The E.U.’s General Data Protection Regulation (GDPR) does not apply until May 25, 2018. But multi-national companies need to take thoughtful action now to be certain that all of their processing of E.U. residents’ personal data, wherever that processing happens, will be compliant when the time comes.
With WannaCry, the largest ransomware outbreak to date, fresh in their minds, most global businesses are hyper-focused on data security in formulating their responses to GDPR. Many are far less organized in their approach to the data privacy obligations of the new regulation. That gap should give global companies pause, particularly because GDPR’s definition of personal data is especially broad, and because harnessing IoT data is difficult to do in a way that respects it.
First, GDPR places far-reaching responsibilities on organizations through its requirement for data protection by design and by default (Article 25). It obliges organizations to implement appropriate technical and organizational measures so that data privacy and data protection are designed in from the start rather than bolted on as an afterthought.
Secondly, at the heart of IoT is the concept of the always-connected customer. Businesses are looking to generate and capture large volumes of data about customer preferences and behaviors to drive a competitive edge.
Even though much of this data describes products rather than data subjects, it still has the potential to impact privacy. Telemetry from a connected car, for example, reveals where and when the car was driven; if the car’s ownership is known, that telemetry says the same things about the owner, even though the data itself never carries the owner’s name. Retailers of connected products are aware that once a product is in a customer’s hands, all data the product emits can qualify as personal data, because it can be linked back to an identifiable person. That means that retailers, together with all of the suppliers involved in gathering, storing, and processing the data, need to apply privacy by design principles.
Knowing Where your Data Is
Another big challenge organizations face under GDPR is knowing both where all of the personal data within the company resides and who is responsible for taking care of it. Many businesses are unclear about this because their data is siloed in different departments, spread across areas such as sales, marketing, finance, services, and, increasingly, connected-product platforms.
Under GDPR, an organization acting as data controller must respond to a subject access request within one month, with the possibility of extending this period by a further two months for particularly complex or numerous requests. In addition, the rights of data subjects are not restricted to access: GDPR also grants the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict processing, the right to object to processing, and the right not to be subject to a decision based solely on automated processing. All of those rights have a significant impact on data management practices, because each of them has to be honored across every system that holds the subject’s data.
Putting a Response in Place
So given the issues outlined above, how can organizations best respond to the challenge with respect to their data management practices? In our view, this should start by carrying out an inventory of data so that they at least know exactly what they have and where it is located. Once a clear map of the data has been developed, companies will be better placed to start assigning responsibility for looking after it. That’s in a sense the minimum requirement. However, that step can establish the foundation for a stronger data governance policy which is a key element of what GDPR requires.
Sound data governance is closely linked to data quality, and that is an especially pressing concern when organizations are building out their IoT capability. The pressure to keep costs down in the IoT world often means that organizations work with low-cost, constrained networks and devices, and data quality may suffer as a result.
In the context of GDPR, data quality and harmonization can be a critical concern, particularly if they make it difficult for the organization to achieve a single view of the customer. GDPR does not literally mandate such a view, but it effectively requires one: the regulation demands a complete answer to a subject’s request, and a complete answer is impossible without knowing every place the subject’s data lives. One of the most significant data quality issues in this context comes from the business keeping separate, siloed pools of data that are not readily integrated. Take the scenario where the business knows a customer partly through IoT and partly through its marketing applications.
If the customer asks what personal data the business holds about them, and the organization reveals only a fraction of it because the rest resides in a separate data pool keyed by a device identifier rather than a customer identifier, it is still the organization’s responsibility that a full set of data was not provided. That, in turn, is likely to be a breach of GDPR. It is a stark warning that to comply, organizations effectively need to reconcile the information siloed in different parts of the business, including their IoT data.
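The following is an added illustration of that reconciliation problem; it is not code from the article or from Talend. It uses constructed sample records: a CRM silo keyed by a customer ID, a device ownership register, and an IoT telemetry silo that carries only device IDs. A subject access request answered from the CRM alone returns none of the telemetry, while a reconciled request follows the ownership link into the telemetry silo and also reports which silos were (and were not) consulted. All identifiers, field names and silo names are assumptions for the example.

```python
"""Answering a GDPR subject access request across siloed data stores.

Constructed sample data for illustration only; the silo layout, record
fields and identifiers are assumptions, not a real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Silo 1: CRM / marketing, keyed by customer ID (constructed sample).
CRM = {
    "cust-1001": {"name": "A. Example", "email": "a.example@example.test",
                  "marketing_consent": True},
    "cust-1002": {"name": "B. Example", "email": "b.example@example.test",
                  "marketing_consent": False},
}

# Silo 2: device ownership register. This is the link that turns
# "product data" into personal data: device ID -> customer ID.
DEVICE_OWNERS = {
    "car-7f3a": "cust-1001",
    "thermo-0c12": "cust-1001",
    "car-91bb": "cust-1002",
}

# Silo 3: IoT telemetry, keyed only by device ID. Nothing here names a
# person, so a lookup by customer ID finds nothing (constructed sample).
TELEMETRY = [
    {"device": "car-7f3a", "ts": "2017-06-01T07:58:00Z", "lat": 48.8566, "lon": 2.3522},
    {"device": "car-7f3a", "ts": "2017-06-01T18:20:00Z", "lat": 48.8738, "lon": 2.2950},
    {"device": "thermo-0c12", "ts": "2017-06-01T06:00:00Z", "temp_c": 19.5},
    {"device": "car-91bb", "ts": "2017-06-01T09:10:00Z", "lat": 50.8503, "lon": 4.3517},
]

# Every store the organisation's data inventory says holds personal data.
SILOS = ("crm", "devices", "telemetry")


@dataclass
class AccessResponse:
    """What is handed back to the data subject, plus an audit of coverage."""
    subject_id: str
    data: Dict[str, object] = field(default_factory=dict)
    silos_queried: Set[str] = field(default_factory=set)

    def missing_silos(self) -> Set[str]:
        """Silos from the inventory that this response never consulted."""
        return set(SILOS) - self.silos_queried


def dsar_crm_only(subject_id: str) -> AccessResponse:
    """The incomplete answer: only the silo that indexes by customer ID."""
    resp = AccessResponse(subject_id)
    resp.data["crm"] = CRM.get(subject_id)
    resp.silos_queried.add("crm")
    return resp


def dsar_reconciled(subject_id: str) -> AccessResponse:
    """The complete answer: resolve the subject's devices, then pull the
    telemetry those devices emitted, and record every silo touched."""
    resp = AccessResponse(subject_id)
    resp.data["crm"] = CRM.get(subject_id)
    resp.silos_queried.add("crm")

    devices: List[str] = sorted(
        dev for dev, owner in DEVICE_OWNERS.items() if owner == subject_id)
    resp.data["devices"] = devices
    resp.silos_queried.add("devices")

    owned = set(devices)
    resp.data["telemetry"] = [r for r in TELEMETRY if r["device"] in owned]
    resp.silos_queried.add("telemetry")
    return resp


def telemetry_record_count(resp: AccessResponse) -> int:
    """Number of telemetry records disclosed in a response."""
    return len(resp.data.get("telemetry", []))


if __name__ == "__main__":
    partial = dsar_crm_only("cust-1001")
    full = dsar_reconciled("cust-1001")
    print("CRM-only response: %d telemetry records, silos not consulted: %s"
          % (telemetry_record_count(partial), sorted(partial.missing_silos())))
    print("Reconciled response: %d telemetry records, silos not consulted: %s"
          % (telemetry_record_count(full), sorted(full.missing_silos())))
```

The `missing_silos` check is the part worth copying: a response that cannot show it consulted every store in the inventory is, by construction, one the organization cannot vouch for as complete. The same device-to-owner resolution is what an erasure or objection request would need in order to reach the telemetry at all.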
Scoping the IoT Data Challenge
IoT is set to bring a raft of benefits to organizations worldwide as they generate vast volumes of new data and then use that data to drive decision-making. And, because IoT lets companies connect the physical and the digital worlds, it gives them the potential to shape the future of customer experiences. However, as discussed, that generated data brings challenges, not least its implications for data privacy and the consequent difficulty businesses will face in achieving GDPR compliance.
With May 2018 fast approaching, time is rapidly running out for global businesses. If they want to take advantage of the IoT and ensure they comply with GDPR, they need to put these issues on their boardroom agenda and start actively addressing them right away.
About the author: Jean-Michel Franco is director of product marketing at Talend.
Edited by Ken Briodagh