The design choices you make not only affect the security of your solution, but also how difficult it will become to make the solution GDPR compliant. Centralized big data solutions are difficult to make compliant, while decentralized edge solutions are easier to make compliant. The reason is that decentralized solutions lend themselves naturally to the wills of the corresponding owners. For centralized solutions, you must build a lot of data protection mechanisms manually, to safeguard the privacy of its data subjects.

In this book, we have studied multiple protocols for use with the Internet of Things. Among these, XMPP provides the following several features that can help you build solutions that protect the privacy of your data subjects:

• The distributed, federated authentication and authorization model lends itself perfectly to making security decisions in distributed ad hoc networks.
• Presence negotiation required to communicate efficiently provides an efficient means to model a crude binary form of consent. It's also easy to withdraw.
• Provisioning provides a method for modeling a detailed form of consent. The owner of the devices can control in detail who can access them and what they do with them.
• XMPP allows you to outsource much of the administration of privacy to the data subjects themselves. Since many processing activities do not require centralized processing and can be processed equally well on the edge, there's no need to provide support for correction, deletion, restriction, and so on, explicitly in the backend. The owner controls the data completely.
• Using XMPP is an example of data protection by default. You need to negotiate presence subscription before you can have a meaningful interaction using the iq and presence stanzas. The roster is always at hand, as are the identities of senders of messages, so you can always easily determine the validity of an incoming message.