How Europe’s General Data Protection Regulation is Changing Product Design

Explaining the issues raised by the European GDPR law soon to be enforced and how electronics companies can address these

BY BERND HANTSCHE, MARKETING DIRECTOR EMBEDDED & WIRELESS AT RUTRONIK

“Alexa, has my neighbour won the lottery?” Amazon’s virtual personal assistant could probably answer this question quite easily, given how much data such online services now collect and correlate. Social networks such as Facebook and LinkedIn can perform equally disconcerting tasks, revealing hidden links between people and groups. And even simple IoT devices, such as connected thermostats, smart door locks and Wi-Fi lighting, can now leak sensitive personal information.

The technical abilities of these networks and devices are constrained by data-protection laws – in some places. In the Chinese coastal city of Rongcheng, however, economics professor Zhang Zheng is pushing the boundaries of personal data analysis in a pilot project that evaluates and classifies citizens based on their digital footprint. The classifications are then used to decide whether to grant citizens a loan, or which class of train ticket to issue them. Parents use the system to obtain credit information about potential spouses for their children. If the pilot goes well, the analytics tool will be introduced nationwide as a ‘System for Social Credibility’ by 2020. China hopes it will help create better and more prudent citizens, since in such a digitally monitored society their every mis-step will result in socially visible consequences.

Saying ‘no’ to Big Brother

Attitudes to privacy vary widely by culture. In Europe, which has suffered under authoritarian regimes intent on knowing and controlling the most intimate details of people’s lives, privacy is still highly valued. That’s why the European Union introduced its General Data Protection Regulation (GDPR) in April 2016 and will make its provisions mandatory on 25 May this year. The GDPR was formulated as a response to dissatisfaction about existing measures on data protection, including inconsistent implementations by the nation states and fines that were too small to prompt much action.

Under GDPR, fines can now be up to 4% of annual group turnover to a cap of €20 million – which is much more motivating. The other major change with GDPR concerns the burden of proof. It used to be a case of doing what you thought reasonable to protect personal data and then having a discussion with regulators if they found fault; now, if you’re unable to prove you have done the right thing, the law assumes you haven’t.

Protecting personal data on devices

This is a challenge for almost all organisations, and especially for hardware designers.

The GDPR applies to all European natural persons. For many organisations, its consequences are so enormous that new roles are being created, and employees from Information Technology, Human Resources, Quality Assurance and other departments are having to learn fast and cooperate deeply in order to rewrite company policies and guidelines.

Hardware and software developers, product managers, purchasers and portfolio managers face their own GDPR issues. Article 32 of the Regulation covers ‘security of processing’, while Article 25 discusses ‘data protection by design and by default’.

These sections of the text will have a profound effect on electronic engineers and embedded-software specialists. For example, the GDPR says that personal data should be encrypted, in a way that takes into account the relevant state-of-the-art technology. It is also unclear what data will be regarded as personal, and this hasn’t yet been legally clarified. Likewise, the definition of ‘state of the art’ is open to interpretation for all components, processes, and intended applications. Does this clause of the GDPR mean that designers must always use an RSA-based asymmetric encryption strategy, or is an AES method, which is around one thousand times faster, sufficient? For which applications would error checking and correction or the hybrid SSL/TLS method be a satisfactory compromise from a legal perspective?

The security of data processing and of data protection ‘by design and default’ required by the GDPR does not end with encryption issues. For instance, the regulations say that data processing must be ‘permanently’ guaranteed. So do designers choose longer-lasting single-level-cell NAND memory, or a RAID array of cheaper triple-level-cell NAND memory, to satisfy the regulations?

Redundant power supplies for doctors’ computers?

The GDPR also stipulates that data systems must always be available. Does this mean that every doctor’s computer that holds personal data must have a redundant power supply? If this is the case, how are uninterruptible power supplies with back-up batteries to be viewed, and just how much surge protection will be regarded as enough? Is the required capability to swiftly restore access to personal data in the event of a physical or technical incident over-prescribed in GDPR, given that designs are also supposed to feature built-in redundancy and extra high-quality construction?

The more you analyse the two paragraphs mentioned and follow the online forum discussions, the greater the concerns about failing to comply with all the requirements of GDPR – or worse still, having to face a barrage of cease-and-desist letters initiated by market competitors claiming your designs breach its provisions.

Protecting displays, user interfaces, wireless connections and more

Our design teams have been reviewing the impact of GDPR for a while, and the more we look at it the more its implications seem to proliferate.

At first, the team concentrated on core topics such as making data transfer, data storage, and data-processing equipment comply with the requirements of GDPR. We’ve now broadened our outlook to more systemic issues, such as finding ways to overcome ‘social engineering’ hacks on equipment, in which hackers charm or cajole key security details out of legitimate users in order to gain illegitimate access. Addressing this issue may mean abandoning the use of PIN codes and passwords that can be hacked, in favour of using biometric sensors such as fingerprint readers.

GDPR touches on many other aspects of hardware and software development. Designers may have to start using displays with narrow viewing angles, like those familiar in bank machines, to protect sensitive data from being overlooked. It might also be time to start using proprietary wireless protocols, protected by rolling codes, to create more secure wireless links than standard protocols can offer. And embedded designers will have to understand all the mechanisms through which their systems can be compromised by malicious code, during the boot process, updates and normal operation, in order to protect the user information that flows through their devices.

Getting help with GDPR

Rutronik has had to establish a multidisciplinary team of experts to help customers understand the issues involved in implementing the requirements of GDPR. Experts from the Storage Technologies, Wireless Technologies, Embedded Boards, Embedded Systems, Security Modules, Micro-Controllers, Displays, and Sensors product areas have developed complete system concepts that meet the GDPR to the best of their knowledge and belief. We can’t take away our customers’ liability for meeting the Regulation’s requirements, but we can provide well-informed, up-to-the-minute advice on the security implications of using individual components to help them address the issue.

Rutronik has also published a comprehensive security white paper and from early 2018 will have a team of experts to support the sales team during customer meetings. Sales staff are also being trained about GDPR using online courses.

As we work to satisfy the requirements of GDPR, it is worth remembering that doing so is about more than just avoiding its penalties. These efforts serve another important purpose: to set clear boundaries for Alexa and all the other devices that collect and process our personal data. The last thing we want in Europe is a ‘social credit’ agency investigating prospective brides and grooms – and everyone else!
