As most of the world starts to feel the looming imposition of the EU General Data Protection Regulation, there is a big push to understand all the implications. What type of data is covered? Who is liable for protecting it? And what exactly is meant by “state-of-the-art means” to protect data?
One question that worries me is “What about the data we don’t even realize we are collecting?” A data privacy audit is meant to systematically go through an organization’s departments, processes, apps and even suppliers to discover personal data and how it’s protected across various mediums. That implies that an organization knows its own processes. I predict that many organizations will find that they have a lot more data than they suspect. Either they will discover it themselves, or they will learn about it when the Data Protection Authority comes calling.
One example stands out: automobiles. For the last five years, most manufacturers have been racing to enhance the infotainment systems in their vehicles. The “connected car” has network connections, collects all sorts of data about driving patterns and location, and allows passengers to sync their mobile devices with their vehicles. Such systems let drivers place hands-free calls to anyone on their contact lists or play their favorite music directly from their devices. But how much of that data is transferred to the car? Many autos store all the contact info for every device that has ever been synced to the infotainment system. Some even have 80 GB drives on board to store all that data.
An automotive manufacturer or leasing company may very well find itself the inadvertent collector of private information for many of its customers and their passengers! How will these companies comply with GDPR? What if a customer calls and asks to have his data erased under the provisions of Article 17?
And what about car rental companies? Their problem is compounded by potentially hundreds of users leaving behind personally identifiable information on those systems. The number of EU data subjects certainly falls within the scope and intent of GDPR.
So car companies, leasing companies and rental agencies have a problem with inadvertent data collection. What other examples can you think of? Game consoles? Smart TVs? Smart meters? License plate scanners on toll roads? Medical devices?
Tools are needed to provide secure and verifiable erasure for a new generation of products, from cars to IoT. Best to think about it now instead of after May 2018, when the GDPR goes into effect.