Five privacy linchpins
What could an IoT privacy framework look like? I think five core tenets would address the main risks and fears enumerated above.
1. Tested security. It’s one thing to adopt a set of security controls like the Payment Card Industry Data Security Standard, designed to reduce credit card fraud. It’s another thing for those controls to prevail in a sophisticated penetration test. The IoT would need to set the bar at this higher level to earn maximum user trust.
2. Data minimization. IoT components should maintain default settings that use the minimum amount of personal data to perform their service. Minimum can mean minimum types of data fields collected and exposed to other devices as well as minimum periods of data retention.
3. Controlled and transparent disclosure. Law enforcement and national defense around the world will seek to pursue their legitimate objectives within the IoT. Virtually every industry will seek to track or analyze their end consumers as they move through the system. Trust in the whole enterprise will collapse, however, if these pursuits are not counterbalanced with reliable disclosure controls that are proportionate to the identified threat, and widely known and understood.
4. Data portability. Users won’t want any one node of the IoT ecosystem to accumulate too much power by storing data in its own proprietary format. To bolster trust in the entire system, adopt a common data format that allows users to port their data from one platform to the next.
5. Right to be forgotten. The IoT should be safe for the most vulnerable in society: children, victims of crime and the poor. To protect their safety and thereby make the IoT the largest possible marketplace, enable users to completely opt out by being able to withdraw their data.
After reading these, marketers may be thinking, “Our consumers and customers aren’t asking for these features.” Product designers are probably saying, “I don’t know how we’d do all that,” and lawyers are adding, “We wouldn’t back this until we could do it.”
If IoT providers want to crack the European market, however, it’s going to be a lot cheaper to design these features in ahead of time instead of waiting for the new EU General Data Protection Regulation (GDPR) to mandate them. The GDPR includes requirements such as “data protection by design” and the “right to be forgotten.”