Three Tips for Maintaining Data Compliance in the Internet of Things

2026-04-06 04:23:15

In the context of COVID-19, the world has become more remote, and privacy is arguably more threatened than ever before, making data compliance essential for internet-connected devices. This necessity is only further amplified by the EU's General Data Protection Regulation (GDPR) and the right of organizations and individuals to request the deletion of their personal data.

While it's difficult for IoT companies to clearly and transparently understand how they collect, store, analyze, and share personal data, regulations such as the GDPR continue to test the industry. Furthermore, failing this privacy test can be costly. For example, if a company fails to comply, it could face fines of up to 4% of its annual turnover or fines equivalent to millions of euros, whichever amount is higher.

Therefore, let's explore what device creators can do to ensure they maintain data compliance in the Internet of Things.

Avoid the cloud

The most important way to maintain compliance is to keep user data outside the cloud. This is because once uploaded to the cloud, the entire interaction chain between the client and the device becomes much more complex. Cloud computing presents security and privacy challenges; if you experience a leak or cyberattack, all data on the centralized cloud will be affected.

For example, let's consider how cloud storage affects compliance with the GDPR, which stipulates that personal data must not be stored for longer than necessary for its predefined purpose. This rule necessitates data retention periods and mandatory data deletion. Both of these requirements present challenges for the cloud: the difficulty lies in the fact that data can be stored in multiple locations, in multiple jurisdictions, and with different cloud service providers. Similarly, providers have a responsibility to demonstrate that any backups were considered when deleting data. Coupled with the risks of information leaks and third-party breaches, IoT device vendors should think twice before proceeding.

Generally, if you're a database-driven IoT company that stores data in a centralized cloud, complying with privacy rules is often much more difficult. One way to address this is to change the type of connectivity for your devices. For example, peer-to-peer connections bypass the cloud to provide direct connections between end-user clients. This solves the latency problem and ensures that data is securely stored on the IoT devices, not in the cloud.

Reduce the amount of data collected

With cloud computing becoming increasingly important, it's crucial for device creators to consider the data they collect and how this impacts compliance. Most IoT companies create, collect, organize, and store massive amounts of data daily. While data collected with user consent isn't a GDPR issue, storing data without user consent, especially large amounts of information that are difficult to track, can complicate matters.

This might sound too simplistic, but one solution is for companies to collect less data from their customers. The idea here is less data, less compliance risk. A proven way to reduce the amount of IoT data collected is to aggregate, filter, interpret, and compress data at the sensor or IoT edge level, as close to the data source as possible. Companies can also conduct audits to understand precisely what data they are collecting, whether it is necessary, and whether this data can be reduced.
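A minimal sketch of edge-side reduction combined with a retention purge, added here as an illustration and not taken from the article or any vendor's code. The field names, the 5-minute window, the allow-list and the sample readings are all assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample readings, as a device might produce them before upload.
RAW_READINGS = [
    {"ts": 1000, "device_id": "thermo-01", "owner_email": "a@example.com",
     "gps": (55.67, 12.56), "temp_c": 21.4},
    {"ts": 1100, "device_id": "thermo-01", "owner_email": "a@example.com",
     "gps": (55.67, 12.56), "temp_c": 21.8},
    {"ts": 1250, "device_id": "thermo-01", "owner_email": "a@example.com",
     "gps": (55.67, 12.56), "temp_c": 22.0},
]

ALLOWED_METRICS = {"temp_c"}  # assumption: the only field the stated purpose needs
WINDOW_S = 300                # assumption: 5-minute aggregation window


def minimise(readings, window_s=WINDOW_S, allowed=ALLOWED_METRICS):
    """Filter to allow-listed metrics and aggregate them per time window.

    Identifiers and location never leave this function: only fields named
    in `allowed` are read, everything else is dropped on the device.
    """
    buckets = defaultdict(list)
    for r in readings:
        window_start = r["ts"] - r["ts"] % window_s
        for metric in r.keys() & allowed:
            buckets[(window_start, metric)].append(r[metric])
    return [
        {"window_start": w, "metric": m, "count": len(v),
         "min": min(v), "max": max(v), "mean": round(mean(v), 2)}
        for (w, m), v in sorted(buckets.items())
    ]


def purge_expired(summaries, now, retention_s, window_s=WINDOW_S):
    """Keep only summaries whose window ended after the retention cutoff."""
    cutoff = now - retention_s
    return [s for s in summaries if s["window_start"] + window_s > cutoff]


if __name__ == "__main__":
    stored = minimise(RAW_READINGS)
    print(stored)
    print(purge_expired(stored, now=1600, retention_s=300))
```

Because the allow-list is applied before anything is stored, the audit question of what data is collected reduces to reviewing `ALLOWED_METRICS`.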

Be open about your policies

Today's remote reality only amplifies the importance of user trust and cybersecurity. In this sense, companies that fail to respect user data rights not only risk compliance failures but also damage their reputation. Therefore, my final advice is to be open about your policies. Avoid jargon, be frank, and ensure that employees and customers are clear about your company's policies.

EU data compliance regulations apply throughout the data supply chain to establish awareness of data collection. IoT companies can clearly explain what data they are collecting, at what stage, and why. Furthermore, companies are best advised to clearly explain how the data will be processed, who has access to the data, and how the data will be protected from data breaches.

For regulators and customers alike, keeping things simple is the best way to achieve IoT data compliance. After all, the driving force behind these regulations is to protect users, and companies that act in their users' best interests will avoid hefty fines and benefit from improved customer relationships. Especially with cybersecurity concerns at all-time highs, there will only be more companies prioritizing privacy by moving away from the cloud, reducing the amount of data collected, and adopting open data policies.
