The 25th of May 2018 will be an important date for businesses operating in the Smart Home sector (and beyond). This is the date by which companies will have to prove compliance with the new European regulation GDPR EU 679/2016, which includes the adoption of specific measures to protect the privacy of consumers.
The EU 679/2016 European Regulation on personal data protection (GDPR – General Data Protection Regulation), approved on the 24th of May 2016 but coming into effect from the 25th of May 2018, is the regulatory framework of reference to which all organizations must conform, and it has a significant impact on the very broad Internet of Things and Smart Home scenario as well.
To fully understand the changes introduced by the Regulation it is necessary to highlight the basic shift in philosophy: an approach in which the data controller is accountable. The GDPR, in fact, requires that controllers and processors proactively choose and apply technical and organizational measures already in the early stages of data processing, and more generally that they define which compliance measures will be adopted. At the same time, they must always be able to demonstrate the rationale on which their choices are based, as well as how compliance with the European regulation is achieved.
In the connected home era the data generated by smart objects is a key element: on one hand it provides new revenue sources for companies and helps in delivering value-added services to consumers; on the other it forces companies acting as data controllers or processors to adopt procedures that guarantee the rights of the people involved.
With the growing spread of Smart Home solutions, companies have increasing access to flows of data capable of reducing the distance between the physical and digital worlds. The many sources from which data can be collected, processed and stored, and the feasible options for deriving value from it, justify the great attention placed on this matter.
Video cameras, thermostats, dolls and connected washing machines are all devices within homes that can interact with people and the surrounding environment, record sound and video, and connect to the Internet. These objects are therefore capable of collecting, processing and communicating data and information of various kinds – from voice to passwords, to families’ tastes, preferences and habitual behavior – and therefore present possible risks to consumer data protection.
All this only highlights the strong impact of the data controllers’ accountability requirements prescribed by the GDPR, which effectively entail the demonstrable implementation by Controllers and Processors of the following procedures by May 25, 2018:
• proper, transparent and authorized use of personal information, in compliance with principles set forth by the GDPR;
• data protection by design. This principle establishes a radical shift from what most companies have traditionally done, as it requires data privacy controls to be embedded in the design of Smart Home solutions;
• privacy by default: processing only the data required for each specific purpose, according to the minimization principle. This implies that data cannot be collected and stored for generic “future use”, since it is now essential to clearly identify and state its purpose from the very start;
• DPIA – Data Protection Impact Assessment: evaluating the impact of data processing to identify whether it poses a high risk to people’s rights and freedoms, especially when it is performed through the use of new technologies;
• appropriate technical and organizational measures to ensure a level of security adequate to the risk surfaced by that evaluation;
• the guarantee that data subjects (people to whom the personal information is referred) be allowed to exercise their rights, including data portability rights as provided for by art. 20 of the GDPR.
The Data Controller is the subject responsible for data processing.