IoT has immense importance in highly regulated industries: smart devices and wearable tech can help collect data and produce insights on user health, IoT technologies can enrich the learning experience, from kindergarten to university studies. They can improve public management of city infrastructure and overall increase the quality of numerous aspects of life.
At the same time, IoT players in regulated industries need to work out a stringent regulatory landscape. A tough challenge from a comprehensive data collection and processing strategy to ensuring compliance with retention periods and ediscovery requests and ultimately delivering services to customers while protecting their privacy is a tough challenge.
This requires a data strategy that’s continually evolving, including input from all stakeholders, constantly revising where the company data is and what might become of it. And this challenge is further exacerbated by specificities that regulate each industry, and quite often, the regulations lag behind the technological advances. If we were to extract these, we come down to four essential questions:
- Do you capture and preserve all the data?
- What format is your data kept in?
- How modular and customizable are your data archives?
- Do you implement consistent IoT data policies?
Capturing and Preserving Totality of IoT Data
The first essential step in ensuring compliance is ensuring that all the data is kept and preserved, as data-keeping regulations dictate that all business data is properly preserved. What do we mean by this? Any data related to IoT products or any data generated in the course of day-to-day operations.
Highly regulated industries, including healthcare, financial institutions, schools, or government, need to preserve all the business records from any device, account, or communication channel. For IoT companies, this scope is clearly a lot broader. IoT companies work with sensitive data from dozens and hundreds of connected devices and accounts, and thus capturing all this data can be a fraught opportunity for non-compliance.
Of course, it goes without saying that data needs to be kept in unalterable, read-only format and that the data repository is non-impregnable, fully in line with top security standards.
Preparing IoT Data for Disclosure and Ediscovery
Preserving the data is only one part of the equation. The second one is retaining the data in the right format that can be used later. When working in the IoT industry, a lot of data is unstructured, which means that before the data is prepared for legal proceedings and ediscovery requests, they need to be moved to the right format.
As a general principle, most ediscovery requests require that you deliver the records that pertain to a particular client, but also the metadata: this means you should always make sure to provide information on:
- When the data is created
- If it was modified
- if it was assessed or retrieved or attempted to be assessed, and by who in the meantime
As you can see, this is just the bare necessity. The more sensitive information in question, the more stringent the requirements on how the data needs to be regulated.
IoT Compliance is a Team Sport
We’ve mentioned that a data strategy needs to be evolving along with the product roadmap.
Already from the MVP stages, IoT companies need to know exactly where the data is coming from, where it’s stored, who should nurture it, who should access it, how it is collected from devices, and then constantly communicating this information across the board.
Given the volume of data generated, everyone must be on the same page regarding how costly non-compliance is. Back in 2016, a company had to pay $1.5. billion worth of settlement for disclosing customer biometric data.
The bottom line is that everyone in the company generates data; by updating company profiles, communicating with customers, suppliers, or amongst themselves, or simply collecting and processing information, all our team members generate and handle business records that need to be kept tight.
Only through this comprehensive data strategy that’s nimble enough to keep up with the product development can the company account for each bit of information and ensure full compliance down the line.