GDPR Prep: Keep IoT in Mind

We’re still in the early days of the Internet of Things (IoT), but all signs point to an upswell in this IT trend. Gartner predicts that IoT connections around the world will more than quadruple in the coming years—from 8 billion in 2017 to 27 billion in 2025. These can be anything from sensors on trains to home security systems.

Gartner also cautions that data regulations could kill your IoT strategy before you even get off the ground. So as you’re revisiting your data policies to follow the EU GDPR, make sure to keep your IoT strategy in mind, too. Be thinking about the type of data you collect, where you store it, and how easy it is to find and delete any personal data in those stores.

Collect data from the right places

Whether you use IoT devices yourself or merely manufacture the devices for others to use, you should make sure that you’re collecting personal data only in countries that allow it. To do this:

  • Put safeguards in place to make sure your IoT devices can be used only in the right legal jurisdictions
  • Make sure all your suppliers and partners stay compliant with the law, too
  • Seek legal advice for any situations that are ambiguous
  • Stay current on ever-evolving data regulations

Only collect data that you really need

You shouldn’t be collecting personal data with IoT devices just because you can. Instead, make sure to justify every piece of personal data you collect. To do this:

  • Do an audit of all personal data you collect
  • Clearly label personal data as such and explain your reasons for collecting it
  • Put repeatable, scalable processes in place so you can find and delete any personal data when users ask you to
  • Give your users a clear way to opt in to having their personal data stored and used

Store data in the right places

This one comes back to laws around data sovereignty. Some regions, like the EU, allow you to transfer data within the EU and 11 other countries that are thought to have “adequate” security governance. But China doesn’t allow organizations to transfer data outside China, including to any third parties.

This means you need to be crystal clear on the laws in any countries you work in. You might not be able to store all your personal data in a central repository. Instead, you might need to keep some personal data in the country in which you collected it. Or depending on the country, you might also be able to store personal data outside of the country if you use anonymization, tokenization, data masking, or encryption.

Get started with Microsoft IoT

Microsoft offers an Azure IoT suite that makes it easy to launch and monitor IoT solutions. If you need help getting on a different instance of Azure, Binary Tree offers a solution called Power365®, which helps migrate across Microsoft tenants. Power365 is a software-as-a-service offering built on the Microsoft Azure platform. As you migrate, no data leaves Azure, which increases security and compliance while delivering a reliable transformation. See more about Power365.

 

Source: Gartner. How Data Sovereignty Will Kill Your IoT Strategy and What You Can Do About It. January 2018.