Three Tips to Stay Data Compliant In IoT

Carsten Rhod Gregersen

We live in an era in which data is gold. New technologies are flooding the digital ecosystem and offering new and improved ways for companies to make sense of their data. This is especially true of IoT, which is a sector fueled by big data and consumer insights.

In the context of COVID-19, where the world has gone remote and privacy is arguably more under threat than ever before, it is essential that internet-connected devices are, and remain, data compliant. This necessity is only heightened by the European Union’s General Data Protection Regulation (GDPR), which gives individuals the right to have the personal data an organization holds about them erased.

IoT companies find it difficult to be clear and transparent about how they collect, store, analyze, and share personal data, and regulations such as GDPR continue to test the industry on exactly that point. Failing the test is costly: GDPR fines can reach four percent of a company’s worldwide annual turnover or 20 million euros, whichever sum is higher.

So, let’s explore what device creators can do to ensure they stay data compliant in IoT.

Avoid the Cloud

The most important way to stay compliant is to keep user data off the cloud. Once data is uploaded, the chain of interaction between the client and the device becomes far more complex. Cloud computing poses both security and privacy challenges, and because the data of every user sits in one centralized store, a single leak or cyber-attack can expose all of it at once.

For example, let’s consider how the use of cloud storage impacts the GDPR stipulation that personal data may not be stored longer than needed for its predefined purpose. As a result of this rule, data retention periods must be implemented, and data deletion must be enforced. Both requirements become a challenge with the cloud: data can be stored in multiple locations, under multiple jurisdictions, and by different cloud service providers. Likewise, the device vendor, as the data controller, must be able to show that backup copies are covered too when data is deleted, which it cannot do without knowing where and for how long the provider keeps them. This, combined with the danger of information leaks and third-party breaches, should make IoT device vendors think twice.

In general, if you’re a database-driven IoT company storing data on a centralized cloud, it is often far more difficult to remain compliant with privacy rules. One way to solve this issue is to change the connection type of the device. Peer-to-peer connections, for example, bypass the cloud to provide direct connectivity between the end-user’s client and the device. This reduces latency and keeps the data on the IoT device rather than in the cloud, which also means the device itself must protect it: encrypted storage, authenticated access, and a way to expire and erase records on the device.
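The retention-and-erasure requirement described above becomes tractable once the data lives on the device. The following is an added example (not code from the article or any vendor) of how a device-local store can enforce a retention period and service an erasure request across the live table and a local backup copy, then verify that nothing remains. The schema, table names, function names and the 30-day retention policy are assumptions made for this illustration.

```python
"""Device-local retention and erasure enforcement.

Added example (not code from the article or any vendor): readings live
in an SQLite store on the device itself, expire after a fixed retention
period, and a right-to-erasure request purges the local snapshot table
too, so no copy outlives the request. Schema, names and the 30-day
policy are assumptions made for this illustration.
"""
import sqlite3
import time

RETENTION_SECONDS = 30 * 24 * 3600  # assumed retention policy: 30 days

# Two copies of the same data, as a device with a local backup would have.
TABLES = ("readings", "readings_snapshot")

SCHEMA = """
CREATE TABLE IF NOT EXISTS readings (
    id          INTEGER PRIMARY KEY,
    subject_id  TEXT    NOT NULL,
    recorded_at INTEGER NOT NULL,
    value       REAL    NOT NULL
);
CREATE TABLE IF NOT EXISTS readings_snapshot (
    id          INTEGER PRIMARY KEY,
    subject_id  TEXT    NOT NULL,
    recorded_at INTEGER NOT NULL,
    value       REAL    NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_readings_subject ON readings(subject_id);
"""


def open_store(path=":memory:"):
    """Open (or create) the on-device store; ':memory:' keeps the demo offline."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record(conn, subject_id, value, now=None):
    """Store one reading for a data subject together with its capture time."""
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT INTO readings (subject_id, recorded_at, value) VALUES (?, ?, ?)",
        (subject_id, now, value),
    )
    conn.commit()


def snapshot(conn):
    """Refresh the local backup copy, as a periodic backup job would."""
    conn.execute("DELETE FROM readings_snapshot")
    conn.execute("INSERT INTO readings_snapshot SELECT * FROM readings")
    conn.commit()


def purge_expired(conn, now=None, retention=RETENTION_SECONDS):
    """Enforce the retention period on the live table and the backup alike."""
    now = int(time.time()) if now is None else now
    cutoff = now - retention
    deleted = 0
    for table in TABLES:  # fixed identifiers from TABLES, never user input
        deleted += conn.execute(
            f"DELETE FROM {table} WHERE recorded_at < ?", (cutoff,)
        ).rowcount
    conn.commit()
    return deleted


def erase_subject(conn, subject_id):
    """Service a right-to-erasure request: remove every copy, then VACUUM
    so freed database pages do not keep the old rows around on flash."""
    deleted = 0
    for table in TABLES:
        deleted += conn.execute(
            f"DELETE FROM {table} WHERE subject_id = ?", (subject_id,)
        ).rowcount
    conn.commit()
    conn.execute("VACUUM")
    return deleted


def count_for_subject(conn, subject_id):
    """Verification step: how many rows still mention this subject anywhere."""
    return sum(
        conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE subject_id = ?", (subject_id,)
        ).fetchone()[0]
        for table in TABLES
    )


def demo():
    """Constructed scenario: one stale and one fresh reading for user-a,
    one fresh reading for user-b, then a backup, a purge and an erasure."""
    conn = open_store()
    t0 = 1_700_000_000
    record(conn, "user-a", 21.5, now=t0 - 40 * 24 * 3600)  # past retention
    record(conn, "user-a", 21.7, now=t0 - 1 * 24 * 3600)
    record(conn, "user-b", 19.9, now=t0 - 2 * 24 * 3600)
    snapshot(conn)
    expired = purge_expired(conn, now=t0)    # stale row, in both tables
    erased = erase_subject(conn, "user-a")   # live row plus its backup copy
    return (expired, erased,
            count_for_subject(conn, "user-a"), count_for_subject(conn, "user-b"))


if __name__ == "__main__":
    print(demo())
```

The point of running the purge and the erasure over every table in one place is that the backup copy is deleted by the same code path as the live data, so the vendor can state that no copy survived the request; the final count is the evidence for that statement.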

Reduce The Data Collected

With the cloud taken care of, it is also important for device creators to consider the data they collect and how this can impact compliance. Most IoT companies create, collect, organize and store enormous volumes of data daily. Data collected with the user’s consent is not in itself a problem under the GDPR, but data collected without consent, especially vast amounts of information that is hard to keep track of, can make things difficult.

Perhaps it sounds too simple, but one solution is for companies to collect less data from their clients. The idea is that with less data, there are fewer compliance risks. Proven approaches for reducing the volume of collected IoT data are data aggregation, filtering, interpretation, and compression at the sensor or IoT edge level, as close to the data source as possible. Companies can also perform an audit to see exactly what data they are collecting, whether each item is necessary, and whether it can be reduced.
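As an added example of the edge-level filtering and aggregation just described, combined with the collection audit, the following code (not from the article or any vendor) filters glitchy sensor readings, aggregates what remains into per-window statistics, and then strips every field that has no declared purpose before anything is transmitted. The sample records, field names, sensor range, window size and purpose register are all constructed for this illustration.

```python
"""Edge-side data minimisation before anything leaves the device.

Added example (not code from the article or any vendor): raw sensor
samples are filtered for glitches, aggregated into per-window statistics
and reduced to a declared field allowlist, so only data with a stated
purpose is transmitted. The sample records, field names, sensor range
and window size are all constructed for this illustration.
"""
from collections import defaultdict
from statistics import mean

# Purpose register: every outbound field must map to a declared purpose.
# A field that is not listed here is stripped before upload (assumed policy).
ALLOWED_FIELDS = {
    "window_start": "align readings to the billing period",
    "temp_mean": "comfort control",
    "temp_min": "comfort control",
    "temp_max": "comfort control",
    "sample_count": "sensor health monitoring",
}

VALID_RANGE = (-40.0, 85.0)   # assumed sensor operating range in degrees C
WINDOW_SECONDS = 600          # ten-minute aggregation window

# Constructed raw samples: the firmware also tags each reading with the
# device, the account and the device's location.
BASE_TS = 1_700_000_400
RAW_SAMPLES = [
    {"device_id": "dev-01", "user_id": "u-42", "lat": 55.67, "lon": 12.57,
     "ts": BASE_TS, "temp_c": 21.4},
    {"device_id": "dev-01", "user_id": "u-42", "lat": 55.67, "lon": 12.57,
     "ts": BASE_TS + 120, "temp_c": 21.6},
    {"device_id": "dev-01", "user_id": "u-42", "lat": 55.67, "lon": 12.57,
     "ts": BASE_TS + 240, "temp_c": 999.0},   # sensor glitch
    {"device_id": "dev-01", "user_id": "u-42", "lat": 55.67, "lon": 12.57,
     "ts": BASE_TS + 700, "temp_c": 22.0},
]


def filter_samples(samples, valid_range=VALID_RANGE):
    """Drop physically impossible readings so they never need storing."""
    lo, hi = valid_range
    return [s for s in samples if lo <= s["temp_c"] <= hi]


def aggregate(samples, window=WINDOW_SECONDS):
    """Collapse raw readings into per-window statistics. Identifiers and
    location are carried along here, as a naive implementation would do;
    the allowlist step decides whether they may leave the device."""
    buckets = defaultdict(list)
    for s in samples:
        buckets[s["ts"] - s["ts"] % window].append(s)
    records = []
    for start in sorted(buckets):
        group = buckets[start]
        temps = [s["temp_c"] for s in group]
        records.append({
            "window_start": start,
            "temp_mean": round(mean(temps), 2),
            "temp_min": min(temps),
            "temp_max": max(temps),
            "sample_count": len(temps),
            "device_id": group[0]["device_id"],
            "user_id": group[0]["user_id"],
            "lat": group[0]["lat"],
            "lon": group[0]["lon"],
        })
    return records


def minimise(records, allowed=ALLOWED_FIELDS):
    """Keep only fields with a declared purpose; report what was stripped
    so the collection audit has something concrete to review."""
    stripped = set()
    outbound = []
    for rec in records:
        outbound.append({k: v for k, v in rec.items() if k in allowed})
        stripped.update(k for k in rec if k not in allowed)
    return outbound, stripped


def pipeline(samples):
    """Full edge pipeline: filter, aggregate, minimise; returns an audit trail."""
    clean = filter_samples(samples)
    outbound, stripped = minimise(aggregate(clean))
    return {
        "dropped_samples": len(samples) - len(clean),
        "outbound": outbound,
        "stripped": stripped,
    }


if __name__ == "__main__":
    result = pipeline(RAW_SAMPLES)
    for rec in result["outbound"]:
        print(rec)
    print("stripped before upload:", sorted(result["stripped"]))
```

Two design points matter here: the allowlist is the audit artefact (a field that cannot be tied to a purpose never gets an entry, so it never leaves the device), and the four raw readings collapse into two records that carry no account, device or location identifiers at all.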

Be Open About Your Policy

The remote reality of today has only increased the importance of user trust and cybersecurity. In this sense, companies that do not respect user data rights not only run the risk of failing compliance but damaging their reputation. So, my final piece of advice is to be open about your policy. Avoid jargon, be upfront and make your company’s policy clear to employees and customers alike.

The GDPR applies along the entire data supply chain, from collection through processing to sharing, and it expects awareness of what is collected at every stage. IoT companies can explain exactly what data is being collected, at what stage it is being collected, and why. Further, companies are also best advised to clearly explain how the data will be processed, who can access it, and how it will be protected from data breaches.

Keeping things simple for both regulators and customers is the best way to approach IoT data compliance going forward. After all, the driving force behind these regulations is to protect the user, and companies that act in the user’s best interest will avoid large fines and build stronger customer relationships. Especially when skepticism about cybersecurity is at an all-time high, companies that prioritize privacy by staying away from the cloud, reducing the data they collect, and being open about their data policy will only grow.