
Geoff Revill, co-founder of Krowdthink Ltd, developer of the Krowd personal app and an advocate for privacy and digital rights, shares the impending challenges, and opportunities, facing companies collecting personal data in light of new regulatory rules, and why the changes will be particularly crucial for the IoT.

“If we don’t give users control of their data the IoT will fail”

This was the stark warning from Stephen Pattison, VP Public Affairs, ARM, at a recent conference at the Alan Turing Institute for Big Data in London.

Coming from a £1Bn company whose business future will be significantly linked to the success of the IoT (almost every high performance low power IoT device will use their processor technology), this is a hugely significant statement.

But there is another key factor for the future business success of both the IoT and Big Data: a massive EU regulatory change whose business impact most companies (whether EU based or not) have little or no comprehension of.


The Data Protection Act (DPA) is about to be replaced by the General Data Protection Regulation (GDPR), a rewrite of laws that takes into account current commercial business practices and seeks to rebalance the privacy equation back towards the consumer.

It includes a lot of new powers and many new demands upon businesses. It will call into question not just existing business models, but also the very culture of system and application developers.

If your business is using 3rd party software tools, you had better be aware of precisely what they do with your customers’ data when operating on it for you, because you, as the first party, now become responsible for appropriate, fully informed consent. Something as simple as a website built using off-the-shelf tools suddenly becomes a point of compliance weakness – those JavaScript trackers just became your liability.
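One way to start finding out what those off-the-shelf tools pull in is to inventory the hosts a page makes the browser contact. The following is an added example, not code from the author or Krowdthink; the sample page and every host name in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; all hosts are made-up placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/t.js" async></script>
<script src="//ads.tracker.example/pixel.js"></script>
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=X">
</head><body>
<img src="https://ads.tracker.example/1x1.gif?uid=123" width="1" height="1">
<iframe src="https://shop.example/widget"></iframe>
<a href="https://other.example/">plain link, nothing is loaded</a>
</body></html>
"""

# Tag -> attribute that makes the browser fetch a resource.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.resources.append((tag, urljoin(self.page_url, value)))

def third_party_inventory(html, page_url):
    """Return {host: sorted tags} for resources not served by the first-party host."""
    first_party = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    inventory = {}
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            inventory.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in sorted(inventory.items())}

if __name__ == "__main__":
    for host, tags in third_party_inventory(SAMPLE_HTML, "https://shop.example/").items():
        print(host, tags)
```

This only sees what is in the static HTML; scripts that inject further scripts at run time need a browser-level capture to show up.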

If you obtain personal data, you now need to give individual customers the right, and a simple means, to delete it! This becomes a massive provenance issue because it covers any personal data at all, including metadata about your customers’ use of your services: it pertains to them, so it’s personal and thus subject to the GDPR, and it is going to be a headache to separate out in existing data models.

Most IT depts don’t delete, they hide (de-index); this is not enough under the GDPR. This is just one of at least 10 seismic new challenges for any digital business, especially in the IoT, where consent issues are so hard to address.
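The difference between hiding and deleting, including the usage metadata mentioned above, can be shown on a small database. This is an added example, not the author's or Krowdthink's code; the schema, table names and sample rows are constructed for illustration, and backups, logs and third-party copies are outside what it covers.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, hidden INTEGER DEFAULT 0);
CREATE TABLE usage_events (id INTEGER PRIMARY KEY, ip TEXT, path TEXT,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE);
CREATE TABLE search_index (term TEXT, customer_id INTEGER);  -- denormalised copy, no FK
INSERT INTO customers (id, email) VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
INSERT INTO usage_events (customer_id, ip, path) VALUES
    (1, '2001:db8::1', '/login'), (1, '2001:db8::1', '/orders'), (2, '2001:db8::2', '/login');
INSERT INTO search_index VALUES ('alice@example.test', 1), ('bob@example.test', 2);
"""

def build_db():
    """In-memory database holding constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FK actions unless enabled
    db.execute("PRAGMA secure_delete = ON")  # zero freed pages instead of leaving old bytes
    db.executescript(SCHEMA)
    return db

def residual_rows(db, customer_id):
    """Count rows in every table that still refer to the customer."""
    columns = {"customers": "id", "usage_events": "customer_id", "search_index": "customer_id"}
    return {table: db.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} = ?",
                              (customer_id,)).fetchone()[0]
            for table, col in columns.items()}

def hide(db, customer_id):
    """The 'de-index' approach: gone from search and UI, still stored."""
    with db:
        db.execute("UPDATE customers SET hidden = 1 WHERE id = ?", (customer_id,))
        db.execute("DELETE FROM search_index WHERE customer_id = ?", (customer_id,))

def erase(db, customer_id):
    """Delete the record, its usage metadata (FK cascade) and copies outside FK control."""
    with db:
        db.execute("DELETE FROM search_index WHERE customer_id = ?", (customer_id,))
        db.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    leftovers = {t: n for t, n in residual_rows(db, customer_id).items() if n}
    if leftovers:
        raise RuntimeError(f"erasure incomplete: {leftovers}")

if __name__ == "__main__":
    db = build_db()
    hide(db, 1)
    print("after hide :", residual_rows(db, 1))
    erase(db, 1)
    print("after erase:", residual_rows(db, 1))
```

After `hide` the customer row and both usage events are still present; only `erase` brings every count to zero, and the check at its end fails loudly if a table was missed.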

Now normally we see regulatory compliance as a requirement to go through before product release, asking lawyers to rubber stamp what we did as developers.  It thus becomes a risk mitigation exercise and a cost burden; a burden many start-ups in particular find hard to carry at initial release.



But in the context of the statement from ARM, whether building IoT systems, or systems that operate on big data that include personal information, this is no longer a burden that can be set aside – because the risks just became killer.  The new regulations are much stronger, much more fit for purpose in the digital age (less wriggle room for the lawyers to help you mitigate risk).

They now carry fines for non-compliance of up to 20M Euros or 4% of your global turnover, whichever is bigger; a massive step up from the few hundred thousand Euro maximums previously seen.

So perhaps it’s time for a fundamental rethink? Instead of seeing regulation as a burden and cost when it changes, maybe see it as an opportunity to disrupt if you are a startup or innovate if you are a corporate?

Study after study has shown increasing consumer desire for their digital lives to be respected and to be able to trust their service and product suppliers, not least of which was, of course, the recent MEF study. The GDPR raises the bar of compliance, but it’s still a legal minimum. Businesses that go beyond compliance can differentiate with competitive value.

But none of us are lawyers and fewer startups can afford to pay for this sort of baseline legal guidance.  This was a dilemma we faced.  What a lot of research and work uncovered was the little secret lawyers won’t tell you – that all laws do is try to codify (yep just like we code our apps) key principles; principles that once you understand and operationalize mean you are likely to not only end up with a legally compliant product but one that will engender trust from your customers.

They are not too difficult to understand, but you do need to read and think carefully about them. Here are just a few of the key ones we work to (not an exhaustive list but an excellent start):


Any data, whether an IP (IPv6) address, email, location & movement patterns or postcode/name, should be treated with the utmost security – encrypt encrypt encrypt

Informed Consent

Two key words that allow you to operate on someone’s personal data – ask yourself, does your user really know what you are doing with their data?


  • Hard to pin down without context – but it can be defined one way, in the breach: “Privacy is breached when my data is used in a way that I did not understand at the point of providing it”
  • Follow the 7 principles of Privacy-by-Design
  • Add an 8th overriding principle – treat all personal data as if owned by the user – imagine it is your child’s data


Don’t write a line of code until you have defined how your software will be secure-by-design – adding security later is damned hard, sometimes too costly to do, a dilemma you don’t want to be faced with given the fines for lack of industrially accepted security practice


Open and Transparent

About your business model and what data you obtain and use. If you cannot be honest with your customers on these subjects, then are you really building a trustworthy platform?

There are more principles to comprehend to build a fully trustworthy company and product, but our future digital society would be a better place for our children to inherit if we followed these basic concepts as a start point.

Geoff Revill is Co-Founder of Krowdthink Ltd, developer of the Krowd personal networking app and an advocate for privacy and digital rights. He is speaking at upcoming London event Privacy: The Competitive advantage. MEF Members can attend at a 20% discounted rate, see here for details.
