The Privacy Pro’s Guide to the Internet of Things
Recent stories about smart fridges being hacked, cars knowing our intimate secrets and energy companies predicting what we are having for dinner—OK, I made that one up—highlight the fascinating challenges that the Internet of Things (IoT) is set to bring. More fascinating, however, is the fact that addressing and successfully dealing with these challenges in a way that the opportunities are fully realised at the same time that our privacy is properly safeguarded rests with today's and tomorrow's privacy professionals.
The privacy issues raised by the IoT will test our skills in the same way that more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone's benefit. Here are some tips on how we may be able to handle the IoT revolution:
- Notice: Probably known as the number-one responsibility for any user of personal information, telling individuals about how their data will be employed in an IoT context throws in a few twists. What kind of privacy notice can a toaster provide? How often will our car remind us that it knows where we are? How politely can a running jacket tell me that I'm just trying too hard??? Privacy pros will need to be at their most creative to provide any kind of meaningful notice in this new environment. In the absence of universally understood icons—probably a few years away—our priority will be to identify the most appropriate points of interaction to get the right messages across.
- Purpose limitation: Linked to the above, it will demand a fair amount of creativity to think ahead of all possible purposes for which personal IoT data will be used. Here is where the level of interaction between the privacy pro and the rest of the organisation is absolutely crucial and needs to be nailed down. Close communication between the privacy folk and the business folk will be paramount going forward, so we might as well start to lay strong foundations now.
- Proportionality: In addition to good communication with the rest of the business, privacy pros need to develop a sense for where the “creepy line” is. This will be more effectively done if lawyers, regulators and privacy officers on the ground are able to listen to each other and take on board everyone's point of view. Data uses are a moving target, but each organisation and sector needs to establish where any such uses go too far and risk invading people's privacy in an unjustified way.
- Data accuracy: One of the advantages of the IoT is that the information generated is probably more personal than that generated by, say, a family computer. However, whilst this may help with the accuracy of the data collected, we must not take it for granted—particularly when decisions are made in a way that affects specific individuals. The answer has to be spotting the necessary points of identification of a given individual to ensure that any decisions made are indeed based on correct and up-to-date information.
- People's rights: People's ability to access and manipulate their own data is set to grow—and this is not just due to European public policy attempts to strengthen individuals' data protection rights. The IoT presents a great privacy opportunity in this regard. This is an area where privacy pros can truly demonstrate their value by helping their organisations make their offerings more trusted and welcomed by individuals. Here is the real win-win-win: People will be more in control of their data than ever; organisations will reap the benefits, and privacy pros will be the heroes of the day.
- Security: Here is where the battle will be won or lost, I'm afraid: At the moment, we are just about managing, but with greater dependence on data, our vulnerabilities will increase. So in relation to IoT data security, it really is a matter of all-hands-on-deck. Technologists will have a massive role to play deploying encryption, tokenisation or any other possible means of pseudo-anonymisation. But much of the burden will fall on service providers who will need to show beyond any reasonable doubt and on an ongoing basis that appropriate measures to protect the data are proactively being applied.
The IoT is developing at breathtaking speed. Privacy pros of all flavours and backgrounds must up-skill ourselves to take on these issues, which may not be entirely new but are starting to manifest themselves in ways never seen before.
About the Author
Eduardo Ustaran, CIPP/E, is a dually qualified English solicitor and Spanish abogado based in London and an internationally recognised expert in privacy and data protection law. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading individual for data protection by Chambers UK. Ustaran is also the author of The Future of Privacy, a book aimed at reshaping the global debate around data and privacy. Ustaran advises on the impact of EU data privacy law on the operational activities of all types of organisations and has assisted data protection regulators from different countries to align their positions and interpretation of the law. He is editor of Data Protection Law & Policy and a member of the panel of experts of DataGuidance. Ustaran is co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.