The Internet of Things and the threat it poses to GDPR compliance

The pending EU General Data Protection Regulation (GDPR) is already significantly impacting businesses across Asia. Slated for mandatory compliance by May 2018, the GDPR will drive significant requirements across all companies dealing with Europe to closely manage and track personal data information. The rules affect every entity that holds or uses European personal data both inside and outside of Europe – including Asia. Organisations need to take action now to make certain they are adequately capturing, integrating, certifying, publishing, monitoring and of course, protecting their data to ensure GDPR compliance. 

Businesses in Singapore will be the most affected in Southeast Asia, since the country is the EU's largest commercial partner in ASEAN, accounting for slightly under one-third of EU-ASEAN trade in goods and services. 

Complying with GDPR and similar regulatory requirements like Singapore’s PDPA is a significant challenge, not least because enterprises have typically locked up or compartmentalised their data in applications silos, spread across legacy and modern systems ranging from 40-year-old mainframes to on-premise storage and the cloud. The challenge is real as according to EY’s Global Forensic Data Analytics Survey 2018, the majority (Singapore 70%, global 78%) consider data protection and data privacy compliance a growing concern. The survey also found that only 12% respondents in Asia-Pacific have a compliance plan that addresses the GDPR, with only 10% of the respondent in Singapore have a GDPR compliance plan in place.

Furthermore, as Singapore aspires to become a Smart Nation, the country’s cloud infrastructure, broadband penetration, and ease of doing business as well as startup-friendly environment are facilitating the growth of Internet of Things (IoT) in the country. Based on IDC's APeJ Nations and IoT: A Comparative Assessment report, Singapore is considered most capable and ready for the Internet of Things (IoT). 

Although IoT offers new ways for businesses to create value, the constant connectivity and data sharing also create new opportunities for information to be compromised. Hence, it’s essential for organisations to know the what, where, and who of their data assets—alongside an understanding of the security measures their organization has in place. With the number of well-publicised data breaches escalating, Asian businesses have so far focused on data security in formulating their response to GDPR. They are typically less well organised in their approach to the data privacy issues surrounding the new regulation, and that’s a serious concern for two main reasons.

First, GDPR has a broad definition of data privacy. It places far-reaching responsibilities on organisations to impose a specific 'privacy by design' requirement and expands the need to implement appropriate technical and organisational measures to ensure data privacy and data protection is no longer an after-thought.

Second, the emergence and growing prevalence of the Internet of Things (IoT) exacerbates these issues. At the heart of IoT is the concept of the always-connected customer. Businesses are looking to generate and capture large volumes of data about customer preferences and behaviours to drive a competitive edge.

Even though much of this data is related to products, rather than data subjects, it still has the potential to impact privacy. Information provided by a connected car, for example, is likely to affect the privacy of the car owner if his ownership of that vehicle is known, even if the data itself is not specifically linked to him. Retailers of connected products are aware that once a product is under a customer’s hands, all data broadcast through their product could be qualified as personal data, which means that they need to apply privacy by design principles together with all their suppliers involved in gathering, storing, and processing the data.

Consumer electronics product developer Vizio was recently fined $2.2 million after the US consumer watchdog found that it had been using content recognition software to track users without obtaining their permission. The company reportedly installed software on 11 million Internet-connected TV sets it had sold to track customers' detailed viewing habits, linked that data with specific household demographics and then sold the information to third-party marketers. In its defence, Vizio said its televisions "never paired viewing data with personally identifiable information such as name or contact information."

The punishment meted out to Vizio sounds like a significant penalty. But, let’s consider that Vizio (now part of LeEco, a Chinese company worth $7.3 billion revenue), delivers its HDTV and soundbars in Europe by May 2018 and faces similar privacy issues: They would then be exposed to a fine of $292 million!

Knowing where your data is
Another big challenge organisations face is knowing both where all of the private, sensitive data within their organisation resides and who is responsible for taking care of it. Many businesses are unclear about this because their data is siloed in different department sales, marketing, finance, services, etc., and that is an increasing concern under the new, more rigorous GDPR stipulations.  

Under GDPR, the data controller must respond to subject access requests within a month, with the possibility of extending this period for particularly complex requests. This is typically more stringent than existing regulations. Under the UK’s Data Protection Act, for example, the response time is 40 days. In addition, the rights for data subjects are not restricted to data access: GDPR also mandates the right for rectification, the right for erasure (also known as the right to be forgotten), the right to restrict data processing, the right to object data processing, or the right to not be evaluated on the basis of automated processing. All those rights have significant impact on the data management practices.

Putting a response in place
So given the issues outlined above, how can Asian organisations best respond to the challenge with respect to their data management practices? In our view, this should start by carrying out an inventory of data so that they at least know exactly what they have and where it is located. Once a clear map of the data has been developed, companies will be better placed to start assigning responsibility for looking after it. That’s in a sense the minimum requirement. However, this can then start to act as the foundation for establishing a stronger data governance policy which is a key element of what GDPR requires.  

Closely linked to data governance is the issue of data quality - an especially pressing concern when organisations are building out their IoT capability. That’s because the desire to keep costs down in the IoT world often means that organisations are forced to work with low-quality networks and data quality may suffer as a result.

In the context of GDPR, data quality and harmonisation can be a critical concern, particularly if it makes it difficult for the organisation to achieve ‘a single view’ of the customer - something which is mandated by the regulation. One of the most significant data quality issues in this context derives from the business keeping separate siloed pools of data which are not readily integrated. Take the scenario where the business knows a customer partly through IoT and partly through its marketing applications.

If the customer then wants to know what private data the business has on him and the organisation ends up just revealing a fraction of that data due to these separate data pools, then it is ultimately the organisation’s responsibility that a full set of data has not been provided. That, in turn, is likely to be a breach of GDPR. It’s a stark warning that to comply organisations effectively need to reconcile the information they get from different parts of their organisation, including IoT.

Scoping the IOT data challenge
IoT is set to bring a raft of benefits to organisations across the world as they generate vast volumes of new data that they can subsequently leverage to help drive the decision-making process. And, because IoT enables companies to connect the physical and the digital world, it provides them with the potential to shape the future of customer experiences. However, as this article has shown, this generated data brings challenges not least in its implications for data privacy and the consequent challenges that businesses will face in achieving GDPR compliance.

With May 2018 fast approaching, time is rapidly running out for Asian businesses. If they want to take advantage of the IoT and ensure they comply with GDPR, they need to put these issues on their boardroom agenda and start actively addressing them right away.