The smart home sector of IoT alone could be worth as much as $490 billion in just a few years by some estimates. The IoT sector is founded on the idea of freely available data coming in from a variety of sensor origin points, providing information about the way we live our lives and using that information to automate tasks, provide new goods and services and make things easier, faster or cheaper.
However, this is all based on the idea of freely available data. And freely available data is coming to an end. In May 2018, the General Data Protection Regulation (GDPR) came into full effect in the EU. This landmark law is aimed at giving consumers more control over how their personal data is collected and is forcing companies to be more transparent on how that data is used and protected.
I am a big believer that data privacy is a human right and the treasure trove of data we all produce on a daily basis is inherently owned by each individual creating it. The days of an unregulated marketplace of buying and selling consumers’ data are changing and we can thank the GDPR for helping to lead the way.
For those of us who reside in the US, we can’t look the other way. GDPR should be at the forefront in every organization, particularly those that operate a subsidiary in the EU or do transactions with both businesses and consumers who reside in the EU, basically covering the entire web. Thus far, regulations regarding data privacy and security in the US have been mainly up to each state. Take, for example, the “Massachusetts Standards” – the benchmark of state data and security regulations. The Massachusetts Standards detail the specific elements that each business’s information security protocol should contain and go on to require the encryption of personal information stored on devices and transmitted across public networks. This type of legislation is transforming how other states are thinking about data privacy and security.
A big issue facing many clients right now is how to anonymize this information. A company may look at all the data it collects and then ask itself: how do we make this data not associated with a particular person? How do we make it anonymous? And at the same time, how do we stay compliant while still offering the better, faster, cheaper goods and services we are quickly becoming known for?
That is the million-dollar question and is why data protection experts are in such high demand right now. The concept is more than just having consumers opt out of data sharing. Many consumers wouldn’t mind allowing companies to access their data, as long as they know that data is being used and stored securely. It requires companies to adopt a “privacy by design” concept, which forces companies to educate consumers on how their data is being collected, how it’s being used and what the organization is doing to protect it. Organizations need to be asking themselves how they are going to be more deliberate in what they are asking for, and defining a specific reason behind the collection of each piece of data.
Establishing digital trust
Establishing “digital trust” is imperative for companies to survive. The goal should be to establish a system of trust from the customer to create a climate of mutually beneficial exchange between the company and consumer. A data protection program should incorporate identifying risks and then taking the appropriate actions to mitigate those risks and create robust technical controls.
IoT companies can opt out of their data sharing agreements with third parties. This will most likely affect the bottom line of some organizations, but given the risk, it might be more cost effective not to have the data at all. Often, the cost of protecting data can have more of an impact on the bottom line than doing away with collecting it in the first place.
The term data is subjective, and just as criminal laws change frequently, companies should be able to pivot to what I am sure is going to be a fluid landscape of data privacy legislation. However, I am confident that it will all be for the common good of protecting our human right of securing our data footprint.