What regulation for connected objects?
The sheer number of Internet of Things devices makes them a significant vector for malicious attacks.
The threat of a virus disrupting the operation of these objects, allowing attackers to take control of them and divert them from their intended functions, is real.
Towards a European certification for the protection of data from the Internet of Things
Among the innovations introduced by the RGPD, Article 40 encourages the establishment of codes of conduct and "certification mechanisms for data protection as well as labels and marks".
Like energy labels, which summarize energy performance and guide consumer choice, a certification of conformity based on the RGPD, or a trust label for connected objects developed by the players in the sector for the general public, could be created to ensure transparency about the various levels of confidentiality and security.
In its report "Advancing the Internet of Things in Europe", published in April 2016, the Commission considers setting up a certification scheme for connected objects: such a scheme would require manufacturers to analyse the functions of each object against a security reference framework defined by the regulatory authorities.
The implementation of appropriate governance measures
Governance refers to all the information, monitoring measures and rules that ensure the proper functioning and control of an organization. It aims to provide the company's strategic direction and to ensure that objectives are met, that risks are properly managed, and that resources are used responsibly.
As part of the development of connected objects, a number of governance measures can be implemented by industry.
A data breach is characterized by the destruction, loss, alteration, disclosure of, or unauthorized access to personal data, whether accidental or unlawful. It is useful to formalize a workable data breach procedure for each level of risk (event, incident, disaster, crisis), keep it up to date and test it periodically. The objective is to put in place a system capable of detecting and handling events that may affect the freedoms and privacy of the persons concerned.
In terms of security measures, it is also necessary to formalize authorizations and to establish identification and authentication of the employees who work on each processing operation.
In companies with several lines of business, it may even be worth creating an internal unit dedicated to managing the data generated by these connected objects.
In addition, traceability must be managed seriously. Connections to the system from workstations will have to be logged and time-stamped, and these logs should be inspected regularly so that personal data incidents are detected early.
Encrypted backups should be kept in a separate, secure location to limit the impact of data being modified or lost. This preserves the availability and/or integrity of personal data while protecting its confidentiality. The objective is to be alerted to any unwanted modification or disappearance of personal data, which may involve audits.
Since anonymization is an irreversible measure, it is more appropriate to advise the data controller to encrypt its databases. This renders personal data unintelligible to any unauthorized person and thus reduces the risks associated with theft.
The appointment of a Data Protection Officer (DPO), successor to the Correspondant Informatique et Libertés, will be mandatory, in particular where companies carry out large-scale processing involving regular and systematic monitoring of individuals or processing of sensitive data.
Companies will also have to develop the reflex of carrying out a risk analysis of the impact of planned processing operations on the protection of personal data.