[BreachExchange] The Internet of Things and the Threat it Poses to GDPR Compliance

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 22 18:59:01 EDT 2017


https://www.cso.com.au/article/621039/internet-things-threat-it-poses-gdpr-compliance/

The pending General Data Protection Regulation (GDPR) is already
significantly impacting businesses across Europe. Organisations need to
take action now to make certain they are adequately capturing, integrating,
certifying, publishing, monitoring and of course, protecting their data to
ensure compliance when GDPR enters into application in May 2018.

With the number of well-publicised data breaches escalating, businesses
have so far focused on data security in formulating their response to GDPR.
They are typically less well organised in their approach to the data
privacy issues surrounding the new regulation, and that’s a serious concern
for two main reasons.

First, GDPR has a broad definition of data privacy. It places far-reaching
responsibilities on organisations to impose a specific 'privacy by design'
requirement and expands the need to implement appropriate technical and
organisational measures to ensure data privacy and data protection is no
longer an after-thought.

Second, the emergence and growing prevalence of the Internet of Things
(IoT) exacerbates these issues. At the heart of IoT is the concept of the
always-connected customer.  Businesses are looking to generate and capture
large volumes of data about customer preferences and behaviours to drive a
competitive edge.

Even though much of this data relates to products rather than to data
subjects, it still has the potential to impact privacy. Information
provided by a connected car, for example, is likely to affect the privacy
of the car owner if his ownership of that vehicle is known, even if the
data itself is not specifically linked to him. Retailers of connected
products are aware that once a product is in a customer's hands, all
data broadcast through that product could qualify as personal data,
which means that they need to apply privacy by design principles together
with all of their suppliers involved in gathering, storing, and processing the
data.

Consumer electronics product developer Vizio was recently fined $2.2
million after the US consumer watchdog found that it had been using content
recognition software to track users without obtaining their permission. The
company reportedly installed software on 11 million Internet-connected TV
sets it had sold to track customers' detailed viewing habits, linked that
data with specific household demographics and then sold the information to
third-party marketers. In its defence, Vizio said its televisions "never
paired viewing data with personally identifiable information such as name
or contact information."

The punishment meted out to Vizio sounds like a significant penalty. But
consider that if Vizio (now part of LeEco, a Chinese company worth $7.3
billion in revenue) were delivering its HDTVs and soundbars in Europe by May 2018 and
faced similar privacy issues, it would then be exposed to a fine of $292
million.

Knowing Where your Data is

Another big challenge organisations face is knowing both where all of the
private, sensitive data within their organisation resides and who is
responsible for taking care of it. Many businesses are unclear about this
because their data is siloed in different departments (sales, marketing,
finance, services, etc.), and that is an increasing concern under the new,
more rigorous GDPR stipulations.

Under GDPR, the data controller must respond to subject access requests
within a month, with the possibility of extending this period for
particularly complex requests. This is typically more stringent than
existing regulations. Under the UK's Data Protection Act, for example, the
response time is 40 days. In addition, the rights of data subjects are not
restricted to data access: GDPR also mandates the right to rectification,
the right to erasure (also known as the right to be forgotten), the right
to restrict data processing, the right to object to data processing, and the
right not to be evaluated solely on the basis of automated processing. All of those
rights have a significant impact on data management practices.

Putting a Response in Place

So given the issues outlined above, how can organisations best respond to
the challenge with respect to their data management practices? In our view,
this should start by carrying out an inventory of data so that they at
least know exactly what they have and where it is located. Once a clear map
of the data has been developed, companies will be better placed to start
assigning responsibility for looking after it. That’s in a sense the
minimum requirement. However, this can then start to act as the foundation
for establishing a stronger data governance policy which is a key element
of what GDPR requires.

Closely linked to data governance is the issue of data quality - an
especially pressing concern when organisations are building out their IoT
capability. That’s because the desire to keep costs down in the IoT world
often means that organisations are forced to work with low-quality networks
and data quality may suffer as a result.

In the context of GDPR, data quality and harmonisation can be a critical
concern, particularly if it makes it difficult for the organisation to
achieve ‘a single view’ of the customer - something which is mandated by
the regulation. One of the most significant data quality issues in this
context derives from the business keeping separate siloed pools of data
which are not readily integrated. Take the scenario where the business
knows a customer partly through IoT and partly through its marketing
applications.

If the customer then wants to know what private data the business has on
him and the organisation ends up just revealing a fraction of that data due
to these separate data pools, then it is ultimately the organisation’s
responsibility that a full set of data has not been provided. That, in
turn, is likely to be a breach of GDPR. It’s a stark warning that to comply
organisations effectively need to reconcile the information they get from
different parts of their organisation, including IoT.

Scoping the IoT Data Challenge

IoT is set to bring a raft of benefits to organisations across the world as
they generate vast volumes of new data that they can subsequently leverage
to help drive the decision-making process. And, because IoT enables
companies to connect the physical and the digital world, it provides them
with the potential to shape the future of customer experiences. However, as
this article has shown, this generated data brings challenges not least in
its implications for data privacy and the consequent challenges that
businesses will face in achieving GDPR compliance.

With May 2018 fast approaching, time is rapidly running out for businesses.
If they want to take advantage of the IoT and ensure they comply with GDPR,
they need to put these issues on their boardroom agenda and start actively
addressing them right away.