While the IoT industry has been affected by the Covid-19 pandemic, its growth projections are still optimistic. By 2029, the global number of IoT connections will reach 5.8 billion.
This upward trend will mean more opportunities for IoT players worldwide, but is also bound to bring about new strategic challenges regarding the massive set of data generated:
- How will the unstructured data be preserved?
- In which format will companies restore this data?
- Will there be a unified cloud archive where data from distributed devices will be stored or will we have connected data centers? How will they communicate with each other?
- How will long-term IoT data strategies need to evolve to support new technologies?
- How ready is the IoT sector for ediscovery and litigation, and what about the data preparation costs?
These are just the top-of-mind questions that CIOs and CTOs need to answer going forward. And clearly, these don’t have a one-size-fits-all answer. Still, strategic consideration can help IoT companies navigate an increasingly complex regulatory landscape and lay the groundwork for compliant operation.
Where does data go?
One of the compliance issues that can prove particularly challenging for the IoT sector is the collection and presentation of all data generated across various sources.
Whether your company manages a fleet or provides smart healthcare services, all the data needs to be securely collected and preserved in an unalterable format, for later use.
Without going into the specifics of each piece of legislation that requires business information be kept for a predefined retention period, as a rule of thumb, it’s good to remember the following:
- All data related to your IoT products/services falls into the category of business data. This goes for your business emails as well as for any other means of communication and the data generated via smart devices. This means all this data needs to be preserved.
- Similarly, all this data needs to be available for later use, in case of ediscovery or litigation. We’ve already seen ediscovery cases involving IoT companies: in a 2016 court case, the company had to pay a settlement worth $1.5 bln for disclosing customers’ biometrics data.
- As a result, data must be preserved in a non-alterable fashion, together with its metadata. Only with metadata can your company prove the authenticity of its most valuable currency.
- Finally, your data repository needs to be impregnable. Given the nature of IoT work, you’re often dealing with highly sensitive information. Customers’ biometrics, location data and data generated on wearable technology are subject to lawsuits and stringent fines.
Data strategies for IoT companies
The competition is getting more fierce by the day for IoT companies. And this means that in addition to ticking all the functionality and customer appeal checkboxes, companies need to stay nimble.
On the opposite end of the spectrum lie data privacy laws, which, although they are starting to change more rapidly and becoming broader in scope, still lag behind the advances in IoT technology.
One way to reconcile these differences is the adoption of a data strategy from the get-go. Now, this might sound abstract and, truth be told, it is. Not to mention that it is another task on a large pile of tasks that you already need to sort out.
Staying in the domain of strategic planning, while each data strategy will differ, there are some guidelines to make it worthwhile for your IoT business.
First of all, your data strategy will be evolving alongside your product. In a world of iterative and incremental development, fast shipping and constant customer feedback, it’s impractical to prescribe a thorough data strategy that will be set in stone. Instead, it needs to be fluid and should describe how you develop your product and manage data, with key guidelines that will help you stay compliant.
In short, this data strategy needs to include:
- The type of data produced, along with its format, metadata, data sources and where it will be kept
- Who has access to which data and how data in your company is generally managed
- Procedures and guidelines on how data is used and for which purpose
- Roles responsible for data safekeeping and the scope of their responsibilities
- How data is to be stored and retrieved, and security guidelines for anyone working with the data
- How customer data requests and potential legal proceedings are handled
- How data should be analyzed and how you analyze it at the moment
- The costs of collecting, preserving and disclosing the data
- The tools that will allow the recovery and collection of smart data
Ediscovery and litigation
The regulatory landscape is starting to catch up with the IoT sector, and smart devices could soon become the focal point in many ediscovery and legal dispute cases.
We’ve seen fitness devices used in murder discovery cases, though there is still a long way to go before the reliability of such data is undisputed. Geolocation data has been used for contact tracing, and personal healthcare wearable devices are handy in providing historical data of a patient’s health. But what about managing this data in case of ediscovery and litigation?
In the most common scenario, when you receive an ediscovery request, your legal team will need to place a legal hold on an account or records, meaning that as of that point the data in question cannot be altered in any way.
Second, you will often need to collect all the data pertaining to a case and prepare it for disclosure in a required format. All of this needs to be done within a relatively narrow time frame (narrow due to the sheer volume of data, exacerbated by the number of devices this data is generated on).
Now, what does this mean for your IoT business? Well, often the data generated via smart devices is transferred to cloud locations in order to accommodate the volume of data. Once the ediscovery request comes your way, your legal team would need to place a legal hold and start to comb through the data and accounts in order to prepare them for disclosure.
This can prove particularly laborious if you lack any of the points from the suggested data strategy. And even then, it might take a lot of time and resources to ensure full compliance with the request — including all the data, in the right format, without infringing the privacy of parties not involved in the case.
It’s clear that there’s no easy way to do this, but one general direction can make a difference: constantly work on your data strategy, keep it up-to-date and ensure there are people specifically responsible for data strategy. In case of a potential pitfall, this will help save not only your data but your reputation as a trusted IoT provider.