GDPR Compliance Verification in Internet of Things

Abstract

Data privacy in Internet of Things (IoT) applications remains a major concern of regulation bodies. The introduction of the European General Data Protection Regulation (GDPR) enables users to control how their data is accessed and processed, requiring consent from users before any data manipulation is carried out on their (personal) data by smart devices or cloud-hosted services. Blockchains provide the benefits of a distributed and immutable ledger recording digital transactions across a global network of peer nodes. Blockchain support for tracking of operations carried out by an IoT-based system provides greater confidence to a user that the IoT device is not infringing user privacy (as the Blockchain can be audited to verify which operation was carried out, by which actor). A formal model (following the privacy-by-design approach) is proposed for supporting GDPR compliance checking for smart devices. The privacy requirements of such applications are related to GDPR obligations of device (and software systems) operators (such as user consent, data protection, right to forget etc). Three smart contracts are proposed as a practical solution to support automated verification of operations carried out by devices on user data, in accordance with GDPR rules. We evaluate the performance and scalability costs of our approach using a Blockchain test network.