The Internet of Things (IoT), or the Internet of Everything, as some refer to it, is changing the world for businesses, governments, and consumers. Devices and services are increasingly connected to the Internet in real-time, 24/7.
This allows for the practically ubiquitous collection, storage, and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.
However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why privacy by design is a paramount business practice for companies engaged in the IoT space, as well as a consideration steadily more expected by consumers.
The Internet of Things Continues to Grow Exponentially
The IoT is a shorthand term for the interconnected environment in which previously offline, data-siloed objects can now continually communicate information with other objects and with people.
According to one estimate, the number of IoT-connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.
Consumer-focused, “smart home” devices are already fixtures in many retail outlets – think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats, lighting systems, etc.
The next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. There’s no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.
The Connected World Requires Pre-Conceived Privacy by Design
A recently released survey conducted by Ipsos on behalf of TrustArc/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context.
This is why privacy by design, or building privacy and security controls into a product or service at the outset of the planning process rather than as an afterthought, is imperative.
There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes privacy by design. In the context of IoT devices, it ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users.
Still, some issues should form the basis of any privacy by design assessment throughout product development, and these include:
Data Minimization
Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy laws mandate that only data relevant to the purposes for which consent was originally given may be processed.
And with the new EU GDPR exposing data controllers and processors to fines of up to 4% of global turnover for serious infractions, every organization should be mindful to collect only what is necessary to achieve its business goals (and in keeping with its disclosures and public promises).
Perform Privacy and Security Risk Assessments Throughout All Stages of Development
These complement an overall risk-based approach that includes, from the start, a full inventory of the type and variety of personal information collected, as well as an end-to-end understanding of data flows across the life cycle of any data.
As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.”
The SaaS-based Assessment Manager was designed with this in mind: it automates the privacy impact assessment process so that companies can efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an ongoing basis.
Use Security Hygiene Best Practices
Use secure transmission protocols and encryption for personal information both in transit and at rest. Build proper authentication controls and limit access and permissions.
Train company staff in privacy and data security best practices for using smart devices.
Vet Vendors and Partners
Privacy by design considerations do not end with the device manufacturer. They extend to the partners and service providers associated with the device maker.
Accordingly, IoT companies should embed processes to review third party providers’ practices as well as have contractual provisions in place that clarify responsibilities and liabilities before any product or service goes to market.
Transparency and Control
Organizations must be transparent with consumers about how their troves of data are collected and used, in easy-to-understand language and format.
This means up-front, accurate privacy statements; mechanisms for ongoing notice and choice (including just-in-time notices); conspicuous user privacy controls and dashboards; effective communication, beyond the design phase, of access options and recommended security updates; and respect for users’ preferences.
The Future of IoT Privacy by Design
As more devices, platforms, and infrastructure connect to the Internet in real-time, the most successful industry participants will regard privacy by design as an opportunity to demonstrate that they are worthy of consumers’ trust.
Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies operationalize privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation.
Also unclear are issues of interoperability in the IoT context, as well as the question of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives.