Data protection legislation, as it exists at the moment, dates back to 1995 when only the largest of organisations had the capacity or the desire to collect and store large amounts of data.
Twenty years on, the technological landscape for the collection and manipulation of data is completely different.
Huge numbers of businesses now process personal data extensively, especially in tech sectors such as the Internet of Things (IoT), where many businesses' value lies in their collection, analysis and monetisation of personal data.
The aims of the forthcoming European General Data Protection Regulation (GDPR) include driving better security and privacy in the IoT, directly and indirectly through investors and users.
Breaches of the GDPR will attract much higher financial penalties than the current legislation, potentially up to five percent of annual global turnover, providing a sharp incentive for businesses to pay attention to their compliance strategies.
The GDPR is still in draft form, but it is currently being negotiated and a final version is expected in late 2015 or early 2016. As the drafts stand, some of the key changes which are most relevant to IoT businesses include the following areas.
A broader definition of personal data
This is potentially the most significant change. Current legislation applies only to data which directly identifies an individual (either on its own or in combination with other information to which a data controller has access), so generally excludes ‘alias' data such as pseudonyms and IP addresses.
The new legislation will also apply to data which identifies an individual indirectly, meaning that the legislation has a much wider scope and pseudonymous (data provided under a false name) and IP data will now be ‘caught'.
Many IoT businesses have chosen to process only pseudonymous data to avoid being subject to the existing legislation, but this strategy will cease to be effective once the GDPR comes into force and such businesses will find themselves subject to a dramatically increased regulatory burden.
Greater restrictions on profiling and higher levels of consent from data subjects
Under the GDPR, data subjects' (living individuals to whom personal data relates) consent must be obtained if their data is to be used for profiling (a broad term which can be applied to most data analytics), and such consent should be freely given, specific, informed and, crucially, revocable.
The European Commission's draft also states that consent should be ‘explicit'. It is unclear whether the word ‘explicit' will be adopted, but either way the new consent threshold will make it much more difficult to rely on customers' implied consent.
There will also be further restrictions as to when big data or further processing is compatible with the purposes originally stated, which will limit IoT businesses which perform extensive analytics.
This will give the public much greater control over their personal information, and businesses which rely on complex analytics and/or proprietary data would be advised to consider their customer engagement strategies, user interfaces and terms and conditions to ensure that they have the necessary consents in place.
The GDPR will introduce a new right of data portability (the ability to move data among different application programs, computing environments or cloud services), extending the existing right of data subjects to make a subject access request by obliging data controllers to provide subjects' data in a machine-readable format which can be provided to another controller.
Businesses operating in the IoT should consider how this might affect them. The GDPR's aim was to give customers greater control over their data by preventing them from being ‘locked in' to services, so additional customer incentivisation may be necessary.
Conversely, though, to the extent that IoT businesses are based on hardware purchased by a customer, businesses may find that retaining customer loyalty is less of an issue than in other sectors, for example utilities.
Increased obligations on data processors
Whereas the current legislation applies only to data processors (i.e. parties that decide how personal data is used), the GDPR will also impose security obligations on data processors and will make them directly liable to claims by data subjects.
These new measures will make it much more difficult for analytics businesses to allocate risk, and processors may find themselves subject to data protection legislation for the first time.
Privacy impact assessments will be compulsory
Current legislation does not require data controllers to perform privacy impact assessments (PIAs), although the Information Commissioner's Office states that they are ‘best practice', especially for organisations which deal with sensitive personal information.
This is likely to change under the GDPR. The current drafts of the text disagree over the exact circumstances in which PIAs will become compulsory, but PIAs are likely to be mandatory for large companies and for ‘high risk' processing involving biometric or health data.
Businesses which process health data or other sensitive personal data are advised to lay the foundations for this now and to bring their PIA procedures up to date to ease the transition from ‘good to have' to ‘must have'.
As they operate in a data-rich sector, many IoT companies will find that they will need to make significant and systemic changes to their businesses in order to accommodate the new legal framework.
But the good news is that there will be a grace period of two years after the GDPR is agreed before it comes into force, allowing some breathing space to consider the implications of the GDPR and prepare accordingly.
Nicola Fulford is head of data protection and privacy at law firm Kemp Little.
Infected apps have been downloaded more than 50 million times
Customers of regular price-raising ISP and cable operator claim nationwide outages started on Monday
Pixel 2 smartphones and a Pixel-branded laptop also planned by Google
The moment you've all been waiting for...