While regulations concerning data privacy are multiplying all over the world, including the fast approaching mandatory data disclosure laws here in Australia, one of the biggest challenges facing companies is likely to be the European General Data Protection Regulation (GDPR) regulation which comes into force in May next year, it will place significant new requirements on companies with operations or customers in the region. Any operating an Internet of Things (IoT) infrastructure could as well find complying with these requirements very challenging as soon as their connected objects can be explicitly linked with individuals in this region.

“One of the biggest challenges facing companies is the European GDPR which places significant new requirements on operations in the region.”

GDPR is designed to protect the privacy of EU citizens by requiring all businesses operating there to have strict data security and privacy conditions in place. They will need to track and trace sensitive data and determine how it is processed and stored across their entire information supply chain.

Following a number of recent high-profile breaches, many businesses have so far been focused on data security when figuring out how they will comply with GDPR. Unfortunately, they have been less focused on the data privacy issues that also form part of the new regulations. This is problematic when it comes to IoT.

The IoT privacy challenge
The GDPR legislation contains a broad definition of data privacy. It places far-reaching responsibilities on organisations to follow a ‘privacy-by-design’ strategy and implement appropriate technical and organisational measures to ensure data privacy no longer just an after-thought.

These requirements have particular relevance in relation to IoT. The technology is built around the concept of the always-connected customer and many projects are designed to generate and capture large volumes of data about customer preferences and behaviours.  The implications for privacy are significant.

For example, information gathered from a connected car could affect the privacy of the car owner. Retailers of connected products are aware that, once a product is in a customer’s hands, all data broadcast through that product could be qualified as personal data. This means they need to apply privacy-by-design principles at every stage of that data being gathered, processed and stored.

Earlier this year, consumer electronics company Vizio was fined US$2.2 million when the US consumer watchdog ruled it had sold data collected from the connected televisions of its customers. If Vizio should sell these devices to European customers and have similar privacy issues, they could potentially be exposed to a fine of US$292 million. The same thing could happen to any company selling connected devices into the region.

Preparing for GDPR
To avoid the prospect of being hit with large penalties, and suffering a significant dent to corporate reputation, any business providing IoT devices to customers in Europe needs to carefully consider and prepare for GDPR regulations before they come into force. Some of the steps that need to be considered include:

• Know where customer data is located: This can be a challenge for many organisations as private customer data tends to be siloed in different departments such as sales, marketing and finance. Under GDPR, a company must respond to requests from authorities within a month. If it doesn’t know precisely where that data is stored, this can be difficult. Affected businesses should begin with a thorough audit of all data stores so it is clear exactly what is being gathered and where it is located. It will then be possible to assign responsibility for that data and establish strong governance policies.
• Check data quality: Because of a desire to keep a lid on costs when it comes to IoT, many organisations end up working with low-quality networks and data quality can suffer as a result. This issue is important in the context of GDPR as it could make it difficult for an organisation to achieve a single view of each customer – something mandated by the regulation. One of the biggest data quality issues in this context stems from a business keeping separate siloed pools of data that are not readily integrated. This could occur, for example, when a business gathers some data on customers via an IoT infrastructure and some from marketing campaigns. Being unable to combine the two could put the business in breach of GDPR, for example when the customer ask for his right to be forgotten.
• Establish clear data governance policies: GDPR legislation creates permanent requirements to which businesses must adhere, so clear long-term policies need to be formulated and put in place. These policies need to cover a range of factors including data collection methods, handling processes and where it will be physically stored. The appointment of a Data Protection Officer could become mandatory for most businesses and that person will play a key role in the formation of effective governance policies. However responsibility for the policies will still be shared by everyone within the organisation, especially when data is spread across multiple locations.
• Ensure data is open: There will also be a need for businesses to not only protect customer data but also make it available to them. Under the terms of GDPR, customers have the right to ask businesses to provide them with relevant data they hold about them. They can also ask for the ‘right to be forgotten’ or for corrections. Businesses must be able to comply with these requests.

With May 2018 rapidly approaching, time is rapidly running out for businesses to ensure they are able to comply with the new regulations. Any wanting to both take advantage of IoT and ensure they comply with GDPR will need to start actively addressing these issues immediately.

ABOUT STEVE SINGER//

Steve Singer is ANZ Country Manager, Talend.