Industries of all kinds face governmental regulation. It’s the price of doing business in civilized societies. But how businesses approach regulations has enormous bearing on organizational success. We got a stark reminder of the huge gulf between acting “by the book” and, well, something more earlier this month when United Airlines forcibly removed a paying passenger from a flight leaving Chicago. The airline’s choices in this case earned it a PR drubbing and a serious erosion of customer trust, with more pain likely to come.
Air travel is a highly regulated consumer service industry. A range of options is always available when considering how to handle the challenges of trying to fit crew members onto an already full flight. Speaking of “having to re-accommodate” customers reflects a by-the-book, compliance-oriented mindset. If that’s one end of the range, what’s the other end? Seeking to build trusted relationships with customers and end users of your product by offering them transparency and control.
What does dragging and dropping passengers have to do with privacy?
What does all this have to do with the EU General Data Protection Regulation — or the internet of things? Good question. It’s clear that IoT is leading to an explosion of business opportunities. But companies attempting to develop their own IoT solutions from soup to nuts are quickly learning that providing safe, secure, privacy-sensitive interactions is extraordinarily difficult. At the same time, as May 25, 2018, the date of GDPR implementation, approaches, this far-reaching regulation looks likely to be the central governing framework for consumer-oriented companies pursuing IoT business models across the globe. If your organization works with the personal information of anyone in the EU, whether you’re based there or not, GDPR applies to you.
What are the regulatory objectives of GDPR? Data privacy with choice and control: strengthening the exercise of fundamental privacy rights of individuals and putting users back in control of their personal data.
The lesson here for any organization looking toward realigning its privacy practices for May 2018 couldn’t be clearer: Never miss out on an opportunity to create a trusted digital relationship. Too often organizations fall into process-oriented thinking: “Technically speaking we’re in compliance here, so it’s all good.” You fall into this trap at your peril!
So what to do? Take these steps to make progress in your IoT data privacy journey and get ready for your GDPR close-up with actual users.
Step 1: Identify where digital transformation opportunities and user trust risks intersect
We know IoT is driving all the interesting business opportunities, from connected clothing and athletic gear to breakthrough smart health devices. But where have data flows lain fallow because it’s impossible to build them securely and in a compliant fashion? These unacceptable trust risks can potentially be made acceptable if the right stakeholders from the privacy and business professional sides of the house can work together. You can work to bring these dark data relationships into the light once you know what they are.
Step 2: Conceive of personal data as a joint asset
Often businesses — or at least their marketing departments — become quite proprietary about the personal data they collect from consumers. However, in the GDPR era, that’s simply not a useful mindset. Thinking of users’ personal data as something you both have a stake in sets you up for success. It puts you into your users’ shoes, which is always useful because on another day, for another product or service, you yourself are “just another user.” It’s also good for compliance, since regulations do tend to change and grow (new GDPR guidance documents are coming out at a rapid clip lately).
Step 3: Lean in to consent
GDPR defines six legal bases for processing personal data. One of them is consent, and if used, it gives various information management freedoms and responsibilities to an organization. Crucially, it also comes with user trust implications. Some others, like “in the exercise of official authority vested in the controller,” essentially tie the organization’s hands. But some others, like “necessary for the purposes of legitimate interests pursued by the controller or a third party,” could be used for trust-destroying mischief.
Step 4: Take advantage of identity and access management for building trust
The IoT world seems to be quickly picking up on a lesson that the web and API worlds took a lot longer to learn: Adding security and privacy features is a lot harder if you don’t have a means of checking for authenticated identities and then authorizing their access. Identity and access management infrastructure has a great deal to offer toward building trusted digital relationships.
Think of building trust in layers of identity support. The data protection layer lays the groundwork for your organization’s trustworthiness against security breaches; it includes identity data governance and building a single view of the customer across what may be many individual smart devices and applications. The data transparency layer ensures all these devices and apps have proper terms of service, privacy notices, federated connections to other systems and provable consent; this is about giving users a single view of their consents. The data control layer ensures users can proactively start, monitor and stop sharing as they see fit at a fine grain — for example, deciding to give access to insulin pump data, or even to the pump’s control functions, to a doctor or caregiver.
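One way to make the data control layer concrete, as an added example that is not code from the original post or from any vendor product: a per-user consent ledger in which the patient grants a doctor read access to insulin pump readings and a caregiver access to the pump's control functions, sees every grant in one place, and can revoke any of them at will. The class and names (`ConsentLedger`, `dr_lee`, `caregiver_kim`, the resource paths) are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Consent:
    """One sharing decision made by the data subject (a provable consent record)."""
    grantee: str                   # who was given access, e.g. "dr_lee"
    resource: str                  # e.g. "insulin_pump/readings" or "insulin_pump/control"
    actions: frozenset             # fine-grained permissions, e.g. {"read"} or {"read", "adjust"}
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.revoked_at is None

class ConsentLedger:
    """Per-user record of consents: the user's single view, and the gate for access checks."""
    def __init__(self, owner: str):
        self.owner = owner
        self._consents = []

    def grant(self, grantee: str, resource: str, actions) -> Consent:
        c = Consent(grantee, resource, frozenset(actions), datetime.now(timezone.utc))
        self._consents.append(c)           # append-only: revocation is recorded, never erased
        return c

    def revoke(self, grantee: str, resource: str) -> int:
        """User stops sharing; returns how many active grants were revoked."""
        n = 0
        for c in self._consents:
            if c.active() and c.grantee == grantee and c.resource == resource:
                c.revoked_at = datetime.now(timezone.utc)
                n += 1
        return n

    def is_allowed(self, grantee: str, resource: str, action: str) -> bool:
        """Authorization decision: only a currently active consent covering this action permits it."""
        return any(c.active() and c.grantee == grantee and c.resource == resource
                   and action in c.actions for c in self._consents)

    def view(self):
        """The transparency view: every grant, active or revoked, in one place."""
        return [(c.grantee, c.resource, sorted(c.actions), c.active()) for c in self._consents]

def demo():
    # Constructed scenario: a patient shares readings with a doctor and control with a caregiver.
    ledger = ConsentLedger("patient_42")
    ledger.grant("dr_lee", "insulin_pump/readings", {"read"})
    ledger.grant("caregiver_kim", "insulin_pump/control", {"read", "adjust"})
    before = ledger.is_allowed("caregiver_kim", "insulin_pump/control", "adjust")
    ledger.revoke("caregiver_kim", "insulin_pump/control")
    after = ledger.is_allowed("caregiver_kim", "insulin_pump/control", "adjust")
    return before, after
```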
Trusted digital relationships with users are yours to lose
The GDPR is intended to be one of the most contemporary regulations in a long time. That’s lucky for all of us, since the internet of things is one of the fastest-moving technology and business spaces in a long time.
To prepare for the GDPR, organizations need to go beyond data protection and embrace data transparency and data control. The choices you make about your customers’ data increasingly reflect on not just your data protection officer’s actions but your entire business model. Addressing user trust risks is certainly something you can do something about; the more important question might be whether you can afford not to.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.