What does International Data Protection Day mean amongst the growth of connected devices?

华睿泰视角 January 27, 2022

In its fifteenth year, International Data Protection Day, or International Data Privacy Day for those outside of Europe, is held each year on January 28th to raise public awareness of data privacy.

Back in 2007, when the Council of Europe (an international organisation founded in the wake of World War II to uphold human rights) first decided to mark the occasion, the world of technology and data was a very different place. At the time, cloud computing was starting to emerge in the mainstream however, some of us were too busy to notice. Instead, we were captivated by the newly launched first-generation Apple iPhone. At that time, I was discarding my company-issued iPAQ and the seemingly ubiquitous Palm Pilot for a shiny new Blackberry. They joined the growing piles of abandoned corporate PDA devices in offices around the world.

As I reflect on the evolution of personal devices and read the news from the annual Consumer Electronics Show (CES) of new and upcoming tech products, it strikes me that data has become the core driving factor in our lives in a relatively short period of time. This is particularly true of our personal information used to identify us as unique individuals.

Today we rely on connected devices for everything from keeping our digital banking secure to managing our households via various smart devices and looking to our wearable devices to maintain a healthy lifestyle. While I am yet to be convinced about the benefits of biometric facial recognition to use my refrigerator, the interconnected nature of these devices means that they likely know more about you than your partner, family, or close friends.

Despite the premise that many of the CES devices aim to provide a unique user experience built upon the provided personal data, it appears many manufacturers struggle with data privacy. In particular, the necessity for embedding Privacy by Design and Default, a methodology that promotes and embeds privacy across the entire information lifecycle.

When the world was just starting to contemplate the possibility of a global COVID pandemic, critics highlighted the lack of consumer data privacy at CES 2020. Individuals are still being asked to provide excessive personal data to enable devices against the emergence of new robust privacy laws such as the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).  Fast forward two years later, nothing much appears to have changed as Privacy regulators demand that manufacturers step up and comply with their privacy obligations.

In many ways, the growth of connected devices and the Internet of Things (IoT) ecosystem has been dependent on the increasing availability and affordability of cloud storage and accelerating network speeds. The rollout and adoption of 5G networks are expected to drive IoT device adoption to new levels—3.2 billion connected IoT devices by 2023. One consequence of this may be that the in-life management of personal information becomes a backseat consideration as manufacturers make their primary focus attracting and retaining customers at the expense of truly managing their increasingly complex consumer personal data stores.

We know a lack of management oversight allows personal data stores to go unmanaged and decay, meaning that there is a strong possibility that the necessary adequate technical and organisational controls to ensure data compliance are ineffective (or worse: absent), allowing privacy risks to propagate unseen. An incomplete understanding of personal data stores means basic compliance questions—what (data) it is, why we have it, where it is, how it is secured, and who has access—become increasingly difficult and potentially costly to answer. This is especially true in the growing interconnected IoT world where the increasing complexity and the sheer number of devices offer increased opportunities for a threat actor to gain unauthorised access to an enterprise environment and set in motion the conditions for a future data breach.

At Veritas, we believe that only by gaining a holistic view of your enterprise data, both on- and off-prem, can you understand your environments and develop the knowledge to better help manage your associated privacy and broader data risks. Having a deeper insight reduces complexity and organisations can pre-empt and mitigate data risks before they materialise into incidents, and make faster, better-informed decisions around how they manage their data more generally. This is in direct contrast to those organisations with a myopic view of their data. Their failure to recognise the risks that unmanaged data creates will inevitably drive non-compliance and ultimately regulatory breach reporting as risks materialise into incidents.

Today, I wish you a very Happy International Data Protection/Data Privacy Day. May this be the year your organisation manages its data stores with true insight and understanding to minimise your data risks. And if you’ve got a biometric facial recognition refrigerator, please drop me a line and tell me why.

Mark Keddie
Director, Legal
Veritas Office of the General Counsel