IoT Threatens GDPR Compliance

Posted by Jeff Pelliccio on Apr 6, 2018 9:00:00 AM

In ICS insights

Big data is bigger than it has ever been, which means organizations must work harder than ever to make sure their data is properly captured, integrated, certified, published, monitored, and protected. Meeting those goals also helps maintain compliance with the General Data Protection Regulation (GDPR), which applies from 25 May of this year (2018).

Data breaches are becoming more common and more widely publicized, which has pushed many businesses to sharpen their focus on data security, especially in response to the GDPR. Unfortunately, those same businesses tend to be far less organized about the data privacy obligations the new regulation imposes, and that gap leads to two serious concerns.

Concerns of GDPR

The first concern is the breadth of the GDPR itself. Its definition of personal data is extremely wide: any information relating to an identified or identifiable natural person. The regulation places far-reaching obligations on organizations, including data protection by design and by default, and it requires that appropriate technical and organizational measures be implemented and kept up to date with current data privacy and data protection practice.

The second concern is that the Internet of Things (IoT) is exacerbating data privacy and protection issues. The promise of the IoT is that customers stay connected at all times so that all of their needs, physical, mental, medical, and consumer, can be met. Connected devices make it possible to capture and analyze big data about those always-connected customers' behavior, so that businesses can determine which products and services best meet their needs and keep a competitive edge by anticipating those needs, sometimes before the consumers themselves are aware of them.

Much of the data caught up in privacy questions is not directly about the consumer; it relates to the product. A connected car, for example, produces data about the vehicle itself, yet that data can still affect the privacy of the car's owner because it can be linked to an identifiable person. Businesses therefore need to understand that once a connected product is in a consumer's hands, the data it produces from then on should be treated as personal data. That means security and protection controls must be enforced so the data is gathered, stored, and processed in a way that does not compromise the consumer's privacy.

Companies Disrespect Consumers' Privacy Rights

Vizio, a large and well-known electronics manufacturer, provides a cautionary example. The company was found to have used automatic content recognition (ACR) software to monitor and track what its customers watched without first obtaining their consent, and in 2017 it agreed to pay $2.2 million to settle charges brought by the U.S. Federal Trade Commission and the New Jersey Attorney General. How did this happen? Vizio shipped an estimated 11 million Internet-connected TV sets with the tracking software already installed, captured viewing data from them, and sold that data to third-party marketers.

Where Is Your Data?

One of the biggest questions an organization must ask itself about data privacy is simply "where is the data?" It can be surprisingly hard to determine where data is coming from, how it is captured, and what happens to it afterward, including where it is stored and how it is used. That is why businesses must set aside time from normal daily operations for meetings focused on data capture and privacy, and many will benefit from dedicating several employees to data-related needs. Those employees can make sure that data, wherever it originates, whether in marketing or in finance, stays in compliance with the GDPR's rigorous requirements.

One such requirement is that data controllers respond to subject access requests without undue delay and in any event within one month. That period can be extended by up to two further months, but only where necessary given the complexity or number of the requests, and the data subject must be told of the extension, with reasons, within the first month. Existing national rules are more lenient; the UK's Data Protection Act 1998, for example, gave controllers up to 40 days to turn over the information. Other ways in which the GDPR is transforming the data privacy landscape include mandating:

  • The right to rectification
  • The right to erasure
  • The right to restriction of processing
  • The right to object to processing
  • The right not to be subject to a decision based solely on automated processing

How Can Businesses Properly Respond to GDPR?

The first step toward GDPR compliance is putting measures in place to build an accurate inventory of data, so the business knows where its data comes from and where it is stored. Once an inventory map clearly shows where data lives, the business can assign employees to look after each part of it, and with those responsibilities handed to the right people, the rest of the compliance work can proceed.

On data quality and harmonization in the GDPR context, it is imperative that companies keep their data integrated so that they can achieve a 'single view' of the customer. Separate, disconnected pools of data about the same customer must be avoided at all costs. When a customer asks what information is held about them, the company needs to be able to retrieve all of it through a single streamlined process, even when the data is pulled from different departments. Providing a customer with only a fraction of the data held on them is not just unethical; it fails the GDPR's right of access.

The Takeaway

IoT can bring many benefits to businesses, but only if it is used appropriately, and, more importantly, only if the data it gives businesses access to is stored and used appropriately. With so much data available, businesses should plan on spending a significant amount of money on proper data storage and protection practices. May 2018 is almost here, and it is time to make sure GDPR compliance is achievable; that starts by adding GDPR compliance to the next boardroom agenda and staffing appropriately.

With increased threats, it is more important than ever to have your compliance roles filled. Contact ICS for help finding your dream team. We have a network of professionals who are ready to jump right into your organization and start making great strides toward compliance. Start your search by clicking below.

Find Talent NOW