Feature Article

December 11, 2017

Privacy and Compliance: The Next Big IoT Challenge

While securing the IoT against botnet attacks, cybercriminals, IT administrative errors, and more has been an area of increasing concern and active analysis, including by this publication, IoT developers, vendors, solutions providers and followers may be missing the next big thing: privacy.

Kabir Barday, CEO of OneTrust, a rapidly growing company specializing in the management of privacy and protection of consumers and the businesses who serve them, this week at Gartner’s IAM Summit, shared his insights on what could be a tsunami of impact on the IoT industry that many may not have seen coming.

Barday, who is an expert in privacy policy, technology and regulatory movements around the world, suggests that while the imperative to secure the obvious healthcare, banking, web, mobile and e-commerce applications is well understood, implementing privacy in a world of hyperconnected things is only now coming into view. This is an awareness Barday is working to raise, and for very good reason.

“The GDPR will massively impact IoT, M2M, AI, and machine learning as much as it will more mature technologies,” Barday said. GDPR is the European Union’s legislation driving heightened standards for the collection and processing of personal information of individuals within the EU. The Regulation covers all global companies dealing with EU citizen data and sets out principles for data management and rights of the individual, requiring companies to undergo significant operational reform to meet increased obligations.

Adopted by the European Parliament in July 2016, and entered into force the following month, the Regulation gives Member States until Spring of 2018 to apply the standards in their national laws, and half a year more to identify those companies who will supply essential services.

While the GDPR provides a legal means to dramatically upgrade the overall level of cybersecurity across the EU, and protect the privacy of citizens and businesses, companies across industries are scrambling to meet the legal measures and technical requirements of the Regulation – or face serious fines.

Requirements include methods for structured sharing and exchange of information, incident notification, technical and organizational information system risk management and more, and those requirements come with the imperative to put privacy policies into place, be able to report and manage, and comply with audits.

In the world of more mature applications and platforms, companies have become accustomed to responding to regulatory requirements in their headquarters countries and in the countries they do business with. But when it comes to the relatively nascent IoT, we will soon be grappling with a wilder wild west, in which everything from consumer wearables to smart thermostats, digital doorbells, smart cars, and the exploding number of personal assistants like Alexa and Siri will need to be secured.

As the challenges mount for governments, organizations, enterprises and consumers to keep data, information, critical infrastructure and the systems that impact daily lives safe, risk management is becoming more complex and expensive, and IoT with its “power of N” endpoints will add more layers of complexity and risk, a topic Barday is passionate about addressing up front.

“We’ve been active for many years in meetings, supporting the demands GDPR and other similar privacy regulations and initiatives are creating,” Barday said. “IoT always has been a big area of discussion, with an increasingly intense focus, including the relationship of connected things and the artificial intelligence and analytics that go along with it. People know there will be a massive impact technically and economically, but few understand prescriptively how.”

Privacy regulations are not new. There are over 120 countries with privacy regulations in place today, including in the US where those regulations are largely segmented by sector (healthcare, financial services, payments, e-commerce and the web generally). What’s different in 2018 is the extremely detailed nature of the regulations and huge fines that will be imposed.

For example, if a subsidiary of Alphabet does not comply with the new regulations, its parent company can be fined up to 4 percent of total annual revenues. For Alphabet, one fine could be as high as $800 million, assuming Alphabet continues to hover around $20B in revenue annually.

The good news, according to Barday, is that most privacy principles across the 120 countries are common:

  • Minimize the data you collect
  • Make the information available
  • Give people a choice

Until now, companies have been able to manage privacy policies by updating them on websites and in other disclosures, saying they are following these principles. But according to Barday, “New privacy laws completely change this. There is a huge – tectonic – shift underway and IoT companies, manufacturers, systems integrators, solution providers and even the companies who simply provide connectivity need to be very aware and start planning now.”

  • To avoid legal damages.
  • To qualify to trade and otherwise conduct commerce in regulated regions.
  • To enhance their own brands, whether they are directly interacting with consumers or are just part of an infrastructure, as the liability extends as a “daisy chain” Barday describes as highly interconnected and impossible to avoid.

Barday laid out five “brace for impact” areas for the IoT industry:

  1. GDPR is going to have a major user experience impact in IoT. It requires companies and their products to interact with their customers (“data subjects”). Any smart product company will be required by law to give choices to customers. Products will ship with an “OFF” default, and will require that end-users opt in for any possible collection of data. Additionally, the interface and communications journey must be simple and easy to understand, must be provided in visual language (using icons, for example) and make “consent and notice” prominent. “Smart products are not like smart phones or laptops. There is no screen, for example, to display the consent and notice content, so look for companion apps in iOS and Android that connect with the smart product and enable the consumer to agree and opt in (or out) via a digital conversation associated with the device.” Alexa is already providing this as she explains the rules, while other providers are considering sending messages over email or text. Regardless of how this may be handled technically, it is an additional burden and business expense.
  2. “There are a lot of very creative and interesting models around IoT,” Barday said. He referenced advertising-based business models, for example Dash buttons. “In the near future, the selling of information between companies will be regulated and new barriers to get people to opt-in may become so high that certain models will require total reconstruction.” If companies have based their economics on an advertising model and are dependent on data that people may not want to provide and can easily opt out of, start-ups and their investors could suffer.
  3. Related, Barday sees major disruption to business valuations in the IoT category. “An IoT company’s valuation could drastically diminish, because there is so much data IoT companies collect and this is often very sensitive data.” According to Barday, VCs are becoming increasingly aware of this risk and are including privacy management in their due diligence processes.
  4. IoT companies will need to confront the cost issues associated with staffing implications as well. “IoT sensors and applications can collect such sensitive data that this will trigger clauses in the GDPR requiring them to hire a Data Protection Officer (DPO) for compliance with GDPR. Based on the new legislation, if the company doesn’t like what the officer says, they cannot fire that person; if the company didn’t listen to the DPO, the fines will be higher.” Barday went on to say that it is difficult to find qualified DPOs, which drives salaries up and requires additional funding.
  5. “These regulations are very healthy for consumers, but will result in huge unanticipated overhead for IoT companies attracting those consumers – operational, PR, product development. For example, given data portability requirements, Apple will be required to make data they collect available to a Fitbit if the consumer decides to switch.” The cost of ensuring personal data is portable from one wearable device to the other – more complexity, more cost.

In summary, Barday cautioned that everything connected will become VERY transparent, and that consumers will be able to lodge complaints, engage in class action lawsuits, and cause massive PR headaches for companies who don’t manage this “new reality.”

OneTrust is backed by the founders of Manhattan Associates (NASDAQ: MANH) and AirWatch and serves more than 1,500 organizations with data privacy compliance software. With the GDPR enforcement date set at May 25, 2018, non-compliant global organizations could be fined up to 4% of worldwide revenues for improperly collecting, using, or disclosing personal information on employees or customers.

Edited by Ken Briodagh
