How IoT is Vulnerable Within the Scope of GDPR

4 min read Stephen Blum on Apr 17, 2018

Today, companies that run platforms for IoT, gaming or web applications, and any site that relies on notifications or chat, need to know exactly what personal data they process and where it flows. User data needs to be protected in transit and at rest, ideally end to end, and every access to it needs to be logged so that it can be audited at a moment's notice. Beyond that, each channel through which the data can be reached needs its own access control.

IoT devices depend on user-supplied data to deliver their functionality. Whether it is a smart home hub or a virtual assistant such as Amazon Alexa, a smart doorbell, a pet camera, or a smart scale that reports your body composition to an app on your phone, all of that data crosses the IoT network and must be encrypted in transit, stored securely, and protected with the same care as your personal, browsing and payment information. Most of it is personal data under the GDPR, and some of it (health readings from a scale, for example) may fall into the special categories of Article 9, which carry stricter conditions.

How IoT is Vulnerable Within the Scope of GDPR

IoT can be vulnerable on a number of levels. As it pertains to the GDPR, the concerns include the following.

Breach Notification

If a user's personal data is breached via an IoT device, the data controller must notify its supervisory authority within 72 hours of becoming aware of the breach (Article 33) and, where the breach is likely to result in a high risk to the people affected, inform those data subjects without undue delay (Article 34). Companies that control IoT data therefore need an incident response process that can detect a breach on a device or its backend, scope it, and produce a compliant notification inside that window.

Consent

For IoT devices this is a complex topic. The GDPR says that consent cannot be inferred from silence or inaction on the part of the data subject (pre-ticked boxes do not count), nor is it "freely given" if the subject has no real choice in the matter. The subject must be able to grant, refuse or withdraw consent at any time, and withdrawing must be as easy as granting it, which is a real design problem for a device with no screen and a single pairing button.

Privacy by Design

Because the GDPR requires organizations to demonstrate compliance rather than merely achieve it, companies building IoT systems should expect to run Data Protection Impact Assessments (Article 35) for processing that is likely to pose a high risk, such as continuous monitoring of people in their homes, and to design data minimisation and private-by-default settings into the product rather than bolting them on afterwards (Article 25).

Data Subject Rights

The IoT-specific considerations stem from the GDPR's mandates on the right to erasure (the "right to be forgotten", Article 17), the right not to be subject to decisions based solely on automated processing (Article 22), and especially data portability (Article 20): an IoT platform needs a way to locate, export and delete one subject's data across devices, message history and analytics stores efficiently, and generally within the one-month response deadline of Article 12.

Children's Consent

Under the GDPR, a child below the age of digital consent cannot consent to online services on their own behalf. Article 8 sets that age at 16 by default but lets each Member State lower it to as low as 13, so the threshold varies from country to country (in the United States, COPPA separately sets it at 13). This is a serious consideration for IoT providers that plan to ship globally. Since the threshold differs by market, verifiable parental consent may have to be built in, and not just for products aimed directly at children: home products that children may have occasion to use need it as well.

Where Your Data is Processed and Held Matters

Where data is stored and where it is processed also matter, and the rules do not stop at the EU border. The GDPR applies to processing carried out in the context of an EU establishment regardless of where the processing itself happens, and to processing by organizations outside the EU when they offer goods or services to people in the EU or monitor their behaviour (Article 3). Moving personal data out of the EU is permitted only under one of the transfer mechanisms in Chapter V.

In practice, very few companies are truly exempt, wherever they are in the world. Only an organization with no EU establishment that never offers goods or services to people in the EU and never monitors their behaviour can make a credible case for being out of scope, and an IoT product sold online rarely fits that description.

Eventually, and probably in the near future, the frameworks that such compliance is built on will have to be standardised for adoption on a global basis. Until then, the most practical route for companies is to work with a compliance specialist that can provide a platform from which to govern their data. Knowing where every piece of personal data lives and who can reach it is the necessary first step.

Technology Transforms Governance

Blockchain is the technology most often proposed to disrupt and transform this process. Widespread adoption is still in a nascent phase, but future software platforms, APIs and SDKs are expected to build on it.

Blockchain provides transparency, tamper evidence, and a number of ways to verify that rules are being followed and data is being governed in a way that is auditable. Simply put, data held in a blockchain cannot be altered or removed once written unless the network's consensus mechanism agrees to it, and that consensus is usually spread across many independent parties rather than resting with one person or entity. Note what it does not provide: confidentiality. A public ledger is readable by every participant, so anything written to it in the clear is disclosed, not protected.

What if a user requests that their data be deleted from a blockchain? You can't do it. Once the data is on the ledger it is there, for all practical purposes, forever, because the same immutability that makes the ledger trustworthy also defeats the right to erasure. That means a company that writes personal data directly into a blockchain cannot honour an Article 17 request and will not be GDPR compliant. Personal data belongs off-chain, in a store you control and can delete from; at most an opaque reference to it should be written to the ledger.
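To make the erasure problem concrete, here is an added example in Python (not code from the original post or from PubNub): a toy append-only hash chain with a single writer and no network or consensus, which is enough to show why a record cannot be blanked or dropped once later blocks link to it, alongside the off-chain pattern recommended above, where the ledger carries only an opaque random reference and the personal data sits in a store that can be erased. The class and function names and the sample scale readings are constructed for the example.

```python
import hashlib
import json
import secrets
from typing import Optional


def block_hash(payload: dict, prev_hash: str) -> str:
    """SHA-256 over the previous block's hash and the canonical JSON of this block's payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class Ledger:
    """Toy append-only hash chain: one writer, no consensus (constructed for this example)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.blocks: list[dict] = []

    def append(self, payload: dict) -> str:
        prev_hash = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"index": len(self.blocks), "prev_hash": prev_hash, "payload": payload}
        block["hash"] = block_hash(payload, prev_hash)
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> bool:
        """Each block must sit at its index, link to the previous hash, and match its own hash."""
        prev_hash = self.GENESIS
        for i, block in enumerate(self.blocks):
            if block["index"] != i or block["prev_hash"] != prev_hash:
                return False
            if block["hash"] != block_hash(block["payload"], block["prev_hash"]):
                return False
            prev_hash = block["hash"]
        return True


class OffChainStore:
    """Personal data lives here under an opaque random reference, so it can be erased."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def put(self, personal_data: dict) -> str:
        # A random token, not a hash of the data: a hash of an e-mail address can be
        # reversed by guessing, so it would leak the subject's identity onto the ledger.
        ref = secrets.token_hex(16)
        self._records[ref] = personal_data
        return ref

    def get(self, ref: str) -> Optional[dict]:
        return self._records.get(ref)

    def erase(self, ref: str) -> bool:
        return self._records.pop(ref, None) is not None


def demo_on_chain_pii() -> tuple:
    """Personal data written straight onto the chain.
    Returns (valid_before, valid_after_overwrite, valid_after_removal)."""
    ledger = Ledger()
    ledger.append({"user_email": "alice@example.com", "weight_kg": 71.2})  # constructed sample
    ledger.append({"user_email": "bob@example.com", "weight_kg": 84.0})
    ledger.append({"user_email": "carol@example.com", "weight_kg": 59.8})
    valid_before = ledger.verify()

    # Erasure attempt 1: blank Alice's record in place. The stored hash no longer matches.
    original = ledger.blocks[0]["payload"]
    ledger.blocks[0]["payload"] = {"erased": True}
    valid_after_overwrite = ledger.verify()
    ledger.blocks[0]["payload"] = original

    # Erasure attempt 2: drop Bob's block. Carol's block now links to a hash that is gone.
    del ledger.blocks[1]
    valid_after_removal = ledger.verify()
    return valid_before, valid_after_overwrite, valid_after_removal


def demo_off_chain_pii() -> dict:
    """Only an event type and an opaque reference go on the chain; the data itself can be erased."""
    ledger = Ledger()
    store = OffChainStore()
    ref = store.put({"user_email": "alice@example.com", "weight_kg": 71.2})  # constructed sample
    ledger.append({"event": "scale_reading", "ref": ref})
    return {
        "resolvable_before_erase": store.get(ref) is not None,
        "erased": store.erase(ref),
        "resolvable_after_erase": store.get(ref) is not None,
        "chain_valid_after_erase": ledger.verify(),  # the chain was never touched
    }


if __name__ == "__main__":
    print(demo_on_chain_pii())  # (True, False, False)
    print(demo_off_chain_pii())
```

Whether an orphaned reference left on the ledger still counts as personal data is a question for your data protection officer; the engineering point is that bytes a user can ask you to erase must never be written to something you cannot rewrite.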

How PubNub Provides You a Better Way to Comply with GDPR Obligations

Given the business risk of GDPR non-compliance (administrative fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher), it makes sense to partner with a vendor who can supply you with an anxiety-free way to meet all of your data governance objectives.

For IoT platforms, live chat, or any other multi-tenant situation where you hold data for users across a wide geographic spread, being able to isolate that data per user and per region, and to act on it, is as complex as it is important. Instead of throwing valuable IT resources at the problem, building on the PubNub API or a PubNub SDK just makes sense. The GDPR represents one of the most immediate use cases, and as we move into the future, having an IT partner on the leading edge of blockchain and other advances in data security will be an advantage.