29. January 2020

Responsible use of data in the age of IoT (Internet of Things)

European data protection law grants individuals privacy rights with regard to their personal data, such as the right to information and the rights to request access, correction or erasure. Organizations in charge of processing personal data have obligations towards the data subjects who exercise those rights, including keeping the data secure.

Today, individuals have more power and control over their personal information, and they make more informed choices before handing personal data to organizations. That places an enormous amount of responsibility on the organizations that collect and process it.

Fairness, transparency, and security are central topics of today’s business environment and they must be embedded in every process, strategy, and application. Organizations should answer the following questions before they develop software, start projects, or choose a tool or service provider:

· Does it respect relevant privacy principles?

· Does it comply with applicable laws and regulations?

· Does it create legal or compliance risks?

Recent advances in technology have a major impact on data security and privacy governance. The wide adoption of software as a service, the rise of the Internet of Things (IoT), cloud computing and agile software development have significantly changed how, and to what extent, personal information is collected and processed across multiple entities. Each of these developments also opens new doors to data breaches and infringements of privacy rights.

IoT device manufacturers are expected to comply with new laws and to apply "privacy by design". This, however, presents financial and technological challenges that not every manufacturer can fully address, which means users' data is not always secure.

According to an infographic by Cisco Systems, it is estimated that by 2020 there will be about 50 billion physical devices connected to the IoT, ranging from handheld devices to cardiac monitors.

The fact is that any vulnerability in a device connected to the Internet of Things can be exploited, leaving the targeted device open to criminal activity and, where the device controls something physical, to physical manipulation.

In recent years, data breaches have become both more common and more severe. In its Global Risks Report for 2019, the World Economic Forum (WEF) placed data theft and data fraud at number 4 and cyberattacks at number 5 in the top 10 risks that are most likely to occur in the global risk landscape.

Over the past few years, numerous issues have arisen concerning how companies process and protect personal data. In the Cambridge Analytica scandal, personal data was processed for political and economic purposes without the consent of the citizens concerned. IBM puts the cost of a data breach affecting more than 50 million records at $350 million.


The new European data protection legislation (General Data Protection Regulation, GDPR) has applied since 25 May 2018. It aims to make companies and public administrations genuinely accountable for protecting the personal data of individuals.

Despite the strict fines that the GDPR allows, most businesses, particularly in Europe, choose not to publicly disclose data breaches. A recent study found that fewer than one fifth of companies had shared official information about the breaches they suffered during the last five years.

This strengthening of data protection requires those responsible for processing to take effective measures: to manage data transparently, to reinforce the mechanisms for obtaining valid consent, and to apply security measures proportionate to the risk posed by each processing activity.

Organizations also have to understand that the information in their databases does not belong to them, and that they may only use it within the limits of the permission previously granted by the individuals it describes.

Complying with complex laws and regulations requires in-depth knowledge of the entire privacy life cycle and protection of the information at every stage, from its initial collection to its deletion.