May 25, 2018, will certainly stay in the minds of CISOs and data
managers around the world for some time to come. As of that date,
companies had to be compliant with the EU General Data Protection Regulation
(GDPR). The focus of the regulation is to give individuals in the European
Union (EU) greater control over their personal data. In practice, this means
much greater accountability for the businesses handling, processing,
managing, and storing a person's data. The regulation is far-reaching, as it follows
the data. Personal data can be the obvious (e.g. name, address, username, ID
number, race/ethnicity, genetic data, photos, and banking details). It also covers
any data that can be used to identify you directly or indirectly. For the latter,
this may be an IP address, a cookie identifier, and other data points.
There are volumes of articles on GDPR, the fines, and how
the regulation applies to the enterprise. The issue not explored nearly as much is its
application to embedded systems. These are present in equipment and machinery
used globally: cars, trucks, farm equipment, and many other products. These
systems also come with various apps for the user's experience.
Data
For this article, we will not be focusing on who or which
entity owns the data. This topic is reserved for law review journals. The GDPR
is rather clear that the personal data generated by the vehicle is the data
subject's to control. While this appears clear, there still may be issues. Connected
vehicles collect a mountain of data now, and this is going to increase substantially
as time passes and the vehicles become more complex. The regulation applies to the
user's data within the vehicle's infrastructure, handled by its processes, and
uploaded to the cloud. While the volume of data collected is substantial, much of
it relates directly to the vehicle's operation. This data is vital and has many uses,
including predictive analysis (e.g. maintenance). Because the data matters for the
vehicle's operation and for that analysis, it holds real value. To keep the environment
secure, the infrastructure would need to be hardened and the data encrypted in
transit and at rest, at a minimum.
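Encryption is the minimum named above. The GDPR's other building block for a data set like this is pseudonymisation: the fields that identify the vehicle or the driver are replaced by tokens that cannot be mapped back to a person without a secret held separately, while the operational fields stay usable for analysis. The example below is added here to illustrate that split; it is not code from the original article or from any vehicle manufacturer. It uses only the Python standard library, and the record layout (vin, driver_id, ip, speed_kmh, engine_temp_c) and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, List

# Fields that identify the vehicle or the person, directly (VIN, account ID)
# or indirectly (IP address). Everything else in a record is treated as
# operational data and passed through unchanged. The field names are assumed.
IDENTIFYING_FIELDS = ("vin", "driver_id", "ip")


def pseudonymize_value(value: str, key: bytes, length: int = 16) -> str:
    """Keyed HMAC-SHA256 of an identifier, truncated to `length` bytes, as hex.

    A keyed MAC is used instead of a plain SHA-256 because VINs and IPv4
    addresses come from small, enumerable spaces: without a secret key an
    attacker who obtained the pseudonymized set could rebuild the mapping by
    hashing every candidate identifier.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return mac[:length].hex()


def pseudonymize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of `record` with identifying fields replaced by tokens.

    The same identifier under the same key always yields the same token, so
    records from one vehicle can still be grouped for fleet analytics.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(str(out[field]), key)
    return out


def build_lookup(records: Iterable[Dict[str, Any]], key: bytes) -> Dict[str, str]:
    """Token -> original identifier table.

    This is the 'additional information' the GDPR expects to be kept
    separately from the pseudonymized data, under stricter access control,
    together with the key. Re-identification is possible only with it.
    """
    table: Dict[str, str] = {}
    for r in records:
        for field in IDENTIFYING_FIELDS:
            if r.get(field) is not None:
                table[pseudonymize_value(str(r[field]), key)] = str(r[field])
    return table


# Constructed sample telemetry records; not real vehicle data.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"vin": "WVWZZZ1JZXW000001", "driver_id": "acct-1042", "ip": "203.0.113.7",
     "timestamp": "2020-06-01T08:15:00Z", "speed_kmh": 47, "engine_temp_c": 89},
    {"vin": "WVWZZZ1JZXW000001", "driver_id": "acct-1042", "ip": "203.0.113.7",
     "timestamp": "2020-06-01T08:16:00Z", "speed_kmh": 52, "engine_temp_c": 90},
    {"vin": "WVWZZZ1JZXW000002", "driver_id": "acct-2210", "ip": "198.51.100.23",
     "timestamp": "2020-06-01T08:15:00Z", "speed_kmh": 0, "engine_temp_c": 61},
]


def demo():
    """Pseudonymize the sample set with a fresh random key and build the lookup."""
    key = secrets.token_bytes(32)
    pseudo = [pseudonymize_record(r, key) for r in SAMPLE_RECORDS]
    lookup = build_lookup(SAMPLE_RECORDS, key)
    return pseudo, lookup


if __name__ == "__main__":
    pseudo, lookup = demo()
    for r in pseudo:
        print(r)
    # Re-identification works only for whoever holds the separately stored table.
    print("record 0 belongs to VIN", lookup[pseudo[0]["vin"]])
```

Rotating the key (for example, one key per reporting period) unlinks records across periods, which is the right property when the purpose is fleet analytics rather than tracking an individual driver over time; keeping one long-lived key preserves linkage and therefore deserves the same protection as the raw identifiers.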
Why is this important?
Data related or identifiable to a person is their personal data. It
describes their life. The data could be used for malicious purposes: to track people
who have done nothing wrong, to predict future activities (i.e. where they probably
will be on a certain day and at a certain time), and other inappropriate uses. This
data, while held at the company, would remain a target for attackers. Beyond the
ethical problem, there is a more direct disincentive for companies that mishandle
this data. For each GDPR breach, there can be a fine of up to €20M or 4% of annual
worldwide turnover (revenue), whichever is higher. Recent fines include €830k to BKR
(Netherlands), €600k to Google (Belgium), €50M to Google (France), £99M announced against
Marriott International, and £183M announced against British Airways. These amounts
are significant. Even if only a portion of these fines is ultimately paid, the amounts are
still enough to get the attention of anyone in finance and the Board.
Vehicle Application
Vehicles collect and hold an enormous amount of data. Part of this
data is the user's data, which is private and confidential. The additional data
the vehicle collects could also be used to identify the user. Based on what is
currently done with the vehicle's operational data, the GDPR does apply. The next step
is to determine the responsible party. *This article should not be used as legal advice;
please seek your own legal advice from a qualified, licensed attorney.* For a clearer
understanding, we need to clarify a few aspects: the purpose for which the data is
collected, how the data is collected, and whether one party or several control the
data (the controller and processor roles the GDPR defines). These questions are
designed to bring the broad issue down to a reasonable level of analysis.