Cybersecurity and the EU GDPR
May 25, 2018, will certainly be in the minds of CISOs and data managers around the world for some time to come. By that date, companies had to be compliant with the EU General Data Protection Regulation (GDPR). The focus of the act is for persons who are citizens of the European Union (EU) to have greater control over their data. As applied, this provides for much greater accountability for the businesses handling, processing, managing, and storing a person’s data. The act is far-reaching, as it follows your data. Your data can be the obvious (e.g. name, address, username, ID number, race/ethnicity, genetic data, photo, and banking details). It also covers any data that can be used to directly or indirectly trace you. For the latter, this may be your IP address, cookie identifier, and other data points.
There are volumes of articles on GDPR, the fines, and how this applies to the enterprise. The issue not explored nearly as much is its application to embedded systems. These are present in equipment and machinery used globally in cars, trucks, farm equipment, and many other settings. These systems also use various apps for the user’s experience.
For this article, we will not be focusing on who or which entity owns the data. That topic is reserved for law review journals. The GDPR is rather clear that the data created by the vehicle is the property of the owner. While this appears clear, there still may be issues. Connected vehicles collect a mountain of data now. This is going to increase substantially as time passes and the vehicles become more complex. This applies to the user’s data within the vehicle’s infrastructure, managed by its processes, and uploaded to the cloud. While the data collected is rather substantial, the only data which should be collected per the GDPR relates directly to the vehicle’s operation. This data is vital with many uses, including predictive analysis. With the data being pertinent for the vehicle’s operations, along with the analysis, there is value held here. To keep the environment secure, at a minimum the infrastructure would need to be secured and the data encrypted.
Why is this important?
The data related or identifiable to a person is their private data. This describes their life. The data could be used for malicious purposes, to track people who have done nothing wrong, to predict future activities (i.e. where they probably will be at a certain day and time), and for other inappropriate uses. This data, while held at the company, would continue to be a target for attackers. While misuse would not be ethical, there is a more direct disincentive for companies involved with this type of behavior. For every data or GDPR breach, there could be a fine of up to €20M or 4% of the annual worldwide turnover (revenue), whichever is greater. Recent fines include $840k to BKR, $600k to Google (Belgium) and $50m to Google, €99M to Marriott International, and £183m to British Airways. These amounts are significant. Even if only a portion of these fines is paid, the amounts are still enough to get the attention of any person in finance and the Board.
Vehicles collect and hold an enormous amount of data. This data partially consists of the user’s data. This data is private and confidential. The extra data, which may be collected by the vehicle, also could be used to identify the user. Based on what is currently done with the vehicle’s operations, the GDPR does apply. The next step is to determine the responsible party. *This article should not be used as legal advice; please seek your own legal advice from a qualified, licensed attorney.* For a clearer understanding, we need to clarify a few aspects. We need to know the purpose of the data collected, how the data is collected, and whether one party or several control the data. These questions are designed to bring the broad issue down to a reasonable level of analysis.