As the Internet of Things (IoT) evolves, it will offer organizations the opportunity to create an unprecedented range of products and services. By embedding internet connectivity into the computer systems inside cars, appliances, and other physical things, manufacturers will be able to offer new functionality as well as additional services. Smart homes and connected cars are already on the consumer market in many countries, and the applications for this technology in a business-to-business environment are equally promising.
The IoT rests on using the data that IoT devices generate to shape further engagement. For example, an IoT-enabled television creates data about what is being viewed and when. For the user, this can be valuable: the device can suggest programming, or automatically record things it knows its users watch. That data can also be combined with information from other sources (area socio-economic data, for example) to build a generic user profile for a neighborhood, which can then be sold to marketing companies keen to understand the dynamics of their audience. A TV manufacturer that did not get user permissions right was recently fined in the US for doing just this.
For some opportunities, organizations may wish to partner with third parties, for example when delivering a new service that is related to a product but falls outside their core competency. An example might be a concierge service for a car, built on the data the car sends back via the IoT. Other organizations may vertically integrate or evolve, acquiring new types of operations to help grow an IoT-based offering. Such expansion will most likely bring them into relationships with new third parties as well.
Other organizations may not immediately recognize the applicability of the IoT to their industry; these are, after all, early days. However, they still need to be aware of the IoT because their third or fourth parties may be using IoT devices, consciously or unconsciously, to manufacture products or deliver services on behalf of the organization. Ordinary office equipment, for example, may already have IoT devices embedded in it.
And so, with opportunity comes risk.
A recent study by the Ponemon Institute, "The Internet of Things (IoT): A New Era of Third Party Risk" (May 2017), conducted in association with Shared Assessments, found that:
- 94% of respondents believed that an IoT incident could be catastrophic for their organization
- 78% of respondents believed that loss or theft of data could be caused by IoT at their organization
- 76% of respondents believed that a cyber-attack could be executed through IoT at their organization
Added to the layers of risk associated with the IoT is new and encompassing regulation in the form of the EU General Data Protection Regulation (GDPR). While organizations in all jurisdictions need to be aware of the risks the IoT may pose, those exposed to the GDPR need to be even more thoughtful about the impact the IoT may have.
Below are three key risks that organizations, and in particular those governed by the GDPR, need to keep in mind as they approach the new era of the IoT.
The GDPR explicitly introduces a general mandatory breach notification regime. When a personal data breach occurs, the supervisory authority must be notified within 72 hours of the organization becoming aware of it, and the affected individuals must also be notified when the breach is likely to result in a high risk to their rights and freedoms. With the IoT weaving personal data into the very fabric of goods, services, and companies, organizations and their third parties are exposed like never before.
Related to this is the GDPR's requirement for "data protection by design and by default," commonly referred to as privacy by design and privacy by default. Much of the data an IoT device creates will have to be treated as personal data, because it can often be linked to an identifiable individual even when it is not explicitly tied to the registered owner of the device (device identifiers, network addresses, and usage patterns can all make a person identifiable). This means that data must be handled as personal information in the way it is gathered, stored, and processed. All products and services will need to be designed from the outset to take these requirements into account, which could be a difficult task, made even more complex by the presence of third and fourth parties.
With the GDPR's application date of 25 May 2018 rapidly approaching, businesses need to be considering the combined impact of the IoT and the GDPR on the third party risk exposures of their enterprise. These issues should have visibility at board level, with plans in place to understand and address them.