Enhanced Privacy Recommendations According to GDPR in the Context of Internet-of-Things (IoT)

By: S. Rizou and K. E. Psannis

The Internet of Things (IoT) is considered to be “the network of physical objects, devices, vehicles, buildings and other items which are embedded with electronics, software, sensors, and network connectivity, permitting these objects to gather and interchange data” [1, 2].

As a key element of the technology sector [3-5], IoT is expected to grow via 5G networks, as 5G networks are going to support 100 times more devices compared to the previous 4G networks [6]. The exponential growth of IoT in many sectors of everyday life [7-8], emerges potential issues to the data protection of data subjects [9], especially within a wireless network [10]. In this context, it should be mentioned that the initiatives of communication technologies raise privacy concerns, demanding specialized treatment to each one [11-12].

GDPR (General Data Protection Regulation), which sets out the data protection principles, obligations and data subjects’ rights [13], applies to the European Economic Area (EEA) [14]. Apart from the general protective screen of the GDPR provisions, it is important to put attention to the key elements of the IoT context in order to focus on the main privacy issues regarding IoT. The key aspects of IoT privacy can provide a practical implementation and assist the security measures aiming at the data protection of IoT users. Figure 1 illustrates these selected privacy aspects for the IoT environment as follows:

  • Anonymization: The security measure of anonymization consists of the transition of personal data into non-personal data according to the state of the art [15]. The principles and obligations of GDPR do not apply to anonymous data, which are not related to an identified or identifiable natural person (Recital 26). As a result, it could become an efficient security measure regarding big data of IoT.
  • Purpose limitation: Under this processing principle of GDPR, among the seven principles of Article 5 (Lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability), the restriction on further data processing incompatible with the primary collection purpose is required [16]. Therefore, focusing on the proper purpose of each processing via IoT, could limit unnecessary data processing with a different context from the primary processing.
  • Data minimization: This processing principle of GDPR refers to the requirement of prioritizing the necessity of each processing. In the context of IoT, this processing principle demands only the essential personal data for each processing. For example, the location data of a device is not considered to be an essential element of the processing, If the specific processing is not related to the location.
  • DPIA (Data Protection Impact Assessment): The Data Protection Impact Assessment is an assessment of the “impact of the envisaged processing operations on the protection of personal data” (Article 35 para 1). The conduction of this assessment is not required for every processing and is essential when “it is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 para 1). IoT is a new technology (Article 35 refers to the contribution of new technologies in the DPIA conduction) and it would be necessary before the launching of any new IoT application [17].
  • Lawful consent: The data subject’s consent is a very important and common legal basis of data processing. In the context of the consent via IoT environment, two major elements should be mentioned. Firstly, according to Recital 32, if the consent request is provided with electronic means, this should not interrupt the use of the specific service. In addition, the withdrawal of the consent should be as easy as the given consent. Regarding IoT applications, special consideration should be given to the procedures that include the withdrawal of the data subject’s consent.
Enhanced Privacy Recommendations According to GDPR in the Context of Internet-of-Things (IoT)
Figure 1: Key elements of IoT privacy

In conclusion, it should be mentioned that the key privacy concerns have been presented in order to point out the main data protection issues of IoT. This framework, therefore, highlights that the combination of the legal and Information technology field has become of vital importance regarding the IoT environment.


  1. Atzori, L., Iera, A., & Morabito, G. (2010).The internet of things:A survey. Computer networks, 54(15), 2787-2805.
  2. Roy, S., Bose, R., & Sarddar, D. (2015). A fog-based dss model for driving rule violation monitoring framework on the internet of things. International Journal of Advanced Science and Technology, 82, 23-32.
  3. Stergiou, C., Psannis, K. E., Kim, B. G., et al. (2018). Secure integration of IoT and cloud computing. Future Generation Computer Systems, 78, 964-975.
  4. Memos, V. A., Psannis, K. E., Minopoulos, G., Kokkonis, G., & Ishibashi, Y. (2019, December). An Energy Efficient Scheme for IoT (EES4IoT). In 2019 2nd World Symposium on Communication Engineering (WSCE) (pp. 11-15). IEEE.
  5. Stergiou, C. L., Plageras, A. P., Psannis, K. E., et al. (2020). Secure machine learning scenario from big data in cloud computing via internet of things network. In Handbook of computer networks and cyber security (pp. 525-554). Springer, Cham.
  6. Liyanage, M., Ahmad, I., Abro, A. B., Gurtov, A., & Ylianttila, M. (Eds.). (2018). A comprehensive guide to 5G security. (pp. 34-307). John Wiley & Sons.
  7. Plageras, A. P., Psannis, K. E., Stergiou, C., Wang, H., et al (2018). Efficient IoT-based sensor BIG Data collection–processing and analysis in smart buildings. Future Generation Computer Systems82, 349-357.
  8. Stergiou, C., & Psannis, K. E. (2017). Recent advances delivered by Mobile Cloud Computing and Internet of Things for Big Data applications: a surveyInternational Journal of Network Management27(3), e1930.
  9. Memos, V. A., Minopoulos, G., Stergiou, K. D., & Psannis, K. E. (2021). Internet-of-Things-Enabled Infrastructure Against Infectious Diseases. IEEE Internet of Things Magazine4(2), 20-25.
  10. Stergiou, C. L., Plageras, A. P., Psannis, K. E., et al. (2020). Secure machine learning scenario from big data in cloud computing via internet of things network. In Handbook of computer networks and cyber security (pp. 525-554). Springer, Cham.
  11. Stergiou, C., Psannis, K. E., et al. (2018). Security, privacy & efficiency of sustainable cloud computing for big data & IoT. Sustainable Computing: Informatics and Systems, 19, 174-184.
  12. Stoyanova, M., Nikoloudakis, Y., Panagiotakis, S., Pallis, E., & Markakis, E. K. (2020). A survey on the internet of things (IoT) forensics: challenges, approaches, and open issues. IEEE Communications Surveys & Tutorials, 22(2), 1191-1221.
  13. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), April 2016. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2016/679/oj
  14. European Free Trade Association. (2016, Aug. 19).  Agreement on the European Economic Area.
  15. Article 29 Data Protection Working Party. “Opinion 05/2014 on Anonymisation Techniques.” WP216, 10 Apr 2014. [Online]. Available: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf
  16. Burton, C., De Boel, L., Kuner, C., Pateraki, A., Cadiot, S., & Hoffman, S. G. (2016). The final european union general data protection regulation. BNA Privacy & Security Law Report, 15, 153.
  17. Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., & Rost, M. (2016, September). A process for data protection impact assessment under the european general data protection regulation. In Annual Privacy Forum (pp. 21-37). Springer, Cham.

Cite this article as

S. Rizou and K. E. Psannis (2021), Enhanced Privacy Recommendations According to GDPR in the Context of Internet-of-Things (IoT), Insights2Techinfo, pp.1

9300cookie-checkEnhanced Privacy Recommendations According to GDPR in the Context of Internet-of-Things (IoT)
Share this:

Leave a Reply

Your email address will not be published.