Published on the 13/11/2017 | Written by Steve Singer
New regulations may handbrake IoT deployments, writes Talend’s Steve Singer…
While regulations concerning data privacy are multiplying all over the world, including the fast-approaching mandatory data disclosure laws here in Australia, one of the biggest challenges facing companies is likely to be the European General Data Protection Regulation (GDPR), which comes into force in May next year. It will place significant new requirements on companies with operations or customers in the region. Any company operating an Internet of Things (IoT) infrastructure could also find complying with these requirements very challenging as soon as its connected objects can be explicitly linked with individuals in this region.
“One of the biggest challenges facing companies is the European GDPR which places significant new requirements on operations in the region.”
GDPR is designed to protect the privacy of EU citizens by requiring all businesses operating there to have strict data security and privacy conditions in place. They will need to track and trace sensitive data and determine how it is processed and stored across their entire information supply chain.
Following a number of recent high-profile breaches, many businesses have so far been focused on data security when figuring out how they will comply with GDPR. Unfortunately, they have been less focused on the data privacy issues that also form part of the new regulations. This is problematic when it comes to IoT.
The IoT privacy challenge
These requirements have particular relevance in relation to IoT. The technology is built around the concept of the always-connected customer and many projects are designed to generate and capture large volumes of data about customer preferences and behaviours. The implications for privacy are significant. For example, information gathered from a connected car could affect the privacy of the car owner.
Retailers of connected products are aware that, once a product is in a customer’s hands, all data broadcast through that product could be qualified as personal data. This means they need to apply privacy-by-design principles at every stage of that data being gathered, processed and stored.
Earlier this year, consumer electronics company Vizio was fined US$2.2 million when the US consumer watchdog ruled it had sold data collected from the connected televisions of its customers. If Vizio were to sell these devices to European customers and have similar privacy issues, it could potentially be exposed to a fine of US$292 million. The same thing could happen to any company selling connected devices into the region.
Preparing for GDPR
With May 2018 rapidly approaching, time is running out for businesses to ensure they are able to comply with the new regulations. Any business wanting to both take advantage of IoT and ensure it complies with GDPR will need to start actively addressing these issues immediately.
Steve Singer is ANZ Country Manager, Talend.
The GDPR legislation contains a broad definition of data privacy. It places far-reaching responsibilities on organisations to follow a ‘privacy-by-design’ strategy and implement appropriate technical and organisational measures to ensure data privacy is no longer just an afterthought.
To avoid the prospect of being hit with large penalties, and suffering a significant dent to corporate reputation, any business providing IoT devices to customers in Europe needs to carefully consider and prepare for GDPR regulations before they come into force. Some of the steps that need to be considered include: