Designing a GDPR-Compliant Security Architecture for Remote Elderly Care Systems: A Privacy-by-Design Approach
Parvez, Rahid (2026)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202604186859
Abstract
IoMT-based remote elderly care systems generate continuous streams of sensitive health data. Existing security architectures have not simultaneously addressed three interdependent challenges: GDPR-compliant edge-layer pseudonymisation, elderly-specific zero-interaction usability as a binding architectural constraint, and integrated STRIDE-based threat validation within a single unified design. This thesis applies the Design Science Research Methodology (DSRM) to present the Secure Edge Gateway (SEG) framework: the first validated integrated IoMT architecture for elderly care to resolve all three dimensions of this gap simultaneously. An ESP32-based residential gateway enforces MAC address whitelisting - permitting only pre-registered devices to communicate - cryptographic pseudonymisation using HMAC-SHA256 before any network transmission, Advanced Encryption Standard 128-bit CBC mode (AES-128-CBC) payload encryption, and Transport Layer Security (TLS) 1.3, in line with GDPR Articles 25 and 32. The framework is validated through software-based simulation, full STRIDE threat modelling, attack tree analysis, GDPR compliance mapping, and a Data Protection Impact Assessment under Article 35. Published benchmarks demonstrate that MQTT consumes 6 to 8% less energy than HTTP in comparable IoT deployments, and edge processing achieves sub-50 ms response latency versus 200 to 700 ms for cloud-only systems. The results confirm that GDPR compliance and operational efficiency are complementary, not competing, objectives in resource-constrained IoMT deployments for elderly care.
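The first two gateway stages named in the abstract (MAC address whitelisting, then HMAC-SHA256 pseudonymisation before transmission) can be sketched in a few lines of Python. This is an added example, not code from the thesis: the field names, the whitelist entries, the key and the function names are all constructed assumptions, and the AES-128-CBC and TLS 1.3 stages are left out.

```python
import hashlib
import hmac
import json

# Constructed sample values; none of them come from the thesis.
ALLOWED_MACS = {"24:6f:28:aa:bb:01", "24:6f:28:aa:bb:02"}
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form; raises on malformed input."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("malformed MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable under one key, not reversible without it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def process_reading(reading: dict, key: bytes = PSEUDONYM_KEY):
    """Return the outbound record, or None if the device is not whitelisted."""
    try:
        mac = normalise_mac(reading["mac"])
    except (KeyError, ValueError):
        return None
    if mac not in ALLOWED_MACS:
        return None  # dropped before any health data is handled
    # Direct identifiers (MAC, patient id) never leave the gateway in clear.
    return {
        "subject": pseudonymise(reading["patient_id"], key),
        "device": pseudonymise(mac, key),
        "metric": reading["metric"],
        "value": reading["value"],
        "ts": reading["ts"],
    }


if __name__ == "__main__":
    sample = {"mac": "24-6F-28-AA-BB-01", "patient_id": "patient-0042",
              "metric": "heart_rate", "value": 71, "ts": 1760000000}
    print(json.dumps(process_reading(sample), indent=2))
    print(process_reading({**sample, "mac": "de:ad:be:ef:00:01"}))
```

Because the pseudonym is keyed, anyone holding `PSEUDONYM_KEY` can recompute it from a known identifier, so the key has to stay on the gateway side and be stored apart from the pseudonymised records. A MAC whitelist filters unregistered devices but does not authenticate them, since a MAC address is a value the device itself reports.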
