Ensuring GDPR Compliance in IoT Network With a Glass Box Security Guard System
Published in | IEEE Transactions on Privacy, Vol. 2, pp. 27-40 |
---|---|
Format | Journal Article |
Language | English |
Published | IEEE, 2025 |
Summary: | This paper addresses the challenges of General Data Protection Regulation (GDPR) compliance posed by the growing prevalence of Internet of Things (IoT) devices, which exacerbate privacy concerns. GDPR mandates that data controllers protect personal data and requires explicit consent for data processing, but centralized approaches create opaque closed-box systems prone to misuse. Although recent solutions use blockchain for access control by recording data subject consents, they focus solely on transaction-level activities and overlook user devices controlled by enterprises, leaving closed-box issues unresolved. To address these challenges, we propose a data protection guard (GDPR-Guard), a novel transparent glass-box solution that shifts control from enterprises to users, enhancing transparency and accountability by auditing the entire device lifecycle, including manufacturing, which existing solutions often neglect. The supervisory authority oversees manufacturing, ensuring each device integrates a secure GDPR-Guard that logs certified device manufacture, controlled application deployment, reliable ownership transfer, and consent-based data collection or application updates using tamper-proof digital signatures. This enables reliable investigations throughout the device's lifecycle. The paper also offers a comprehensive access control and auditing protocol, presents a proof-of-concept implementation, evaluates security against concrete threat models, and demonstrates the reliability and acceptable performance of the solution for GDPR compliance. |
---|---|
ISSN: | 2836-208X |
DOI: | 10.1109/TP.2025.3546854 |