When it comes to data privacy regulations, change is on the horizon. And there is no doubt that these imminent changes will affect organizations that analyze internet of things data.
The European Union’s General Data Protection Regulation (GDPR) comes into effect in May 2018, putting high stakes on how enterprises deal with the collection and transfer of personal data. However, that’s not the only change enterprises need to be aware of.
In January 2017, the European Commission published a proposed Regulation on Privacy and Electronic Communications (the “ePrivacy Regulation”) that would replace the existing ePrivacy Directive (commonly known as the “EU Cookie Directive”). The parts of the existing directive dealing with the confidentiality of electronic communications lacked clarity, were transposed inconsistently across EU member states, had not kept up with technological change and were weakly enforced. The proposed regulation addresses these issues and aligns the communications privacy rules with the protection rules under the GDPR. It also covers far more than cookies: it extends to the content of communications and the metadata associated with them. Communications metadata, such as the endpoints, time and duration of a communication, is exactly the kind of data commonly used for analytics. The ePrivacy Regulation applies GDPR-style requirements, such as end-user consent and anonymization, to the use of that metadata.
Considering all of the connected devices that have the ability to collect personal data, organizations have unsurpassed access to huge amounts of data about everything from names to medical history. Yet, just because you can access it doesn’t mean you should analyze or store it. Carefully consider what information adds value to you and your customers. For example, do you need to upload customers’ first and last names? If that doesn’t add value, don’t subject yourself to the risk.
Assuming that personal information truly is needed for analysis, there are ways to keep it useful while still meeting compliance requirements. For example, organizations can encrypt individual fields, tokenize identifiers or anonymize whole records. One caveat matters here: encrypted or tokenized fields are pseudonymized, not anonymized. As long as someone holds the key or the token lookup table, the data can be re-identified and remains personal data under the GDPR (Recital 26 and Article 4(5)), so the key material must be stored and access-controlled separately from the data. Only data that can no longer be linked to an individual by any reasonably likely means falls outside the regulation. In today’s regulated landscape, these practices will become your best friend.
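The following is an added example, not code from the original article or from TechTarget, showing what the “drop, tokenize, generalize” steps look like when applied to a single IoT telemetry record. The record, its field names, and the demo key are constructed for illustration; tokenization uses a keyed HMAC so that the same device maps to the same token (analytics can still join and count) while re-identification requires the key. Field-level encryption is left out because the standard library has no authenticated cipher; a real deployment would keep the HMAC key in a KMS or HSM rather than in the code.

```python
"""Pseudonymize and generalize an IoT telemetry record before analysis.

Added example (not from the original article). Field names, the sample
record and the key handling are assumptions made for illustration.
"""
import hashlib
import hmac
from datetime import datetime

# Direct identifiers: never needed for fleet-level analytics, so they are
# dropped outright rather than transformed (if it adds no value, do not carry the risk).
DIRECT_IDENTIFIERS = ("first_name", "last_name", "email")

# Identifiers that analytics still needs to join on (same device over time),
# so they are replaced by keyed tokens instead of being dropped.
TOKENIZED_FIELDS = ("device_serial", "customer_id")


def tokenize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token, truncated to 64 bits of hex.

    Stable for the same input under the same key, so joins and counts still
    work, but not reversible without the key. Under the GDPR this is
    pseudonymization, not anonymization: whoever holds the key can
    re-identify, so the key must live apart from the data (KMS/HSM).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_timestamp(ts: str) -> str:
    """Truncate an ISO-8601 timestamp (with offset) to the hour.

    Hourly resolution is enough for usage analysis but too coarse to
    reconstruct an individual's daily routine minute by minute.
    """
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def generalize_location(lat: float, lon: float, places: int = 2) -> tuple:
    """Round coordinates to two decimals (roughly 1 km) so the record no
    longer points at a specific home address."""
    return (round(lat, places), round(lon, places))


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Drop direct identifiers, tokenize join keys, generalize quasi-identifiers.

    Everything else (the actual sensor measurements) passes through untouched.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # not needed for analysis: do not store it at all
        if field in TOKENIZED_FIELDS:
            out[field] = tokenize(str(value), key)
        elif field == "timestamp":
            out[field] = generalize_timestamp(value)
        elif field == "location":
            out[field] = generalize_location(*value)
        else:
            out[field] = value
    return out


# Constructed sample telemetry record (not real data).
RAW_RECORD = {
    "device_serial": "THERMO-00042-AB",
    "customer_id": "cust-9f3a",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "email": "ada@example.com",
    "timestamp": "2017-04-06T14:37:52+00:00",
    "location": (52.520008, 13.404954),
    "temperature_c": 21.4,
    "humidity_pct": 43,
}

# Demo key so the example runs offline; a real key comes from a KMS/HSM and
# is never checked into source.
DEMO_KEY = b"demo-key-do-not-use-in-production"

if __name__ == "__main__":
    for field, value in pseudonymize_record(RAW_RECORD, DEMO_KEY).items():
        print(f"{field:15} {value}")
```

Run it and compare the output with `RAW_RECORD`: the name and e-mail fields are gone, the two identifiers are 16-character tokens, the timestamp is rounded to the hour, the location to about a kilometre, and the sensor readings are unchanged. Rotating `DEMO_KEY` produces a different token set, which is the property that makes the key, not the data store, the thing to protect.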
2. Consider how you will keep customers in the know.
Most of these regulations, which are more comprehensive than the U.S. rules that tend to be state-based or sectoral, require organizations to notify customers about data collection. Keeping track of what data is collected, how it’s collected, what it is used for and whether that still matches the original notice is a significant task. Furthermore, the GDPR requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), to notify affected individuals when the breach is likely to pose a high risk to them (Article 34), and to honor the right to erasure, the so-called right to be forgotten (Article 17), which means being able to find and delete an individual’s personal data wherever it is stored.
This becomes even more daunting when you consider global enterprises that have data siloed across departments and regions. While the issues are generally more tractable for small businesses, they often rely on fewer resources. How many small companies have a privacy professional or an executive staff that has a deep understanding of compliance issues? With the proliferation of connected devices and IoT, personal data is being collected and stored at astounding rates, making it even more complex to uphold the standards. Organizations must engineer both their technologies and their business processes with these standards in mind.
3. Educate yourself and your employees about new regulations.
Keeping a pulse on regulation changes is crucial to avoiding hefty fines. This is especially true for large enterprises with locations all around the world. While harmonization was a key goal of both the EU Data Protection Directive and the GDPR, and at a 30,000-foot level the data protection rules may look the same across the EU, the GDPR still leaves room for member-state variations (for example, on the age of consent for children and on employee data) that need to be taken into account as you analyze personal data. Furthermore, the larger and more varied the data set, the more likely it is that additional regulations apply to some part of it, complicating how the data can be collected and processed.
Having a deep understanding of these regulations, and articulating them to those who deal with the data every day, is crucial to minimizing risk. Even where a company has a firm grasp of its compliance obligations, individual employees may not, and may start to analyze or process the data for purposes beyond those stated in the notice given when the data was collected, a breach of the purpose-limitation principle.
With rapid advances in IoT technology, the increasingly complex use of personal data and stricter regulations on the horizon, these three key things must be top of mind for today’s organizations. As fines become heftier and customers become more critical of sharing their data, it’s in every organization’s best interest to be able to meet the highest of data protection standards.
This article was originally published in TechTarget’s IoT Agenda on April 6, 2017.