The Internet of Things and the Threat it Poses to GDPR Compliance
The pending General Data Protection Regulation (GDPR) is already significantly impacting businesses across Europe. Organisations need to take action now to make certain they are adequately capturing, integrating, certifying, publishing, monitoring and of course, protecting their data to ensure compliance when GDPR enters into application in May 2018.
With the number of well-publicised data breaches escalating, businesses have so far focused on data security in formulating their response to GDPR. They are typically less well organised in their approach to the data privacy issues surrounding the new regulation, and that’s a serious concern for two main reasons.
First, GDPR has a broad definition of data privacy. It places far-reaching responsibilities on organisations through a specific 'privacy by design' requirement and expands the obligation to implement appropriate technical and organisational measures, so that data privacy and data protection are no longer an afterthought.
Second, the emergence and growing prevalence of the Internet of Things (IoT) exacerbates these issues. At the heart of IoT is the concept of the always-connected customer. Businesses are looking to generate and capture large volumes of data about customer preferences and behaviours to drive a competitive edge.
Even though much of this data relates to products rather than to data subjects, it still has the potential to impact privacy. Information provided by a connected car, for example, is likely to affect the privacy of the car owner if his ownership of that vehicle is known, even if the data itself is not specifically linked to him. Retailers of connected products are aware that once a product is in a customer’s hands, all data broadcast by that product could qualify as personal data, which means that they need to apply privacy by design principles together with all the suppliers involved in gathering, storing and processing the data.
Consumer electronics product developer Vizio was recently fined $2.2 million after the US consumer watchdog found that it had been using content recognition software to track users without obtaining their permission. The company reportedly installed software on 11 million Internet-connected TV sets it had sold to track customers' detailed viewing habits, linked that data with specific household demographics and then sold the information to third-party marketers. In its defence, Vizio said its televisions "never paired viewing data with personally identifiable information such as name or contact information."
The punishment meted out to Vizio sounds like a significant penalty. But consider the following scenario: Vizio (now part of LeEco, a Chinese company with $7.3 billion in revenue) sells its HDTVs and soundbars in Europe from May 2018 and faces similar privacy issues. It would then be exposed to a fine of $292 million!
Knowing Where your Data is
Another big challenge organisations face is knowing both where all of the private, sensitive data within their organisation resides and who is responsible for taking care of it. Many businesses are unclear about this because their data is siloed in different departments (sales, marketing, finance, services, etc.), and that is an increasing concern under the new, more rigorous GDPR stipulations.
Under GDPR, the data controller must respond to subject access requests within a month, with the possibility of extending this period for particularly complex requests. This is typically more stringent than existing regulations. Under the UK’s Data Protection Act, for example, the response time is 40 days. In addition, the rights of data subjects are not restricted to data access: GDPR also mandates the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict data processing, the right to object to data processing, and the right not to be evaluated on the basis of automated processing alone. All of those rights have a significant impact on data management practices.
Putting a Response in Place
So given the issues outlined above, how can organisations best respond to the challenge with respect to their data management practices? In our view, this should start by carrying out an inventory of data so that they at least know exactly what they have and where it is located. Once a clear map of the data has been developed, companies will be better placed to start assigning responsibility for looking after it. That’s in a sense the minimum requirement. However, this can then start to act as the foundation for establishing a stronger data governance policy which is a key element of what GDPR requires.
Closely linked to data governance is the issue of data quality - an especially pressing concern when organisations are building out their IoT capability. That’s because the desire to keep costs down in the IoT world often means that organisations are forced to work with low-quality networks and data quality may suffer as a result.
In the context of GDPR, data quality and harmonisation can be a critical concern, particularly if it makes it difficult for the organisation to achieve ‘a single view’ of the customer - something which is mandated by the regulation. One of the most significant data quality issues in this context derives from the business keeping separate siloed pools of data which are not readily integrated. Take the scenario where the business knows a customer partly through IoT and partly through its marketing applications.
If the customer then wants to know what private data the business holds on him and the organisation ends up revealing only a fraction of that data because of these separate data pools, then it is ultimately the organisation’s responsibility that a full set of data has not been provided. That, in turn, is likely to be a breach of GDPR. It is a stark warning that, to comply, organisations effectively need to reconcile the information they hold in different parts of the organisation, including IoT.
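The siloed-data scenario above is easier to reason about with a concrete subject access request (SAR) aggregator. The example below is added here and is not code from the article or from any product it mentions; the silos, customer ids, device ids and inventory entries are all constructed. It shows the two points the text makes: IoT telemetry is keyed by device, so it only becomes attributable (and must be included in a SAR) once a device-ownership registry links it to a person; and the data inventory, not the set of connectors that happen to exist, should drive which silos are queried, so a missing connector is surfaced as an incomplete response rather than silently dropped.

```python
"""Subject access request aggregation across data silos (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# --- Constructed sample silos (hypothetical data, not from the article) ---
# Customer-facing systems are keyed by an internal customer id.
MARKETING = {
    "cust-1001": {"email": "a.person@example.com", "segment": "premium", "newsletter_opt_in": True},
}
SALES = {
    "cust-1001": {"orders": [{"sku": "HDTV-55", "date": "2017-11-02"}]},
}
# IoT telemetry is keyed by device id only; on its own it names no person.
TELEMETRY = [
    {"device_id": "car-0077", "ts": "2018-01-05T08:12:00Z", "odometer_km": 40213},
    {"device_id": "tv-0009", "ts": "2018-01-05T20:30:00Z", "channel": "news"},
    {"device_id": "car-0077", "ts": "2018-01-06T17:45:00Z", "odometer_km": 40260},
]
# The ownership registry is what turns device telemetry into personal data.
DEVICE_REGISTRY = {"car-0077": "cust-1001", "tv-0009": "cust-2002"}

# Data inventory: every system known to hold personal data and the team accountable for it.
# "finance" is inventoried but has no connector wired up yet (a realistic gap).
INVENTORY: Dict[str, str] = {
    "marketing": "Marketing operations",
    "sales": "Sales operations",
    "iot_telemetry": "Connected products team",
    "finance": "Finance",
}


def marketing_lookup(customer_id: str) -> List[dict]:
    return [MARKETING[customer_id]] if customer_id in MARKETING else []


def sales_lookup(customer_id: str) -> List[dict]:
    return [SALES[customer_id]] if customer_id in SALES else []


def telemetry_lookup(customer_id: str) -> List[dict]:
    """Resolve the customer's devices first, then pull every record for those devices."""
    owned = {dev for dev, owner in DEVICE_REGISTRY.items() if owner == customer_id}
    return [rec for rec in TELEMETRY if rec["device_id"] in owned]


CONNECTORS: Dict[str, Callable[[str], List[dict]]] = {
    "marketing": marketing_lookup,
    "sales": sales_lookup,
    "iot_telemetry": telemetry_lookup,
}


@dataclass
class SarResponse:
    customer_id: str
    records: Dict[str, List[dict]] = field(default_factory=dict)
    unqueried_silos: List[str] = field(default_factory=list)  # inventoried but not reachable

    @property
    def complete(self) -> bool:
        """True only if every silo in the inventory was actually queried."""
        return not self.unqueried_silos


def build_sar_response(customer_id: str,
                       inventory: Dict[str, str] = INVENTORY,
                       connectors: Dict[str, Callable[[str], List[dict]]] = CONNECTORS) -> SarResponse:
    """Iterate over the inventory, never over the connectors, so gaps are visible."""
    response = SarResponse(customer_id)
    for silo in inventory:
        lookup = connectors.get(silo)
        if lookup is None:
            response.unqueried_silos.append(silo)
            continue
        response.records[silo] = lookup(customer_id)
    return response


def summarise(response: SarResponse, inventory: Dict[str, str] = INVENTORY) -> str:
    """Human-readable coverage report for whoever signs off the SAR."""
    lines = [f"SAR for {response.customer_id}:"]
    for silo, recs in response.records.items():
        lines.append(f"  {silo:14s} {len(recs):3d} record(s)   owner: {inventory[silo]}")
    for silo in response.unqueried_silos:
        lines.append(f"  {silo:14s} NOT QUERIED   owner: {inventory[silo]}  <- follow up before release")
    lines.append("  status: " + ("complete" if response.complete else "INCOMPLETE"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(build_sar_response("cust-1001")))
```

Running the block for `cust-1001` returns the marketing and sales records plus both car telemetry records (linked through the registry), and flags `finance` as not queried, so the response is marked incomplete until that silo is reached. The design choice worth copying is the loop over the inventory: a connector-driven loop would happily produce the fractional response the text warns about, with nothing to show that a silo was missed.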
Scoping the IoT Data Challenge
IoT is set to bring a raft of benefits to organisations across the world, as they generate vast volumes of new data that they can subsequently use to help drive decision-making. And, because IoT enables companies to connect the physical and the digital world, it gives them the potential to shape the future of customer experiences. However, as this article has shown, this generated data brings challenges, not least in its implications for data privacy and the consequent difficulties businesses will face in achieving GDPR compliance.
With May 2018 fast approaching, time is rapidly running out for businesses. If they want to take advantage of the IoT and ensure they comply with GDPR, they need to put these issues on their boardroom agenda and start actively addressing them right away.