Within the EU alone, the number of connected devices is estimated to increase from approximately 1.8 million in 2013 to almost 6 billion in 2020. (IDC and TXT Solutions (2014), SMART 2013/0037 Cloud and IoT combination, study for the European Commission.) The related data already collected already constitutes an enormous quantity. It is forecasted that the quantity of data will continue to grow by 40% a year over the coming 10 years, reaching approximately 44000000000000 gigabytes (44 Zettabytes) in 2020 (World Economic Forum). It is IoT which causes the exponential increase.
In other words the society is already data driven and we are all digital by default. The marketplace became transatlantic.
The marketer sits behind those data and companies of all sizes and from all sectors of the economy are involved to make connected devices cyber secure: manufacturers, service providers, and standard-setting bodies.
The individual becomes the center, or better said, the interface between a network of internet connected objects. The quantity of data is growing through IoT exponentially: it comes from everywhere, but especially we ourselves create it through our interactions with Internet driven objects. This data contains highly detailed information about the interests, networks, habits and the behavior of you and me as individuals. We will use, are using, them to manage our health, run our home, travel, drive and improve our quality of life in new and innovative ways. Businesses will benefit from more efficient systems to provide better service to their customers.
The General Data Protection Regulation (GDPR) will require businesses and, more specifically, IoT providers to implement new methods and technologies for the protection of personally identifiable information and security. The new GDPR clearly provides for two new principles which need to be taken into account when manufacturing products: “Privacy by design” and “Privacy by default”.
- Privacy by design requires that privacy protection is built in when developing new products, services and system, and that it is not added only afterwards.
- Privacy by default provides that privacy-protecting options are activated by default. Users then have to actively select less-privacy-friendly settings. For instance, in an application in which private data can be shared with other users, this option must be switched off as a less privacy-protective choice. Users must actively and consciously turn it on.
In parallel, the Network and Information Security (NIS) Directive aim is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Industry and government must work collaboratively to drive the use of privacy- and security-by- design practices.
Member States will have until May 9, 2018 to implement the NIS Directive whilst the GDPR becomes applicable on 25th of May 2018. It comes all together.
A policy climate that focuses on managing risk, not blocking change is needed. As the greatest vulnerability of IoT is human error or lacking practices of cyber hygiene, (clicking on phishing links etc.), there is a need to increase awareness among consumers about cybersecurity. In parallel small and medium sized enterprises should be encouraged to implement best practices introduced by their more sophisticated peers in government and industry.
Marketers, developers, manufacturers need to “connect” in this battle to further coherent solutions to manage the risks inherent to devices.
Technology is not privacy-neutral anymore.