Business Challenges in the evolution of HOME AUTOMATION (IoT)
Alessandro Cosenza Chief Information Security Officer - BTicino Enrico Valtolina Innovation & Partnership Manager – Legrand Group About the speakers …
The global specialist in electrical and digital building infrastructures Over catalogue items in 78 product families 4.5 billion euro of sales in 2014 Established in more than 80 countries and sold in close to 180 countries Close to 36,000 employees
Home Automation: Internet of Things for Home Cloud ADSL modem Home Automation gateway LAN
What’s going to happen outside the home Cloud Insurance companies Caregivers ESCO
Legrand Privacy and Security requirements framework constituted a work-group in order to capture the privacy and security requirements. it made up of representatives from the business units of the company. it is a multidisciplinary team : Privacy and security office, Legal, Product Manager, R&D, Marketing,.. the Mission of the group is: Building a methodological framework to model the privacy and security requirements specifications for IoT in order to deal with its mission critical nature. Developing such a requirements engineering framework in order to ensure proper development of IoT with security and privacy taken into account from the earliest stages (Privacy and Security by Design). Define Internal Standard Privacy and Security Policy Give expert advices (best practices), regarding the development of all IoT projects keep a focus on standards,laws, (eg. EU Privacy) in order to ensure compliance with international regulations
ARTICLE 30 - Security of processing Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organizational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: ARTICLE 33 - Data protection impact assessment Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. Risk Management – Data Protecion Impact Assessment (DPIA) By The EU General Data Protection Regulation (GDPR)
Definition: the Internet of Things (IoT) refers to an infrastructure in which billions of sensors embedded in common, everyday devices – “things” as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities Working Party ARTICLE 29 : Opinion 8/2014 Collection exceeding purpose : The increase of the amount of data generated by the IoT in combination with modern techniques related to data analysis and cross-matching may lend this data to secondary uses, whether related or not to the purpose assigned to the original processing. Third parties requesting access to data collected by other parties may thus want to make use of this data for totally different purposes Continue …
Working Party ARTICLE 29 : Opinion 8/2014 Profiling:.. domotics raise specific data protection and privacy challenges as an analysis of usage patterns in such a context is likely to reveal the inhabitants’ lifestyle details, habits or choices or simply their presence at home. Possibility to withdraw consent and to oppose: Data subjects must have a possibility to revoke any prior consent given to a specific data processing and to object to the processing of data relating to them. The exercise of such rights must be possible without any technical or organisational constraints or hindrances and the tools provided to register this withdrawal should be accessible, visible and efficient.
D PIA can be carried out for the purpose of: identifying privacy risks and responsibilities; providing input to design for privacy protection (sometimes called Privacy by Design); reviewing a new information system`s privacy impact; providing input to planning a response for privacy impacts; maintaining later updates or upgrades with additional functionality likely to impact the PII that are handled; aiding in a stakeholder engagement where privacy may be a sensitive issue; providing evidence relating to compliance, where compliance is required; or providing the basis for provision of privacy information to PII principals on residual risks and any PII principal mitigation action necessary.
- New Services to be proposed (also in collaboration with other companies) - Reduce the costs to deliver old services - Improve efficiency / reliability of devices - Improve the “end user” contacts - Data Privacy & Security - Costumer respect & awareness Laws & Regulations Data means “economical values” to be balanced with Privacy & Security
Thank You