Personal blood sugar monitors are typical of the sort of common medical devices that have revolutionized patient care around the world. They allow users to read their blood sugar levels accurately and determine any further treatment that might be required. When the monitor is connected to a smartphone, cloud services can also be leveraged to provide further insight and analysis. However, while such devices empower the user they also put them at greater risk of personal data loss and misuse.
“Whether in healthcare (monitoring devices), the automobile industry (connected cars), agriculture (precision farming) or appliances in the home environment, Internet of Things (IoT) devices generate an unprecedented amount of data, which – as in the case of the blood sugar monitor – is often of a sensitive and personal nature,” says Bart Willemsen, research director at Gartner.
Gartner predicts that, by 2021, regulatory compliance for critical infrastructure will drive IoT security spend to $1 billion globally, up from less than $100 million today. Security and risk management (SRM) leaders must ensure that their personal data management strategies address end users’ concerns in applying IoT in their daily lives.
Undertake Continuous Risk Assessment
As regulations and consumer awareness of privacy increase, SRM leaders must base their approach on continuous risk assessment. There is a need for clear guidelines on the retention, use and security of the data.
Existing and upcoming privacy laws, including the European General Data Protection Regulation (GDPR), will dramatically impact an organization’s strategy, purpose and methods for processing personal data in IoT.
“Much of the data generated in IoT will be considered ‘private’ or ‘personal’, and therefore requires appropriate protection,” says Willemsen. “SRM leaders must ensure that organizations aren’t overstepping their boundaries when it comes to data collection, especially if clients and consumers aren’t kept properly informed. They must engage with stakeholders and get involved in all IoT initiatives to influence design principles, ensure personal data generated is adequately protected and determine appropriate method(s) of enforcement, balancing the measure to the risk.”
Seek Legal Counsel
Existing and upcoming privacy laws, including the European General Data Protection Regulation (GDPR), will dramatically impact an organization’s strategy, purpose and methods for processing personal data in IoT. Jurisdictions such as Australia, Canada and the EU advocate the “purposeful use” of personal data. “Determining the reasons for processing personal data is imperative to assess possible gaps in compliance. Once processing purposes are defined and documented, it is far easier to decide what data is necessary to achieve that purpose,” says Willemsen. “To mitigate risk from abuse, loss, misinterpretation or other unintended negative results, it is key to control the data life cycle in connection with the identified purposes.”
Organizations must enable business stakeholders to increase control throughout the personal data life cycle and assess risks with legal counsel for regulatory non-compliance in all business-relevant jurisdictions. Data retention schemes should be defined and documented in accordance with purpose of use and excess data should be removed at the end of its defined life cycle.
Focus on Long Term Privacy Compliance
Many IoT devices will process data in insufficiently protected states, posing significant challenges to SRM leaders seeking to ensure data security and privacy compliance. Critical areas to focus on include data flow, threat response and people awareness. Furthermore, they will need to determine if the business aims to launch an IoT initiative on legacy devices or on new custom devices that allow influencing the security design. Each scenario will require a different approach to enable security, and ultimately ensure privacy.