How Does Data Sovereignty Impact Collecting PII Through IoT?

With the Internet of Things (IoT) connections growing from 8 billion in 2017 to 20 billion by 2020, it is important to understand the potential impact data sovereignty will have on organizations collecting and sharing customers’ personal information. International organizations now frequently move Big Data across borders for analysis and consolidation. How will disparate data protection regulations between countries with differing data sovereignty laws impact these organizations? What current standards or best practices can organizations follow to ensure that proper data protection controls are applied to IoT devices? How does your organization achieve IoT data regulatory compliance?

Protecting Sensitive Data

Data collected via IoT devices is no different from personal data collected through any other means, so organizations should have a cohesive strategy for how they secure this information and apply it consistently. The real challenge with data collected from IoT devices will be complying with privacy regulations on the collection, processing, and storage of personal data, along with the data sovereignty issues that follow. Most IoT data collection and processing is automated, so organizations need to closely monitor the applicable laws of the countries the data is collected in as well as the countries the data may be processed in.

Protecting Personal Information

It’s likely less a case of IoT devices impacting data sovereignty regulations than those regulations impacting IoT device makers. Data protection authorities (DPAs) can be expected to look closely at IoT devices, the data they collect, and where that data is ultimately processed. There have been recent examples of IoT devices “leaking” personal information such as fitness trackers running the Strava fitness app.

Data Sovereignty Impact

Organizations that gather and process IoT data need to be keenly aware of the data protection regulations in the country where they are conducting the processing, as well as the countries they are marketing IoT devices into. An IoT device may well end up in a jurisdiction the manufacturer never intended, particularly in the case of wearables. Due diligence is required from both the IT Security and Privacy roles within the organization to plan for and address this eventuality.

Regulatory Compliance

Organizations should evaluate the regulatory obligations they are subject to across applicable jurisdictions and, wherever possible, implement controls that address the most restrictive regulations. For example, the EU generally has stronger data protection laws than the U.S., so for companies that do business in both, meeting the data protection obligations imposed by the General Data Protection Regulation (GDPR) will satisfy most related U.S. privacy laws.

Organizational Security Controls

Organizations concerned about regulatory compliance for data collected via IoT devices need to ensure the respective Privacy and IT Security functions within their organizations are working closely together. Typically, the Privacy office has a better sense of the regulatory and compliance landscape, but the IT Security group is often charged with implementing the necessary controls to meet the corresponding obligations.

Data Protection by Design and by Default

The Internet of Things will continue to be an ever-expanding attack surface. Securing the sensitive data collected by IoT devices should be considered in the earliest stages of design and implemented in every stage of the IoT development and deployment lifecycle. Proper implementation of tokenization and encryption to secure data at rest and in transit can help achieve this.
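The tokenization pattern the paragraph above points to, as an added example rather than code from the original post or from TokenEx: a hypothetical in-memory token vault holds the key and the token-to-value mapping in the jurisdiction where the PII was collected, while the record that travels to a cross-border analytics platform carries only tokens. The field names, the sample wearable record, and the `TokenVault` class are constructed for this example; a keyed HMAC is used so tokens are deterministic (joins and deduplication still work downstream) yet cannot be reversed or guessed without the vault's key.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Fields of an IoT telemetry record that are personal data and must not leave
# the collecting jurisdiction in clear form (assumed field names for this example).
PII_FIELDS = frozenset({"owner_email", "owner_name"})


class TokenVault:
    """Hypothetical in-memory token vault (not a real product's API).

    The vault and its key stay in the jurisdiction where the PII was collected;
    only the tokens it issues travel to the analytics platform.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit secret; a fresh random key per vault instance if none is given.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._store: dict = {}

    def tokenize(self, value: str) -> str:
        # Keyed hash gives a deterministic token (same value -> same token), so
        # analysts can join and deduplicate on tokens without seeing the PII.
        # Without the key the token cannot be reversed or brute-forced from a
        # guess list, which a plain unkeyed hash of an e-mail address would allow.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only callers with access to the in-jurisdiction vault can recover PII.
        return self._store[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Replace every PII field with its token; leave telemetry fields untouched."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}


def leaks_pii(exported: dict, original: dict) -> bool:
    """True if any clear-text PII value from the original survives in the export."""
    exported_values = {str(v) for v in exported.values()}
    return any(original[f] in exported_values for f in PII_FIELDS if f in original)


# Constructed sample: a wearable's telemetry record as collected.
SAMPLE_RECORD = {
    "device_id": "wearable-0001",
    "owner_email": "alice@example.com",
    "owner_name": "Alice Example",
    "heart_rate_bpm": 72,
    "recorded_at": "2018-03-01T08:15:00Z",
}

if __name__ == "__main__":
    vault = TokenVault()
    exported = tokenize_record(SAMPLE_RECORD, vault)
    print("record safe to move across borders:", exported)
    print("leaks PII:", leaks_pii(exported, SAMPLE_RECORD))
    print("recovered in-jurisdiction:", vault.detokenize(exported["owner_email"]))
```

The `leaks_pii` check is the kind of control an export pipeline can run before any record leaves the collecting region; the vault itself, and any detokenization, remain behind the jurisdictional boundary.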

John Noltensmeyer, CIPP/E/US, CIPM, CISSP, ISA, is a Privacy and Compliance Solutions Architect for TokenEx.
