Digital transformation is often enabled by the proliferation of smart devices that connect and communicate with each other and with centralized processors to bring environment and usage information together in real time. This Internet of Things (IoT) not only includes personal consumer devices like smartphones, smart watches, home security cameras, and electronic personal assistants but also a plethora of scanners and sensors utilized in diverse industries. IDC forecasts spending on the IoT will reach $745 Billion in 2019. Data collected through IoT devices is enabling organizations of all types to gain real-time insight into operations, improve their business processes, and find new revenue streams as they connect more directly to their consumers and their field activities.
The opportunities brought forward by the boon of information brings with it some interesting challenges, not the least of which is the protection of individual privacy. Consumers don’t always consider the degree to which they are exposing their daily activities through the introduction of these devices they carry with them, or install in their homes, automobiles, and workplaces. Employees often have no choice but to be monitored throughout their workday as the eyes and ears of IoT cameras and sensors record their activities.
Organizations wishing to capitalize on the opportunities of IoT must take the protection and proper handling of this vast amount of information seriously. Unless it is designed in from the beginning, privacy protections can be difficult to get a handle on; this includes protection of the organization from compliance issues.
The primary considerations for privacy protection include:
Collection practices – Organizations must decide what information they are going to collect and properly classify. Information that falls under the protection of regulations, such as the European GDPR or California’s CCPA, should be identified immediately and properly labeled and controlled. Unstructured data that is collected must be analyzed and properly vetted for potentially sensitive information. Best practice would be to model the data thoroughly, determine what is valuable within the context of the effort, and collect only that which is deemed useful and manageable. This might include aggregating the information to retain its value to the organization, but de-identifying the individuals to eliminate or reduce privacy concerns.
Control of Access to data – Securing access to information in an IoT-based process can be challenging due to the widely distributed nature of the devices across many different environments and is the responsibility of the collector as well as any downstream organizations the information may be provided to. Organizations that use third-party services for collection, transformation, or analysis must ensure that the data is being properly protected throughout its lifecycle, including on the collection devices themselves, across the public networks on which the data often travels, and within the organization’s own processing facilities. The National Institute of Standards and Technology (NIST) is developing guidelines for securing IoT devices as a part of its NIST CyberSecurity Framework initiative. Proper access control includes making wise decisions about what data is retained and for how long.
Transparency of Use / Consumer Notices – Regulations require that individuals be informed as to how their personal information may be used. In many cases, they must be given the opportunity to allow their data to be collected, retained, or used in certain ways. Consideration of these restrictions in the design helps to ensure that notices and consents are properly crafted and gathered at the appropriate time in the process.
The challenges of protecting privacy within an IoT digital transformation can be significant. Advances in computing capabilities often make it more complex while also providing new ways of dealing with the challenges. Edge computing and analytics for example, provide organizations with the ability to gain insight and derive value from the data without having to transport and protect as much of the data into centralized processing facilities.
Protection of the data at the edge can nevertheless be more complicated and harder to manage. By distributing the processing, the work of consistently managing and enforcing data collection and handling policies also gets distributed. In another example of advanced capability, artificial intelligence and machine learning is being used by networking vendor Cisco and others to develop methods for detecting vulnerabilities and security risks within encrypted data streams. This enables the protection of the confidentiality and privacy of the data through encryption without having to decrypt it in order to determine if malicious or improper activities are included.
Consumer and employee privacy protection has become a significant obligation for organizations doing business in the digital economy. At infoedge, we offer expertise and services that can help you design and plan privacy protection as a key component of your IoT initiatives and help you identify the value and opportunities provided by IoT technology to your digital transformation.