Connected Devices, Data & the GDPR
In an increasingly connected world, providers of connected products and platforms are handling more data than ever. With that comes increased GDPR risks and responsibilities. The following are the key data considerations to have in mind:
Product design
The GDPR principle of data protection by design and default means that before you start collecting data, you need to ensure your product or platform is designed in a way that it can comply with data protection principles and that, by default, only data necessary for how you intend to use it is collected. These considerations need to be baked in from the outset and throughout the lifecycle of the product and cannot be an afterthought prior to launch. For example, you need to ensure that the product will:
- Function in a transparent manner, such as by ensuring the user flow and interface provide for appropriate notices and pop-ups to keep users informed and obtain necessary consent. Regulators are increasingly critical of providers which provide information on long and complicated privacy notices rather than providing information in an intuitive and bite-size format.
- Be capable of respecting user choices regarding their data such as by ensuring different data sets of different users can be isolated and treated differently, for example, where a user objects to their data being used for profiling or personalisation.
- Not passively and inadvertently collect and share data that isn’t necessary and ensure users are offered a meaningful opportunity to choose whether to provide or share such data. For example, this could include the settings that determine whether a user’s profile will be visible to others on the platform by default or whether the device will automatically share certain data, such as activity and location data, with others.
Future developments and integrations
Products and platforms need to continuously develop and innovate to meet user expectations. Being able to use data in a manner that respects GDPR principles of transparency, data minimisation and purpose limitation is essential to that.
To do so, you need to ensure that:
- Users are informed about the way in which you plan to use data you collect for product research and development. This obligation applies even where you intend to aggregate and anonymise the data collected before using it to understand general trends and behaviours. Keeping users informed is also an ongoing obligation and steps need to be taken to periodically update any privacy or in-app notices as the product develops.
- Data processing is limited to what is necessary. For example, use of full user profiles for product research should be avoided where de-identified data can be used as effectively. Similarly, where integrations between products can be achieved by sharing only basic account and profile data, other data associated with user accounts, such as user interests, preferences and location, should not be shared.
- Data is not used in unexpected ways. For example, existing data should not be used with new and different features or integrations or shared with third parties without offering appropriate choices to users.
Security incidents
Security incidents, however they arise, will impact most connected products at some point. The obligation under GDPR is not to ensure these don’t happen but to ensure policies were in place before the incident took place, any notifications required (such as to regulators or the individuals affected) were completed in a timely manner and they are handled appropriately. In certain cases, where risks arise, this means notifying the regulator “without undue delay” and no later than 72 hours. In high-risk cases, individuals also need to be notified.
Key considerations are:
- Ensuring appropriate security incident response plans are in place that are tried and tested. Simulating a real security incident is a great way to stress test your policies and meet the tight regulatory deadlines
- Ensuring protocols are in place to ensure records of the steps taken to address the incident and why. If the incident is ever investigated regulators will look for this information. Organisations need to be able to demonstrate to a regulator how the incident response plan was followed in practice
- Developing a plan to understand what went wrong and how to fix it quickly, and
- Familiarising yourself with appropriate notification and reporting forms available from regulators you may need to notify, such as your “lead supervisory authority” if you have one. Many use standardised forms that request significant amounts of information and it’s important to understand what is required.
Next steps
Providers of connected products and platforms face significant GDPR risks and challenges. However, compliance can be achieved by understanding the issues and putting in place clear plans and policies to deal with them.
For more information, contact a member of our Privacy & Data Security or Product Regulation & Consumer Law teams.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Share this: