The DPIA in IoT

The Internet of Things (IoT) is a rapidly evolving and expanding set of different technologies which interact with the physical world and represent one of the main lynchpins of the digital transformation currently in progress.

IoT technologies and systems offer ever-greater digitization and automation of processes and exploitation of machine learning and artificial intelligence functionalities in order to create new business opportunities and high-value services for customers and consumers.

In this context, IoT offers a series of opportunities, while also involving significant risks for the rights and freedoms of parties whose data are processed.

It is necessary for appropriate organizational, procedural and technological security measures to be adopted, starting out from an assessment of the risks relating to the processing performed via IoT systems and technologies.

IoT systems can affect the risks for information security and privacy in a different manner compared to traditional information technology systems.

The main characteristics of an IoT system are the large number and heterogeneous nature of the components, the large quantity of data processed, and the security of the devices limited by hardware and software restrictions.

The intelligent devices can be of various types: those which involve the greatest information and privacy risks are medical devices, video cameras, environmental proximity sensors, and wearables (for example wristbands and watches).

The main fields of application of IoT (both for end consumers and companies) are represented by those contexts in which there are devices which can “talk” and generate new information, such as:

• Smart buildings and building automation
• Smart Manufacturing (Industry 4.0)
• Automotive, self-driving cars
• Smart health, healthcare, biomedical
• Telemetry
• Surveillance and security
• Smart cities and smart mobility
• Smart Agriculture, precision farming, field sensors

The main risks in the use of IoT technologies and systems are:

• Cyber-attacks: DDoS, malwares, manipulation and loss of information, manipulation of hardware components, software, sensors etc.
• Service interruptions: lack of availability and interruption of the computer network and service providers, loss of communication services, malfunctions of systems and sensors etc.
• Physical attacks: modification or destruction of communications networks following sabotage or natural and environmental disasters etc.
• Software malfunctions: configuration and design errors in the software of sensors, authentication vulnerabilities, weaknesses in communications protocols etc.
• Interception: attack techniques such as “man in the middle”, modification of the communication protocol of sensors, information gathering, interception of messages between sensors and the central system etc.

• Attacks on personal privacy: abuse of personal data, identity theft, unauthorized access to systems and sensors, compromised personal data, social engineering etc.

European data protection regulations (General Data Protection Regulation – GDPR 679/2016, article 35) requires the controller responsible for processing personal data to carry out a DPIA (Data Protection Impact Assessment) before proceeding with processing involving the use of new technologies which could represent a significant risk to the rights and freedoms of the natural persons.

The main types of processing relating to IoT for which the Italian data protection authority requires an impact assessment (DPIA) before their use are as follows:

• Systematic processing of genetic data (e.g. medical devices)
• Processing involving systematic use of data for observation, monitoring or control of the data subjects (e.g. video surveillance, geolocation)
• Processing performed through use of innovative technologies (e.g. environmental proximity sensors, wearables)

In carrying out the DPIA, a series of essential aspects must be analyzed, including:

• The processing subject to the assessment
• The purposes of the processing
• The legal bases of the processing
• The data processed
• The company departments involved
• The privacy policy and attainment of consent of the data subjects
• Training of the personnel involved
• The IT resources supporting the processing
• The measures implemented to safeguard the data subjects’ rights
• The organizational, physical and logical security measures implemented to safeguard the processed data
• The potential threats, impacts and risks that the data could be subject to
• The data storage period
• Potential transfer of the data

Lutech Group’s Advisory Team carries out consultancy at its clients’ premises on the critical issues which can arise with the use of IoT systems and technologies, both in organization and procedural, and technological terms, and on the appropriate corrective actions to mitigate the highlighted risks.

The methodological approach which Lutech uses to correctly address the information security risks in IoT, in accordance with the suggestions from NIST (Considerations for Managing IoT Cybersecurity and Privacy Risks - 2018) and Enisa (Baseline Security Recommendations for IoT – 2017), is as follows:

1. Assessment and Remediation plan: analyze and understand the threats, impacts and risks which the devices and processed data may be subjected to, and define the actions which must be adopted to mitigate these threats and risks.
2. Governance Strategies: review and update the organizational processes and policies at a strategic level is essential for governing the information security and privacy risks throughout the lifecycle of the devices.
3. Build: implement the corrective and mitigating actions defined in order to correct or reduce the identified threats and risks.