We live in an era in which data is gold. Robotics, AI, big data analytics – all these new technologies and more are flooding the digital ecosystem and offering new and improved ways for companies to manage and make sense of their data. Companies operating in IoT have never had so many exciting resources on their hands to help reach customers more effectively and cut internal operating costs based on intuitive KPIs. While the excitement is warranted, it does challenge long-standing laws defending personal privacy which have, up until recently, not kept pace with the rapid innovation in industry.
Indeed, anyone operating in the IoT space should be aware of incoming changes to the EU data protection program. The General Data Protection Regulation (“GDPR”) was created in May 2016 and will come into full legal effect on May 25th, 2018. These new regulations will change the operational and legal landscape for companies across the board. IoT device manufacturers will have to abide by a different regulatory code; application developers will have some updated requirements list to follow in designing their products; and IoT Cloud platforms will have a whole new set of legal obligations to abide by in setting their terms of use.
Here are three things to know about the incoming GDPR updates in terms of what they mean for business operations:
1. The Question of Security Breaches
In the interest of transparency, new GDPR regulation will bring general mandatory notifications for data breaches of all shapes and sizes. As of May 2018, data maintenance analysts will be obliged to report any data breaches to their supervisor; even in some cases alerting individuals that their data has been temporarily compromised. Alerts will need to be made within 72 hours of the incident by law. The goal of these new regulations will be to stem the tide of cybersecurity (which remains a commonplace issue) and offer more insight into user’s data history.
2. Consent Will Be Enlarged
The issue of consent regarding the sharing of information has been a hot topic for years. Many activists within the IoT community have been calling for more consent discussion between customers and their IoT providers for years – and the GDPR is meant to address these concerns by forcing companies to offer more ‘opt-in’ or ‘opt-out’ clauses. No longer can consent be assumed based on the inactivity of a customers. The GDPR will demand that data controllers get explicit consent form all customers before extracting their personal data. It’s as simple as that.
3. Stronger Data Subject Rights
A third major area of upheaval is coming in the subjects’ rights category. Up until now, data controllers had much more leeway than subject’s in terms of how data was recorded, and which data could be recorded, or not. Under these new changes, the subject will have much more far reaching control over their data. For example, subjects will be able to have their data be forgotten in the system. They will also enjoy data portability, essentially allowing users to access and use their own data across platforms and over time.
New Regulations, New Obligations
The importance of following these regulations should not be lost on a CEO or company executive engaged in the field, as the GDPR fines run in the thousands and can really set a company back. Also, with a number of cybersecurity issues already at play in the IoT industry, perhaps these new regulations will be all the impetus needed to bring more transparency.
In the meantime, we recommend executives to think differently about GDPR and try to turn getting prepared for GDPR into an opportunity to add value for their company. It’s not supposed to be just a cost to be added but an opportunity to leverage “privacy by design” for building Trust in your organization.
A three-minute free online GDPR DIAGNOSTIC can help you find out more about your organization’s posture and get the right help to fill-in the gap.