 2: Privacy in the context of IoT
2. Privacy in the context of IoT: Contents
- Global approach of IoT systems
- Challenge of privacy in IoT
- Use case examples
- Data processing within the IoT ecosystem
2.1 Global Approach of IoT Systems: Privacy in the context of IoT
This teaching material proposes an approach that reinforces the role of human users, with privacy concerns at the heart of IoT and with humans as the users and beneficiaries of IoT.
2.1 Global Approach of IoT Systems: Main differences and characteristics of IoT systems
- Stakeholders: a large variety of potential stakeholders with a wide range of roles that shape the way each of them can be considered in the IoT system. Moreover, none of them can be ignored.
- Privacy: in the case of IoT systems that deal with critical data in critical applications (e.g. e-Health, Intelligent Transport, Food, Industrial systems), privacy becomes a make-or-break property.
- Interoperability: there are very strong interoperability requirements because of the need to provide seamless interoperability across many different systems, sub-systems, devices, etc.
- Security: as an essential enabling property for trust, security is a key feature of all IoT systems and needs to be dealt with in a global manner. One key challenge is that it involves a variety of users in a variety of use cases.
2.1 Global Approach of IoT Systems: Main differences and characteristics of IoT systems (cont.)
- Technologies: by nature, all IoT systems have to integrate potentially very diverse technologies, very often for the same purpose (with a risk of overlap). The balance between proprietary and standardised solutions has to be carefully managed, with a lot of potential implications for the choice of the supporting platforms.
- Deployment: a key aspect of IoT systems is that they emerge at the very same time that Cloud Computing and Edge Computing have become mainstream technologies. All IoT systems have to deal with the need to support both Cloud-based and Edge-based deployments, with the associated challenges of data management, etc.
- Legacy: many IoT systems have to deal with legacy (e.g. existing connectivity, back-end ERP systems). The challenge is to deal with these requirements without compromising the "IoT-centric" approach.
2.1 Global Approach of IoT Systems: Need for an "IoT-centric" view
- Examples of roles to be characterised and analysed: system designer, system developer, system deployer, end-user, device manufacturer.
- Reference architecture(s): many elements (e.g. vocabularies, definitions, models) have to be defined, agreed and shared by the IoT stakeholders. Given the great variety of IoT system architectures, it is also necessary to adopt reference architectures, in particular functional architectures.
- The very large span of requirements, use cases and roles within an IoT system makes it difficult to provide prototypical solutions applicable to all of the various issues addressed.
2.2 Challenge of Privacy in IoT
- IoT forms a clear example of hyper-connectivity and distributed control.
- Appropriate safeguards are needed to ensure that individuals' right to privacy is effectively protected.
- The following are some of the challenges, in identifying:
  - the stakeholders that are impacted by privacy;
  - the personal data and who owns the data;
  - privacy in the various domains of IoT;
  - how stakeholders need to think of privacy as part of design, not as an afterthought;
  - the implications of non-compliance with regulation, not just standards.
2.3 Use case examples Ambient assisted living in smart homes, older people - illustration
2.3 Use case examples: Ambient assisted living in smart homes, older people - stakeholders
Main actors:
- Beneficiary: elderly person (Angela, 84 years old) with raised cardiovascular risk
- Family caregiver: the relatives (Alba) or a family caregiver with an interest in, and permission to, check the status of the beneficiary
- Formal caregiver: in this case, the Spanish Red Cross, which provides the 24/7 telecare and assistance service
Data subject: Angela
Data controllers: CCTV camera manufacturer; blood pressure device manufacturer
2.3 Use case examples: Ambient assisted living in smart homes, older people - stakeholders (cont.)
Data processors:
- Location service provider (provides Angela's location service to Alba)
- Caregiver: Spanish Red Cross (provides the staff that reviews Angela's medical record)
- Relative
- Blood pressure device manufacturer
2.3 Use case examples: Ambient assisted living in smart homes, older people - challenges
- The CCTV camera and the blood pressure tracker will be monitoring and maintaining a record of Angela's location, blood pressure, body temperature and other forms of health data.
- These data will be accessible to the camera manufacturer, the blood pressure device manufacturer, the Spanish Red Cross and the like.
- Concerns include how these data will be stored and used by the respective parties, for how long, and whether sufficient safeguards have been implemented to protect the data from being accessed by an unauthorised party.
2.3 Use case examples: Smart home solutions - illustration
- Movie night scenario: with the press of a button, Erik's flat door is locked, the lights are off all over the house except in the living room, where a dimmed, discreet illumination is still present, and the temperature in the living room is set a bit warmer than usual.
- Security at night scenario: Daniel is in his bedroom. From his mobile phone he can look at the video streams coming from the video cameras installed outside the home, check the motion detectors around the home, and also check the contact sensors installed on the windows to see if any of them has been left open.
- Power saving scenario: Olaf lives in a remote cottage in the mountains. From his mobile phone he can set the preferred room temperatures, the priority of the rooms and the consumption limits, to keep his instant power consumption within the required limits at all times.
2.3 Use case examples: Smart home solutions - stakeholders
Main actors: home residents; housekeeper (with a passive role in the solution); technician
Data subject: depending on the scenario, Erik, Daniel or Olaf
Data controller: smart home application developer
Data processors: video camera manufacturer; technician
2.3 Use case examples: Smart home solutions - challenges
Smart homes require several sensors and actuators to be installed that allow the home to be aware of its parameters and events at every moment and to take appropriate actions when needed. These new technologies bring with them specific threats: network security, hacking, people's privacy, and the complexity of installation and maintenance of the devices, which needs to be accounted for when these devices are being manufactured.
2.3 Use case examples: Logistics and workplace - story line
The port of Rotterdam is a multipurpose port with numerous terminals. The type and quantity of data related to transiting goods are processed through sophisticated equipment and IT systems, which are coordinated by employees from the IT Department and protected under the supervision of the port's security department. The overall system is constantly checked through a sophisticated internal system, which allows the interchange of data with external entities and logistics actors.
Peter is an employee who coordinates the incoming and outgoing shipments and ensures that the traffic is managed in an effective manner. Peter is equipped with a smart watch that he is required to wear during office hours. The equipment allows the respective managers to keep track of the time and duration for which the warehouse was accessed by their delivery representatives. Additionally, a secure system allows the delivery representatives to pick up the cargo only after clearance is given by their managers, along with a 4-digit OTP (one-time password) which is sent to their smart watches. Access to the information on the watch is only provided to shipment owners when the cargo is arriving or at the premises of the port.
2.3 Use case examples: Logistics and workplace - stakeholders
Main actors: Peter; the employer (Sky Shipping & Logistics Company Ltd); the cargo shipment owner (Glitterati and Co); watch company; location service provider
Data subject: Peter (personal data: location, address, phone number; health data: heart rate, body temperature)
Data controller: the employer
Data processor:
2.3 Use case examples: Logistics and workplace - challenges
The smart watch can track and store different types of data with respect to Peter, including his location, address, heart rate and body temperature. Thus it is essential that his employer ensures that effective measures are put in place so that only the relevant personnel have access to such data, and that such data is tracked during office hours only, when it is required for an assignment. Further, the smart watch manufacturers must implement sufficient security mechanisms to prevent it from being hacked by third parties.
Part 3: What are the risks associated with Privacy?
3. What are the risks associated with Privacy? Contents
The GDPR is a risk-based regulation requiring organisations to take appropriate technical and organisational measures on the basis of the risks identified. When identifying risk, organisations have to take into account several parameters, such as the specific types of data to be processed and the scale of the processing itself. The risks pertaining to personal data protection relate to each individual separately, but since the harm can proliferate in the IoT environment they are relevant for society at large.
3.1 What are the risks associated with Privacy? Contents - Categories
In order to be able to capture and explain risk across the relevant areas in an IoT ecosystem, it is worth categorising risk as it relates to the relevant stakeholders, as follows:
- Upstream: parties that are directly involved in the creation of the IoT device, i.e. device manufacturers.
- Midstream: third parties that assist the device manufacturers in the creation of the IoT device, i.e. product designers, platform manufacturers and the like.
- Downstream: the final users of the IoT device.
3.1 What are the risks associated with Privacy? Contents - Upstream
Upstream parties, e.g. IoT device manufacturers, play a fundamental role as far as data privacy is concerned, and their actions or inactions can expose IoT users to significant risks. Some examples of possible risk are:
- Device manufacturers may not make the necessary investments in the cybersecurity element of the IoT device, in order to stay ahead of competitors while also providing an attractive price. This may jeopardise the safety of consumers' data.
- Device manufacturers may now run the risk of losing their goodwill in the market and the confidence of customers, mainly because they may now be made financially liable for failure to ensure implementation of the safeguards required by the GDPR.
3.1 What are the risks associated with Privacy? Contents - Midstream
The risks at the midstream level, caused by parties like product designers, platform developers etc., are to an extent similar to those relating to the device manufacturers. With the IoT, the internet is everywhere, in every nook and cranny of private spaces, which could potentially mean the generation of more data. Such data is used not only by the device manufacturer but is shared with its relevant third parties to allow the overall functioning of the IoT devices. It is for this reason that the GDPR also makes such related (connected) parties liable, to the extent that the breach is caused by their negligence or failure. In addition to violating the law, the product designers or platform developers may also be found in breach of the contract they would have with the device manufacturer.
3.1 What are the risks associated with Privacy? Contents - Downstream
From the perspective of IoT device users, data losses, unauthorised access to personal data, unlawful surveillance and intrusive use of wearable devices are some of the risks to which they may be exposed. More specifically, lack of control and information asymmetry is another major risk that IoT users may face. This is because an IoT ecosystem in a home will typically consist of several interconnected devices, some of which are designed to operate in the background, as a result of which individuals may not be aware of their presence. In such a situation, individuals may be oblivious to (uninformed of) the information relating to them that is being collected, stored and used by such devices. An additional challenge that might be faced with IoT devices is that data being collected may not be used for the purpose for which it was originally collected.
3.2 What are the risks associated with Privacy? Data Protection Impact Assessment 1/2
- A Data Protection Impact Assessment (DPIA, a form of privacy assessment) is a tool to help you identify and minimise the data protection risks of new projects.
- DPIAs are part of your accountability obligations under the GDPR, and an integral part of the 'data protection by default and by design' approach.
- A DPIA can address a single processing operation or a set of similar processing operations.
- A DPIA should be carried out prior to the processing, as early as practical in the design of the processing operation.
- A DPIA should be continuously updated.
3.3 What are the risks associated with Privacy? Data Protection Impact Assessment 2/2
The five key stages of a DPIA may be summarised as follows:
1. Identify the need for a DPIA (e.g. processing special categories of data)
2. Describe the information flow
3. Identify data protection related risks
4. Identify and evaluate privacy solutions
5. Sign off and record the outcome
3.3 What are the risks associated with Privacy? Data Protection Impact Assessment - Example of ICO Template
[Slide shows two template examples from the ICO DPIA template: "Identify the need for DPIA" and "Identify and assess risk".]
Part 4: How to Protect from Privacy Risks?
4. How to Protect from Privacy Risks? Contents
- Introduction
- Device manufacturers
- Professionals designing IoT products (social network)
- Professionals using IoT products (third-party application developers)
- IoT platforms
- Individuals as data subjects: subscribers, users, non-users
4.1 How to Protect from Privacy Risks? Introduction
Having suggested a tool to help identify risk which can be used by the categories of stakeholders mentioned earlier (upstream, midstream, downstream), this section now suggests a key set of recommendations. The recommendations are primarily, but not exclusively, relevant for the stakeholders identified. The recommendations here are a subset of the details found in the main TR.
4.2 How to Protect from Privacy Risks? Upstream - Device Manufacturer
Most device manufacturers actually collect and process personal data which is generated by the device, for purposes and by means which they have wholly determined. This effectively means that if device manufacturers have built in sensors that collect data from devices and transmit it for other purposes, such as to track an employee's usage in order to help determine what sites were visited, or to sell data to insurance companies (basically, if the device collects and processes the personal data generated), this needs to be made clear to the users, who are the data subjects. In this respect, the device manufacturers qualify as data controllers.
4.3 How to Protect from Privacy Risks? Upstream - Device Manufacturer - Recommendations
- Data protection by design: privacy of users must be embedded into the design of business processes, technologies, end-to-end ecosystems, operations and information architectures. Each service or business process designed to use – or that may later use – personal data must take all the necessary security requirements into consideration at the initial stages of its development.
- Data protection by default: the strictest privacy settings and mechanisms must automatically apply once a user acquires a new product or service; no manual change to the privacy settings should be required on the part of the user. The user 'owns', or at least controls, their own data by law.
- Transparency of privacy policy: the device manufacturers should ensure that the user is and remains clear and aware of privacy issues, the choices they make and the possible consequences thereof.
- Non-discriminatory practices: the vendor, supplier or other provider should ensure non-discriminatory practices against users and businesses on the basis of information derived from digital ecosystems and deployments.
- Accountability: any vendor, supplier or other provider should have the appropriate levels of accountability for regulatory, contractual and ethical compliance, upstream, midstream and downstream in the ecosystem.
4.3 How to Protect from Privacy Risks? Midstream - Professionals designing IoT products (Social Network)
In the world of IoT, with connected devices where data from one device can be shared with other devices depending on the platforms, the owner of the platform is responsible for maintaining the privacy of the data, as this data is pushed by the user (data subject) onto it. The social platform owner is then the data controller and is subject to the GDPR. In light of the GDPR, the following set of recommendations is relevant for such actors:
- Default settings of social applications based on IoT devices should ask users to review, edit and decide on information generated by their device before publication on social platforms.
- Default settings of IoT devices should allow end users to withdraw the originally given consent for the processing of their personal data.
- Information published by IoT devices on social platforms should, by default, not become public or be indexed by search engines.
4.4 How to Protect from Privacy Risks? Midstream - Professionals using IoT products (3rd Party App developers)
For professionals using IoT products, e.g. third-party application developers, an API is needed for the developer to access the software needed for development. Some of these applications may be installed on an "opt-in" or "opt-out" basis, which is subject to the user's prior consent. The authorisation request made by third-party application developers needs to display sufficient information for the user's consent to be considered specific and sufficiently informed. The diagram on the slide shows an example of an app developer registering on an API to access a third-party service. The API owner is the data controller.
4.4 How to Protect from Privacy Risks? Midstream - Professionals using IoT products - Recommendations
- Notices or warnings should be designed to frequently remind users that sensors are collecting data. When the application developer does not have direct access to the device, the app should periodically send a notification to the user to let them know that it is still recording data.
- Applications should facilitate the exercise of data subject rights of access, modification and deletion of personal information collected by IoT devices.
- Application developers should provide tools so that data subjects can export both raw and/or aggregated data in a standard and usable format.
- Developers should pay special attention to the types of data being processed and to the possibility of inferring sensitive personal data from them.
- Application developers should apply the data minimisation principle. More generally, developers should follow a Privacy by Design approach and minimise the amount of collected data to that required to provide the service.
- Continuous updates: from the inception of an IoT device, it should be continuously updated in order to reduce vulnerabilities.
- Encryption can and should be used as an effective tool for ensuring the security of data.
59
4.5 How to Protect from Privacy Risks? Midstream - IoT Platforms
IoT manufacturers are designing standard platform interfaces with the aim of hosting the data collected through different devices, in order to centralize and simplify their management. Examples are the HLA (from AIOTI) platform and the oneM2M platform. Such platforms may qualify as data controllers in that they collect users’ personal data for their own purposes.
Recommendation: Consent to the use of a connected device and to the resulting data processing must be informed and freely given. The data subject whose data is being processed in the context of a contractual relationship with the user of a connected device should be in a position to administer the device.
60
4.6 How to Protect from Privacy Risks
4.6 How to Protect from Privacy Risks? Downstream - Individuals as Data Subjects: Subscribers, Users, Non-Users Although a given risk may be more relevant for certain stakeholders, it is important to stress that risks and the potential harm incurred cannot be contained and may proliferate throughout the entire chain. GDPR applies to human personal data. Within IoT, if the data collected are machine data, e.g. the temperature in a factory or sensor data from a sensor in a vegetable farm, then they are not subject to GDPR. Also, if the data collected are human data but are used exclusively for personal or domestic purposes, they fall under the “household exemption”. In IoT, however, this will be limited, as IoT by nature involves users’ data that are systematically transferred to device manufacturers, app developers and other 3rd parties who qualify as data controllers.
61
4.6 How to Protect from Privacy Risks
4.6 How to Protect from Privacy Risks? Downstream - Individuals as Data Subjects: Subscribers, Users, Non-Users Recommendation
Consent to the use of a connected device and to the resulting data processing must be informed and freely given. Users should not be economically penalized or have degraded access to the capabilities of their devices if they decide to use the device or a specific service.
The data subject whose data is being processed in the context of a contractual relationship with the user of a connected device (e.g. a hotel, a health insurer or a car rental company) should be in a position to administer the device.
Irrespective of the existence of any contractual relationship, any non-user data subject must be in a position to exercise his/her rights of access and opposition.
Users of IoT devices should inform non-user data subjects whose data are collected of the presence of IoT devices and of the type of data collected. They should also respect the data subject’s preference not to have their data collected by the device.
62
Conclusion
63
5.0 Conclusion Preliminary set of key takeaways
These teaching slides provide a quick guide to understanding GDPR in the context of IoT. The material offers a good background in privacy and in how the concept of privacy applies in the IoT environment. There is also an opportunity to test one’s knowledge of the material, which is a means of embedding the information enclosed. Acknowledging the support IoT stakeholders need in order to make well-educated decisions regarding personal data processing, the teaching materials put particular emphasis on the data protection risks that occur upstream, midstream and downstream of the supply chain, and on how IoT stakeholders holding a role in the respective parts of the supply chain can mitigate them.
64
5.0 Conclusion Preliminary set of key takeaways
With respect to data protection risks, and besides the specific recommendations captured in this document, it is of key importance to highlight that:
understanding the context matters for professionals to effectively protect personal information in practice;
risks in IoT ecosystems concerning personal data protection can only be mitigated, not eliminated;
risks can be perceived on an individual basis but also at a societal level;
although data protection risks do not pertain solely to specific IoT stakeholders, the degree of relevance may vary;
similarly, the recommendations produced are primarily relevant for the professionals identified, but they remain relevant, to a lesser extent, for the other actors as well.
65
Other useful information
66
A1. Other useful information Guide to Certification in Privacy
Introduction Guide to certification in Privacy
67
A1. Other useful information Introduction
Aiming to increase organizations’ accountability in relation to the processing of individuals’ personal data, there may be a need for training; hence this section describes the certification areas available today in the area of privacy. The International Association of Privacy Professionals (IAPP) is a non-profit, non-advocacy membership association founded in 2000. The IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Technologist (CIPT). The CIPP, CIPM and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance and/or risk management needs of their organizations, but they are not the only ones (
68
A1. Other useful information Guide to Certification in Privacy
A.1 Certified Information Privacy Professional (CIPP) The CIPP is for IT and other professionals whose responsibility involves data privacy and protection along with legal and compliance matters, plus information management, data governance, and human resources. A.2 Certified Information Privacy Manager (CIPM) The CIPM targets people responsible for managing information privacy programs. It stresses both knowledge of privacy law and regulations and how to translate that knowledge into workable practices, policies, and procedures for organizations to adopt and employ day to day. A.3 Certified Information Privacy Technologist (CIPT) The CIPT is for the people who implement the technical controls and components that go into a privacy program. This credential is the most likely starting point for IT professionals interested in working with data privacy and protection. It would be best coupled with the CIPP/E for those interested in coming fully up to speed on GDPR.
69
References
70
References
ETSI TR : SmartM2M; Privacy study report; Standards Landscape and best practices
European Data Protection Supervisor: "Glossary", available at:
Cloud Service Level Agreement Standardisation Guidelines, available at agreement-standardisation-guidelines
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1.
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Article 29 Data Protection Working Party, Opinion 8/2014 on the Recent Developments on the Internet of Things, adopted on 16 September 2014
ETSI TR : SmartM2M; Teaching Material; Part 1: Security
Protecting Privacy and Data in the Internet of Things: Considerations and techniques for big data, machine learning and analytics, February 2019
GSMA: Privacy in Mobile Apps: Guidance for app developers
ICO
ETSI TS : CYBER; Mechanisms for privacy assurance and verification
71
Abbreviations
AIOTI Alliance for IoT Innovation
API Application Programming Interface
CIPM Certified Information Privacy Manager
CIPP Certified Information Privacy Professional
CIPT Certified Information Privacy Technologist
DPIA Data Protection Impact Assessment
DPO Data Protection Officer
ERP Enterprise Resource Planning
ETSI European Telecommunications Standards Institute
EU European Union
GDPR General Data Protection Regulation
IAPP International Association of Privacy Professionals
IoT Internet of Things
HLA High Level Architecture
TR Technical Report
72
Quiz
73
Quiz (1/4)
1) It has been ascertained that a data breach of sensitive personal data occurred. To whom must this ultimately be reported according to GDPR?
A) Data Protection Officer (DPO)
B) Supervisory Authority
C) The manager of the department
D) The Police
2) According to GDPR, why is “Privacy by default” an essential privacy principle?
A) It ensures that only the personal data necessary for each specific purpose of processing are processed
B) It ensures that personal data is collected by default as per the privacy policy
C) It ensures that the default privacy is accepted by data subjects before personal data is processed
3) How can a DPIA strengthen the confidence of customers or citizens when it comes to how their data is processed and their privacy respected?
A) The organisation minimizes the risk of costly adjustment of processes or redesign of systems at a later stage
B) The organisation prevents non-compliance with GDPR and minimizes the risk of lost time
C) The organisation proves that it takes data protection seriously and ensures compliance with GDPR
4) What best describes the principle of data minimization?
A) Care must be taken to collect as little data as possible in order to protect the privacy and interests of data subjects
B) Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
C) In order to keep data manageable, it must be stored in such a manner that it requires a minimal amount of storage
D) The number of items collected per data subject may not exceed the upper limit set by the Supervisory Authority
74
Quiz (2/4)
5) GDPR distinguishes “sensitive personal data” as a special category of personal data. What is an example of such data?
A) An appointment in a hospital with a medical specialist
B) An International Bank Account Number (IBAN)
C) Subscription to a scientific journal on politics
D) Membership of a branch association
6) Which role in GDPR determines the purposes and means of processing personal data?
A) Data Controller
B) Data Protection Officer (DPO)
C) Data Processor
7) According to GDPR, what is the definition of “processing” of personal data?
A) Any operation that can be performed on personal data
B) Any operation that can be performed on personal data, except erasing and destroying
C) Only operations in which the data is being shared on social media or transferred by or otherwise through the internet
D) Only operations in which the personal data is used for the purposes for which it was collected
8) According to this training material, what should be at the centre of privacy in the IoT context?
A) Knowledge
B) Technology
C) Process
D) People
75
Quiz (3/4)
9) What are some of the challenges of privacy in the IoT context?
A) Consideration of the cost to stakeholders involved in IoT services
B) Identifying who owns personal data, considering the various stakeholders involved in and impacted by IoT services
C) Making sure only one element of an IoT device is compliant with GDPR
10) What are the typical risks associated with an IoT device manufacturer?
A) Lack of control and information
B) Lack of access to personal data or unlawful surveillance
C) Lack of investment in the cybersecurity element of IoT devices
11) What are the typical risks associated with midstream parties?
A) IoT application developers may now be liable for a data breach
B) As a user, my personal data may be shared without my consent
C) A device manufacturer may not have the appropriate security for their IoT device
12) What are the typical risks associated with downstream parties?
A) A device manufacturer may now run the risk of losing the goodwill and confidence of its customers
B) Risk of unauthorised access to a data subject’s personal data
C) Risk that platform developers may also be liable for a breach caused by failure or negligence
76
Quiz (4/4)
13) As a device manufacturer designing an IoT device, which of the following will be useful as a guideline?
A) Embed the privacy of users into the design of business processes and technology
B) Apply the principle of data minimization whilst manufacturing the IoT system
C) As a data subject, give consent to the data collected
14) As an IoT application developer, which of the following will be a suitable recommendation to consider?
A) Provide default settings for IoT devices that allow end users to withdraw consent if required
B) Ignore the types of data being processed
C) As a data subject, give consent for the data to be used for the service
15) As a data subject, which of the following should be a guide to prevent the risk of being affected by a lack of GDPR compliance?
A) Provide continuous updates to your password
B) Embed the privacy of users into the design
C) Be informed of your rights as a data subject and provide consent to the use of the connected device
77
Answers
78
Answers B A C D 11) A 12) B 13) A 14) A 15) C