Staying data compliant in the IoT

Article by: Rehan Hameed

Customers want assurance that their data is protected and being used in their best interests.

The internet has gone through many transitions – what started as a communication network for educators and researchers now powers the way we communicate, shop, and live. Now stakeholders are on the edge of their seats because they see another dynamic shift on the horizon – the increasing ubiquity of interconnected and intelligent mobile devices.

The internet of things (IoT) is powered through sensors and processors on billions of devices that employ machine learning to gather and share data. As a result, IoT has revolutionized our expectations of data collection and privacy. Demand for greater anonymity from internet users has increased, but users are still regularly willing to share personal information for the sake of personalization and better service.

Data security – and client perceptions of this security – are paramount to businesses employing IoT devices. The IoT revolution has improved many areas of our lives, but in building the Internet of Things, we continue to challenge security specifications by linking an ever-increasing number of devices with greater processing power.

The General Data Protection Regulation (GDPR) of the European Union mandates data compliance for all internet-connected devices. However, passing nuanced privacy tests is challenging for IoT organizations, and failing these tests is expensive in terms of fines and possible loss associated with breaches. We’ll offer a few suggestions that device creators can employ to stay data compliant when developing IoT devices to help businesses stay secure in the age of interconnected mobile devices.

Data collection

Device developers are responsible for creating solutions that are both effective and data compliant. What’s more, secure coding is critical to developing secure embedded and IoT devices and applications. Therefore, developers must undergo extensive training, with security as a significant part of their programming education, so they can create data collection methods that are efficient and secure.

Developers must implement secure and dependable data collection and processing in keeping with industry regulations. The techniques used by business owners to gather, sort, store, and transmit IoT data all determine the solution’s reliability and scalability. In addition, to avoid legal penalties, developers must integrate security into all levels of IoT applications and obtain permissions from device users when collecting data.

Tech teams can use metadata and attach meta-tags to existing IoT data to make sense of all the sensors’ data. This simplifies the process of sorting through, monitoring, and storing various types of data. But to stay compliant, you should limit the amount of data you collect and how you use it. Also be sure to create a strategic availability service for the information you’ve gathered.
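The collection rules above (user permission, meta-tags, limiting what is collected) can be enforced at the point where a sensor message is ingested. The following is an added example, not code from the article; the purposes, field names and retention periods are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the article): per purpose, the fields that may be
# kept and how long a record may be retained.
POLICY = {
    "climate_control": {"fields": {"temperature_c", "humidity_pct"},
                        "retention": timedelta(days=30)},
    "energy_billing": {"fields": {"kwh"}, "retention": timedelta(days=365)},
}


def collect(reading, purpose, consents, now):
    """Return a minimized, meta-tagged record, or None if it may not be kept."""
    policy = POLICY.get(purpose)
    device_id = reading.get("device_id")
    # No defined purpose or no recorded user permission: collect nothing.
    if policy is None or purpose not in consents.get(device_id, set()):
        return None
    # Data minimization: keep only allow-listed fields, drop everything else.
    data = {k: v for k, v in reading.items() if k in policy["fields"]}
    if not data:
        return None
    # Meta-tags make the record sortable and auditable later.
    return {
        "data": data,
        "meta": {
            "device_id": device_id,
            "purpose": purpose,
            "collected_at": now,
            "expires_at": now + policy["retention"],
        },
    }


def purge_expired(store, now):
    """Drop records whose retention period has passed."""
    return [r for r in store if r["meta"]["expires_at"] > now]


# Constructed sample input: one sensor message carrying more than is needed.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CONSENTS = {"thermo-01": {"climate_control"}}
READING = {"device_id": "thermo-01", "temperature_c": 21.5,
           "humidity_pct": 40, "wifi_ssid": "HomeNet", "gps": (52.5, 13.4)}

if __name__ == "__main__":
    print(collect(READING, "climate_control", CONSENTS, NOW))
```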

Data storage

Although cloud storage is an essential aspect of the Internet of Things, there are several compelling reasons to be wary of it. One of the biggest challenges with cloud storage is data privacy, since any data that leaves the site where it is generated is exposed to attacks and security breaches. Government policies are strict about data storage, and the risk here is that all data on the centralized cloud can be compromised if there is a security breach.

If you’re an IoT company storing data on a centralized cloud, it’s much more difficult to stay compliant with privacy standards. Changing the device’s connection type is one solution, putting the focus on the backend of cloud security.

As an alternative, peer-to-peer connections circumvent the cloud and enable direct access between the end-user client and the IoT device. This eliminates delay while ensuring that data is safely saved on the IoT device rather than in the cloud. Device creators should also keep in mind that employing cloud storage for IoT is problematic due to the need to create retention periods to remain GDPR compliant.

Another argument for moving away from cloud storage for IoT is that cloud services can go offline at any time. In that case, any cloud-based technology may become unavailable, so securing your IoT devices must be done with backups in mind. Furthermore, internet access is often unavailable in certain countries, which might be inconvenient for any IoT organization.


The GDPR creates stringent obligations for user data protection and a strict 72-hour period for reporting a data breach. If you can show that you took proper security measures and quickly alerted affected customers about a data breach, you should not be punished for the attack under GDPR standards. However, these requirements can be difficult to implement for companies and difficult to enforce for governments.

When an IoT device is registered and connected to a network, you must verify that it is authentic. Therefore, it would be best to evaluate if there is cryptographic confirmation of legitimacy and whether the device has robust authentication. If an issue emerges, this level of attention to detail enables you to provide total transparency to auditors and users in a fair amount of time.
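One form the authenticity check at registration can take is a challenge-response in which the device proves possession of a provisioned key, with every attempt recorded for later audit. This is an added example, not code from the article; it assumes a per-device symmetric key and HMAC-SHA256, and the device ids and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Assumption: each device is provisioned at manufacture with a unique secret
# that the registration service also holds. The key below is a constructed
# sample value, as are the device ids.
DEVICE_KEYS = {"sensor-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}


class Registrar:
    def __init__(self, keys):
        self.keys = keys
        self.pending = {}    # device_id -> nonce issued and not yet used
        self.audit_log = []  # (device_id, outcome) trail for later review

    def challenge(self, device_id):
        """Issue a fresh random nonce for this registration attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def register(self, device_id, response):
        """Accept the device only if it proves possession of its key."""
        nonce = self.pending.pop(device_id, None)  # one use: blocks replay
        key = self.keys.get(device_id)
        ok = False
        if nonce is not None and key is not None:
            expected = device_response(key, device_id, nonce)
            ok = hmac.compare_digest(expected, response)  # constant time
        self.audit_log.append((device_id, "accepted" if ok else "rejected"))
        return ok


def device_response(key, device_id, nonce):
    """Device side: MAC over its id and the server's nonce."""
    return hmac.new(key, device_id.encode() + b"|" + nonce,
                    hashlib.sha256).digest()
```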

Full transparency instills trust in a company by providing insight into the firm’s policies, devices, data collection procedures, etc. This demonstrates that the company is functioning responsibly, which will improve customer perception of data security.

It’s also important to maintain contacts with the security research community. Inviting these groups to identify and report vulnerabilities allows you to address any issues that may arise, providing another pair of eyes on your compliance and security.


In light of the seemingly omnipresent and destructive consequences of data theft, it makes sense that customers want assurance that their data is being used in their best interests and for a good reason. Some may even demand that their information be permanently erased from computer systems, as is their right under GDPR. Therefore, device makers should be able to address data privacy and security issues at every level of their production, testing, and marketing. The device creators’ responsibility is to deliver data-secure devices so we may realize the possibilities for advancement across industries that the IoT offers.


This article was originally published on Embedded.

