Here’s a rhetorical question: What comes to mind when you think of the word data? Chances are for your business, data means opportunity. As a consumer, data means something much more personal—something you’d like to protect. But in the IoT (Internet of Things) world, data means both opportunity and risk for most folks.
Data really does open so many doors for new services and revenue streams, better customer support and personalization, predictive maintenance, and streamlined operations. But the reality is you can’t leverage IoT devices and solutions without opening yourself and your business up to some risk.
Data security, therefore, is simply woven into the fabric of the data discussion. You can’t get away from it. For this column, we are going to head to Europe to examine the GDPR (General Data Protection Regulation).
The deadline for compliance is coming up. Now is a great time to take a closer look at what the regulation means, how interoperability will impact manufacturers here in the U.S., and how data is transmitted between the things. There is so much to talk about here that we will break this column into two parts.
First, why is the EU (European Union) amending its regulation for data security and privacy? And why now? To answer these questions, we need to take a look at the current landscape for data security.
Now, we just came off a month full of really great discussions and content about blockchain technology (see our January archives), so that was a nice primer for this security discussion. To give some insight into the world of data security, I’m going to look at Experian’s 2018 Data Breach Industry Forecast.
Some of the key points in the report include the predictions that the U.S. may experience its first large-scale attack on critical infrastructure, that cyber attackers seem to be zeroing in on government entities, and that vulnerabilities in IoT devices are leading to new security regulations. Taken together, all three of these trends are most certainly related.
If our infrastructure, government entities, and IoT devices are truly being targeted, then our economy, data, and, at the extreme end of the spectrum, our very lives are being threatened.
As a result, security best practices—and, yes, regulations—are an important part of the IoT picture going forward.
Experian puts it this way: vulnerabilities in IoT devices will create “mass confusion,” which will lead to new security regulations. Let’s hope it won’t take an incident large enough to cause “mass confusion” to get us on the right track when it comes to securing our devices and systems.
However doomsday-ish Experian may sound, it’s mostly right in saying that in the rush to develop IoT technologies and meet customer demand, developers and manufacturers often put going to market quickly ahead of security. This is a destructive way of doing business.
And it’s not only destructive for one business and its customers, but also for the industry as a whole. To prevent incidents and support growth and innovation, we’ve seen legislation being developed here in the U.S. that aims to improve IoT security awareness and increase the use of industry best practices in order to protect end users. But all the focus right now is on the EU and its general data protection regulation.
Here’s what you need to know: After four years of preparation and debate, the EU parliament approved the GDPR in April 2016, giving companies just over two years to comply with the new rules.
Fast forward to today, and the deadline of May 25, 2018 is just around the corner. The regulation is being called one of the most extensive overhauls to data protection rights in recent memory.
The GDPR will replace the previous data protection directive that was put in place in the 1990s to harmonize data privacy laws across Europe. The updated GDPR aims to protect EU citizens by laying out strict requirements on how companies should process, store, and secure citizens’ personal data.
For instance, a few of the key changes under the GDPR include an extended jurisdiction, strengthened conditions for consent, mandatory breach notification, customers’ right to access and the “right to be forgotten,” and the appointment of data protection officers.
To break this down a little bit more, extended jurisdiction means the GDPR will apply to more companies regardless of their location. Basically, if a company is handling the data of an EU resident, it must comply with the regulations, even if the data isn’t being processed in the EU.
Further, organizations must be able to justify their reasons for obtaining data pertaining to an EU citizen, and the request for consent must be straightforward, accessible, and transparent. Breach notification rules will also change: notification becomes mandatory and must be made within 72 hours.
The GDPR also expands the rights of data subjects through the right to access their personal data and request to know how it is being used. In addition, the new regulation gives EU residents the right to be forgotten by requesting the deletion of their personal data.
The GDPR also recommends the appointment of a DPO or data protection officer. Oh, by the way, here’s another acronym you might want to remember. So, a lot of this stuff is already a part of what companies are doing based on industry best practices, but the difference here is that the EU is making this law.
That means there are consequences for not following the law, and that’s where this gets interesting. Again, it’s important to remember the GDPR will apply to any business that handles data on EU residents.
In my next column, I will dig deeper into the implications of this regulation for global companies, including compliance milestones and hurdles and consequences for turning a blind eye. Security is one of two big hurdles we talk a lot about in the IoT, the other being interoperability.
Both issues—data security and device interoperability—affect the industry in a huge way. If we just push forward and ignore the call to make devices secure and interoperable, we’ll be missing out on the long-term vision of the IoT. If you’re interested in diving into the interoperability debate, check out the current issue, in which we delve into this topic extensively during the month of February, and The Peggy Smedley Show.