IoT in the age of GDPR: 3 tips for success
How all global organizations can use GDPR as an opportunity to build best practices for IoT.
As organizations are beginning to build digital strategies that span web, mobile, and connected devices, they are encountering a new business landscape that poses unprecedented challenges around data management, integration, user experience, and security.
With the Internet of Things (IoT) driving a large part of this digitalization, enterprises are becoming more global and more connected than ever before. The line between industries is blurring as application programming interfaces (APIs) exchange data between app providers, payment processors, health and medical services, and consumer devices – to name just a few examples of their reach. It is vital then that modern organizations approach digital business with an international and industry-agnostic mindset.
Trust in technology, and its components of privacy and security, is an issue driving customer attention worldwide. This will translate increasingly to global regulatory mandates and legislation. Organizations therefore must be aware of how the regulations, challenges, and opportunities of doing business in specific countries or verticals will impact their enterprise – either directly or through their customers, partners, and the business landscape at large.
GDPR is one topical example. Although it is a European law, it will affect the majority of global businesses – especially those investing in IoT. Let’s look at the top three tips for preparing your IoT strategy for GDPR.
As the number of connected devices and services grows with your IoT strategy, it can be easy to simply collect as much data as possible. But with GDPR, businesses must decide if the value of data is worth the effort it will take to obtain the appropriate permissions and to put in place adequate security to safeguard it.
For example, IP address and GPS location are considered personal data, and will require a clear legal ground to use. GPS location has been a fairly standard data type to collect from mobile apps and connected devices, and provides value to many IoT solutions. Businesses must decide whether they will continue to collect this data, and if so, how to build the necessary features within their apps to obtain user permission.
Biometrics are also considered a special category under GDPR with more stringent regulations for their collection and use. As connected devices like Amazon’s Alexa enable new digital experiences such as voice recognition for mobile banking, global organizations building these types of integrations for customers must take into account GDPR and other privacy and security compliance requirements.
GDPR provides a strong framework for all companies to approach data protection: building security and privacy by design into IoT deployments. As you develop and build new applications, you must integrate a privacy and security mindset throughout that process, not simply for compliance purposes but also to drive real business differentiation.
For example, you need to ask where data is stored, how it is secured, and who has access to it. Such thinking will allow your business to gain value from IoT, as data must not be locked up in legacy systems or in silos. Rather, a high degree of integration must exist for data flowing from connected devices, apps, business systems, and third parties.
Securing this data while enabling access will be crucial. This means supporting robust and scalable security from device to app to API to protect the “triangle of trust” – users, apps, and devices. To do so, enterprises must know where their data lives and be able to drill down to granular data, such as at the device level. This enables both analysis and the ability to delete a specific consumer’s data when required to under GDPR.
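The two ideas above (collect a personal-data field only where there is a recorded legal ground or consent, and know where every subject’s data lives so it can be found and deleted down to the device level) can be sketched in code. The following is an added illustration, not CA’s code or any product API; the field classifications, legal bases, store names and records are constructed for the example.

```python
"""Added example: a small privacy-by-design data layer that
(1) refuses to store a personal-data field without a recorded legal basis
    (and, for consent-based fields, without that user's consent),
(2) records which store and which device each record belongs to, and
(3) can locate and erase everything held about one data subject.
All categories, bases and sample records are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Classification following the article's examples: IP address and GPS location
# are personal data; a voiceprint (biometric) is special-category data.
FIELD_CATEGORY = {
    "ip_address": "personal",
    "gps_location": "personal",
    "voiceprint": "special",
    "firmware_version": "none",   # not personal data
}

# Legal basis the business has documented per field (constructed values).
# No entry means "no legal ground recorded, do not collect".
LEGAL_BASIS = {
    "ip_address": "legitimate_interest",
    "gps_location": "consent",
    "voiceprint": "explicit_consent",
}
CONSENT_BASES = {"consent", "explicit_consent"}


@dataclass
class Record:
    subject_id: str          # the person the data is about
    device_id: str           # the connected device it came from
    fields: Dict[str, str]


class DataStore:
    def __init__(self, name: str):
        self.name = name
        self.records: List[Record] = []


class Inventory:
    """Tracks every store and which subject/device each record belongs to."""

    def __init__(self):
        self.stores: Dict[str, DataStore] = {}

    def add_store(self, name: str) -> None:
        self.stores[name] = DataStore(name)

    def ingest(self, store: str, subject_id: str, device_id: str,
               fields: Dict[str, str], consents: Set[str]) -> List[str]:
        """Keep only fields we may lawfully hold; return the names dropped."""
        kept: Dict[str, str] = {}
        dropped: List[str] = []
        for name, value in fields.items():
            # Unknown fields are treated as personal data (safe default).
            category = FIELD_CATEGORY.get(name, "personal")
            basis = LEGAL_BASIS.get(name)
            if category == "none":
                kept[name] = value
            elif basis is None:
                dropped.append(name)            # no documented legal ground
            elif basis in CONSENT_BASES and name not in consents:
                dropped.append(name)            # consent required but absent
            else:
                kept[name] = value
        if kept:
            self.stores[store].records.append(Record(subject_id, device_id, kept))
        return dropped

    def locate(self, subject_id: str) -> List[Tuple[str, str, List[str]]]:
        """Where does data about this subject live? -> (store, device, fields)."""
        hits = []
        for store in self.stores.values():
            for r in store.records:
                if r.subject_id == subject_id:
                    hits.append((store.name, r.device_id, sorted(r.fields)))
        return hits

    def erase(self, subject_id: str) -> int:
        """Erasure request: remove every record about the subject; return count."""
        removed = 0
        for store in self.stores.values():
            before = len(store.records)
            store.records = [r for r in store.records if r.subject_id != subject_id]
            removed += before - len(store.records)
        return removed
```

The point of `locate` is that an erasure request can only be honoured if the inventory already knows every store and device that holds a subject’s data; bolting that lookup on after the fact is what the “data locked up in silos” warning above is about.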
Organizations with an IoT strategy are likely supporting a number of integrations at the device, system, or partner level. This exchange of data opens the enterprise to compromise for which it may be liable under GDPR, posing implications for many global, IoT-driven companies with broad partner or integration ecosystems.
For these organizations, robust API management solutions provide security at the API level to protect enterprise data leaving the organization. They enable authorization and access management that ensures only trusted third parties have access to data, and only to the data that the business has designated or is legally able to share. This makes it easier to track permissions at a high level for partners and consumers.
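What “only trusted third parties, and only the designated data” looks like at the API layer can be shown with a small gateway. This is an added example, not CA’s API management product or its API: the partner registry, HMAC request signing, scope names and the device record are all constructed for the illustration.

```python
"""Added example: an API-gateway style authorization layer. A partner must be
registered and active, present a valid signed request, and hold the scope it
asks for; the response is then filtered to the fields designated for that
scope, so fields outside every scope never leave the organization.
Partners, secrets, scopes and the device record are constructed values."""
import hashlib
import hmac
import time
from typing import Dict, List, Tuple

# Fields the business has designated per scope. Location (personal data) is
# only in the narrow "support" scope; owner_email is in no scope at all.
SCOPE_FIELDS = {
    "analytics": {"device_id", "firmware_version", "battery_pct"},
    "support": {"device_id", "firmware_version", "battery_pct", "gps_location"},
}

# Trusted partners and the scopes granted to each (constructed registry).
PARTNERS = {
    "partner-analytics": {"secret": b"constructed-secret-1", "scopes": {"analytics"}, "active": True},
    "partner-repair": {"secret": b"constructed-secret-2", "scopes": {"support"}, "active": True},
    "partner-former": {"secret": b"constructed-secret-3", "scopes": {"support"}, "active": False},
}

# Constructed device record; note it holds more than any partner may see.
DEVICES = {
    "dev-42": {"device_id": "dev-42", "firmware_version": "1.2.0", "battery_pct": "81",
               "gps_location": "51.50,-0.12", "owner_email": "owner@example.com"},
}


def sign_request(partner_id: str, secret: bytes, scope: str, path: str, ts: int) -> str:
    """HMAC-SHA256 over the request parameters; the partner computes the same."""
    msg = f"{partner_id}|{scope}|{path}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, records: Dict[str, Dict[str, str]], max_skew: int = 300):
        self.records = records
        self.max_skew = max_skew          # seconds of clock skew tolerated
        self.audit: List[dict] = []       # every decision is logged

    def _decide(self, partner_id, scope, path, decision, reason) -> None:
        self.audit.append({"partner": partner_id, "scope": scope, "path": path,
                           "decision": decision, "reason": reason})

    def handle(self, partner_id: str, scope: str, path: str, ts: int,
               signature: str, now: float = None) -> Tuple[int, Dict[str, str]]:
        now = time.time() if now is None else now
        partner = PARTNERS.get(partner_id)
        if partner is None or not partner["active"]:
            self._decide(partner_id, scope, path, "deny", "unknown or revoked partner")
            return 403, {}
        if abs(now - ts) > self.max_skew:
            self._decide(partner_id, scope, path, "deny", "stale timestamp")
            return 403, {}
        expected = sign_request(partner_id, partner["secret"], scope, path, ts)
        if not hmac.compare_digest(expected, signature):
            self._decide(partner_id, scope, path, "deny", "bad signature")
            return 403, {}
        if scope not in partner["scopes"]:
            self._decide(partner_id, scope, path, "deny", "scope not granted")
            return 403, {}
        device_id = path.rsplit("/", 1)[-1]
        record = self.records.get(device_id)
        if record is None:
            self._decide(partner_id, scope, path, "deny", "no such device")
            return 404, {}
        # Filter to the designated fields only; everything else stays inside.
        body = {k: v for k, v in record.items() if k in SCOPE_FIELDS[scope]}
        self._decide(partner_id, scope, path, "allow", "fields=" + ",".join(sorted(body)))
        return 200, body
```

Two design choices matter here: the field allow-list is keyed by scope rather than by partner, so the business decides once what each kind of integration may see, and the audit list records every allow and deny with its reason, which is the “track permissions at a high level” part of the tip.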
Building a digital strategy with the above three tips in mind better prepares you for success in IoT, taking into account GDPR and what comes next.
To learn more about GDPR, hear from CA’s Chief Privacy Strategist.
Visit CA’s IoT resource hub for more information on building a secure, scalable IoT strategy.