When it comes to data privacy regulations, change is on the horizon. And there is no doubt that these imminent changes will affect organizations that analyze internet of things data.
The European Union’s General Data Protection Regulation (GDPR) comes into effect in May 2018, putting high stakes on how enterprises deal with the collection and transfer of personal data. However, that’s not the only change enterprises need to be aware of.
In January, the European Commission revealed a proposed regulation on Privacy and Electronic Communications (known as the “ePrivacy Regulation”) that would replace the existing ePrivacy Directive (commonly known as the “EU Cookie Directive”). Sections of the existing ePrivacy Directive related to the privacy of electronic communication lacked clarity, harmony across the EU member states, relevance to recent technological changes and proper enforcement. The proposed ePrivacy Regulation addresses these issues and brings the communications privacy rules in line with the protection rules under the GDPR. It also covers more than just “cookies,” extending to communications content and its associated metadata. Metadata about communications, such as the endpoints, time and duration of a communication, is commonly used for analytical purposes. The ePrivacy Regulation applies GDPR requirements, such as end-user consent and anonymization, to the use of this data.
The net-net is that organizations dealing with personal data must be ready for the compliance regime of the 21st century. And in today’s IoT economy, where data is the new currency, it’s common for enterprises to come in contact with personal data at unsurpassed rates. With these existing and future privacy regulations that directly affect how companies collect, analyze and utilize personal data, here are three things to keep in mind:
1. Choose wisely about what data you want to analyze.
Just because you have access to certain types of personal data doesn’t mean you have to analyze it. Another thing to take into account is that the fines and penalties are generally proportional to the amount of data failing compliance. The larger the data set, the larger the fine.
Considering all of the connected devices that have the ability to collect personal data, organizations have unsurpassed access to huge amounts of data about everything from names to medical history. Yet, just because you can access it doesn’t mean you should analyze or store it. Carefully consider what information adds value to you and your customers. For example, do you need to upload customers’ first and last names? If that doesn’t add value, don’t subject yourself to the risk.
Assuming that personal information truly is needed for analysis, there are ways to make it useful while still meeting compliance requirements. For example, organizations can encrypt fields, tokenize fields or anonymize data records. In today’s regulated landscape, these practices will become your best friend.
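As an added illustration of the practices just named (example code written for this article, not something the post or IoT Agenda ships), the following Python script takes constructed smart-thermostat records and applies an allow-list policy before they enter an analytics data set: direct identifiers such as names and IP addresses are dropped, the e-mail address and device ID are replaced by keyed HMAC tokens (pseudonyms that still allow records to be joined but cannot be reversed without the key), timestamps are coarsened to the hour, and records without analytics consent are excluded altogether. The field names, the policy sets and `TOKEN_KEY` are assumptions made for the demo.

```python
"""Added example: field-level minimization, tokenization and generalization of
IoT telemetry before analysis. Not code from the original post."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed secret for the demo. A real deployment keeps the tokenization key
# in a KMS/HSM, separate from the analytics data set, and rotates it.
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed policy for a hypothetical smart-thermostat data set.
DIRECT_IDENTIFIERS = {"first_name", "last_name", "ip_address"}  # dropped outright
TOKENIZED_FIELDS = {"customer_email", "device_id"}             # keyed HMAC tokens
GENERALIZED_TIMESTAMPS = {"observed_at"}                       # coarsened to the hour
ANALYTIC_FIELDS = {"temperature_c", "target_c"}                # kept as-is


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed pseudonym: the same input always yields the same
    token, so records can still be joined for analysis, but the raw value
    cannot be recovered without the key. Input is lower-cased so that
    'Ada@example.com' and 'ada@example.com' map to one token."""
    digest = hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:24]


def coarsen_to_hour(iso_timestamp: str) -> str:
    """Generalize an ISO-8601 timestamp to the start of its UTC hour, removing
    the minute-level detail that is rarely needed for aggregate analysis."""
    observed = datetime.fromisoformat(iso_timestamp).astimezone(timezone.utc)
    return observed.replace(minute=0, second=0, microsecond=0).isoformat()


def prepare_for_analysis(record: dict) -> Optional[dict]:
    """Return a minimized copy of the record, or None when the end user has not
    consented to analytics use (such a record must not enter the data set)."""
    if not record.get("consent_analytics", False):
        return None
    minimized = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "consent_analytics":
            continue
        if field in TOKENIZED_FIELDS:
            minimized[field + "_token"] = tokenize(str(value))
        elif field in GENERALIZED_TIMESTAMPS:
            minimized[field] = coarsen_to_hour(value)
        elif field in ANALYTIC_FIELDS:
            minimized[field] = value
        # Any field not named in the policy is dropped: an allow-list, not a
        # deny-list, so newly added telemetry fields never leak in by default.
    return minimized


def build_analysis_set(records: list) -> list:
    """Apply the policy to every raw record and keep only those allowed through."""
    prepared = (prepare_for_analysis(raw) for raw in records)
    return [row for row in prepared if row is not None]


# Constructed sample input: three raw device reports from two customers.
SAMPLE_RECORDS = [
    {"device_id": "thermo-0001", "customer_email": "Ada@example.com",
     "first_name": "Ada", "last_name": "Lovelace", "ip_address": "203.0.113.7",
     "observed_at": "2024-03-05T14:37:12+00:00", "temperature_c": 21.5,
     "target_c": 20.0, "consent_analytics": True},
    {"device_id": "thermo-0001", "customer_email": "ada@example.com",
     "first_name": "Ada", "last_name": "Lovelace", "ip_address": "203.0.113.7",
     "observed_at": "2024-03-05T14:52:40+00:00", "temperature_c": 21.0,
     "target_c": 20.0, "consent_analytics": True},
    {"device_id": "thermo-0002", "customer_email": "grace@example.com",
     "first_name": "Grace", "last_name": "Hopper", "ip_address": "198.51.100.9",
     "observed_at": "2024-03-05T15:03:05+00:00", "temperature_c": 19.0,
     "target_c": 21.0, "consent_analytics": False},
]

if __name__ == "__main__":
    for row in build_analysis_set(SAMPLE_RECORDS):
        print(row)
```

Two design points matter in practice: the policy is an allow-list, so a field that nobody has classified is dropped rather than silently retained, and the tokenization key lives outside the analytics store, because whoever holds both the key and the tokens can re-identify the records.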
2. Consider how you will keep customers in the know.
Most of these regulations, which are more comprehensive than the ones in the U.S. that tend to be state-based or sectoral, require organizations to notify customers about data collection. Keeping track of what data is collected, how it’s collected, what it is used for and if that corresponds to the original notification is a significant task. Furthermore, it’s widely expected that organizations must notify users and authorities about data breaches within a specific timeframe and uphold the right to be forgotten with the ability to delete personal data.
This becomes even more daunting when you consider global enterprises that have data siloed across departments and regions. While the issues are generally more tractable for small businesses, they often rely on fewer resources. How many small companies have a privacy professional or an executive staff that has a deep understanding of compliance issues? With the proliferation of connected devices and IoT, personal data is being collected and stored at astounding rates, making it even more complex to uphold the standards. Organizations must engineer both their technologies and their business processes with these standards in mind.
3. Educate yourself and your employees about new regulations.
Keeping a pulse on regulation changes is crucial to avoiding hefty fines. This is especially true for large enterprises with locations all around the world. While the harmonization of regulations was a key point of the EU Data Privacy Directive and the EU GDPR, and at a 30,000-foot-level the data protection rules may look the same across the EU, there are still EU member state differences that need to be taken into account as you analyze personal data. Furthermore, larger data sets include the possibility of having more regulations come into play, thus complicating how to collect and process the data.
Having a deep understanding of these regulations, and articulating them to those who deal with the data every day, is crucial to minimizing risk. Even in cases where companies have a firm understanding of compliance regulations, employees may not understand the requirements and may start to analyze or process the data outside of the original notification given when the data was collected.
With rapid advances in IoT technology, the increasingly complex use of personal data and stricter regulations on the horizon, these three key things must be top of mind for today’s organizations. As fines become heftier and customers become more critical of sharing their data, it’s in every organization’s best interest to be able to meet the highest of data protection standards.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.