Demonstrably Doing Accountability in the Internet of Things

TL;DR

This paper discusses integrating accountability into IoT systems to enhance data protection and user trust, emphasizing GDPR compliance and practical implementations like the IoT Databox.

Contribution

It analyzes how accountability can be embedded in IoT design, translating GDPR principles into system features and evaluating the IoT Databox as a practical solution.

Findings

Accountability enhances user trust in IoT.

GDPR principles can be operationalized in IoT systems.

IoT Databox demonstrates practical implementation of data protection.

Abstract

This paper explores the importance of accountability to data protection, and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms, and lack of interfaces enabling end-user control over the behaviours of internet-enabled devices. The lack of accountability precludes meaningful engagement by end-users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The EU General Data Protection Regulation 2016 (GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so it foregrounds new responsibilities for data controllers, including data protection by design and default, and new data subject rights such as the right to data portability. While GDPR is technologically neutral, it is nevertheless anticipated that realising the vision will turn upon effective technological development. Accordingly, this paper examines the notion of accountability, how it has been translated into systems design recommendations for the IoT, and how the IoT Databox puts key data protection principles into practice.