Blog

Three ways the Internet of Things and the GDPR will impact Third Party Risk

As the Internet of Things (IoT) evolves, it will offer organizations the opportunity to create an unprecedented range of potential products and services. By embedding the internet into computer systems inside of cars, appliances, and other physical things, manufacturers will be able to offer new functionality as well as additional services. Smart homes and intelligent cars are already on the consumer market in many countries. Applications for this technology in a business-to-business environment are equally promising.

The IoT rests on the use of the data that IoT devices generate to shape additional engagement. For example, a television that is IoT enabled will create data around what is being viewed and when. For the user, this could be valuable – the device could suggest programming, or automatically record things it knows its users watch. This data could also be combined with information from other sources – area social-economic data, for example – to create a generic user profile for a neighborhood. This data could then be sold to marketing companies keen to better understand the dynamics of their audience. A TV manufacturer who didn’t get user permissions correct was recently fined in the US for doing just this.

For some opportunities, organizations may wish to partner with third parties – for example, if delivering a new service that is related to a product but not in an area of core competency. An example of this might be a concierge service for a car based on the data the car was sending back via the IoT. Other organizations may vertically integrate or evolve, acquiring new types of operations to help grow an IoT-based offering. Such expansion will most likely bring it into relationship with new third parties too.

Other organizations may not immediately recognize applicability of the IoT in their industry – these are, after all, early days. However, they need to be aware of the IoT because their third or fourth parties may be – consciously or unconsciously – using IoT devices to manufacture products or deliver services on behalf of the organization. Today office equipment may have IoT devices embedded into it, for example.

And so, with opportunity comes risk.

A recent study by the Ponemon Institute, The Internet of Things (IoT): A New Era of Third Party Risk” May 2017, that was conducted in association with Shared Assessments found that:

  • 94% of respondents believed that an IoT incident could be catastrophic in their organization
  • 78% of respondents believed that loss or theft of data could be caused by IoT at their organization
  • 76 % of respondents believed that a cyber-attack could be executed through IoT at their organization.

Added to the layers of risk associated with IoT, is new and encompassing regulation in the form of the EU General Data Protection Regulation (GDPR). While organizations in all jurisdictions need to be aware of potential risks that the IoT may pose, those which are exposed to the European Union’s General Data Protection Regulation (GDPR) need to be even more thoughtful about the impact that the IoT may have.  

Below are three key risks that organizations – and in particular those which are governed by the GDPR - need to keep in mind as they approach the new Era of the IoT.

Risk 1: Response to breaches.
Today, the news is full of organizations that have suffered security breaches of their networks – from big, global corporations to political parties. The impact that such a security breach can have is devastating. With the IoT, the impact could potentially be even more threatening. Instead of “just” stealing data, an IoT hack could potentially take over the functionality of the device being hacked. For example, a IoT-hacked car could be driven off the road, or the systems and controls of a home could be manipulated. Another issue is the potential loopholes in firewalls – giving access to networks – that a poorly-designed IoT device could provide. The entry point could be a networked printer, a security camera, or a climate control device. Once inside the network, hackers could create mayhem.

The GDPR explicitly introduces a general mandatory notification regime. When there is a personal data breach, a supervisory authority needs to be notified within 72 hours once an organization becomes aware of a breach, and impacted individuals must also be notified if a certain threshold is met. With the IoT weaving personal data into the very fabric of goods, services, and companies, it’s clear that organizations and third parties are exposed like never before.

Risk 2: Consent and Privacy by Design.
A second area of concern forms around the way IoT products and services engage with clients. One area of focus is the ability of third parties – as well as the organizations they partner with – to embed “consent” into IoT devices and the materials that accompany them. The GDPR requires organizations to obtain a fairly high quality of consent from customers/users about the way their personal data will be used. Consent must be active – not the result of inactivity or pre-ticked boxes. The person giving consent must also understand how their personal data is being worked with – and this is the challenge, given the complexity of how this information may be used in products and services. Some legal experts even question the ability of IoT products and services to obtain the GDPR’s standard of consent at the moment. Companies and their third parties will have to ensure consent from clients covers both organizations.

Related to this is the idea in the GDPR of “privacy by design” and “privacy by default.” All of the data that a IoT device creates will need to be classified as personal data, even if the data is not specifically linked to the owner of the device. This means that this data will need to be treated as personal information in the way it is gathered, stored and processed. All products and services will need to be designed from the beginning to take these requirements into account – which could be a difficult task, made even more complex by the presence of third, and fourth parties. 

Risk 3:  Knowing where all the data resides.
A third area of focus for organizations and third party partners is knowing where all the data is, and being able to evidence this data to regulators and customers. For example, under the GDPR, an organization must be able to respond to a request by a client to see all of the data held on themselves within one month. There are a range of rights associated with this, including the right of rectification, the right for erasure (also known as the right to be forgotten), the right to restrict data processing, the right to object data processing, and the right to not be evaluated on the basis of automated processing. Being able to connect client data across silos – or even to eliminate silos – for organizations and third parties will become crucial when it comes to fulfilling this requirement. With IoT, it is going to be extremely difficult for some organizations to have a single source of truth for all their customer data.

With May 2018 rapidly approaching, businesses need to be considering the impact of IoT and GDPR and the third party risk exposures for their enterprise. These issues should have visibility at the board and plans in place to understand and address them.

 

Related Content:

White Paper - CyberSecurity Regulatory Radar: Five Top Trends in Cybersecurity Regulation

White Paper - The Business Case For Better Third Party Risk Management

Executive Overview - The New GDPR: Taking A Strategic Approach To An Internationally-Focused Data Protection Rule

OCC Update Briefing 2017-7 - The OCC's Supplemental Examinations Procedures for Third Party Relationships Raising the Bar for Banks' Third Party Risk Management

Blog - Third Party Risk: Why Global 2000 Companies Should Be Focused on Third Party Compliance

Expert Series Podcast - Session 1 - GDPR & Why Organizations Need To Be Thinking About Third Party Risk

Request A Demo of Aravo Third Party Risk Management Solutions

Topics: third party risk management, Data Security & Privacy, GDPR, information security, cybersecurity, cybersecurity regulation, cyber-security, cyber risk, cyber regulation, internet of things, IoT