Industry Thought Leadership

Redefining Data Rules for a Data-driven Business Environment

February, 2017
Andrea Faggiano
Partner and Head of SASCAR (Strategic Advisory Services for Competition and Regulation)

Co-Authors Rajesh Duneja

Rohit Sethi

Arthur D. Little

Pressing need for data management
A key lever for innovation and overall value generation within the IoT ecosystem is gathering, processing, storage and sharing of data. However, to ensure that such data sharing protects the rights of all users as well as preserves national security, it is important to provide regulatory clarity for overall data management in a clear, consistent and responsible manner. In the past, regulators have addressed data privacy and security issues with telecom operators but with IoT the problem is bigger and more complex. The stakes are higher with IoT devices capturing and sending out a range of sensitive data such as individual health status which is of interest to insurance providers, or status of the national energy grid, which can be processed in remote locations in a cloud to generate strong analytical insights. At present, most of the policy makers do not have clear stands and are beginning to contemplate introduction of new regulations/ legislations.

Ideally, there is a requirement for strong national data protection regulations/ legislations to be in place in every country, which make it clear to all IoT ecosystem stakeholders on how to manage data along its lifecycle, that is, from collection to erasure. Once such guidelines are in place, businesses can draft contracts with their users in a way that all involved entities adhere to the stipulations. Given that IoT service providers offer global services using common platforms, it would be preferable that policies and legislations developed by various countries are aligned as much as possible so to avoid conflicts that can be detrimental to the growth of the IoT ecosystem.

Regulators are slow to respond
Many developing countries have very few data management regulations and advanced nations have regulations that were developed for specific use cases such as protection of individual creditworthiness information however, they are inadequate for IoT applications. The European Union in April 2016 published “General Data Protection Regulation” (GDPR) (Regulation (EU) 2016/679) on protection of natural persons with regard to processing of personal data and on the free movement of such data. This regulation provides an extensive overview of considerations involved in drafting such regulations and generally accepted principles around the same. The regulation will enter into application in May 2018 after a two-year transition period.

Key aspects to be addressed
There are four aspects in data management that are key from an IoT requirements perspective and are required to be addressed:

Data classification: This is the first step in a comprehensive data management process and is a key input into how different types of data can be handled. A commonly used consideration for data classification is the adverse impact that can be created in case of a confidentiality breach or uncontrolled disclosure of data.

Data ownership: In addition to data classification, the other determinant into designing an appropriate and adequate consent administration is data ownership. Clear assignment of data ownership is a challenge that is becoming more prominent in the IoT world. To cite an example, if a car records its performance and usage statistics, who would be the rightful owner of such data, the car manufacturer or the individual owning the car? As a commonly accepted guideline, as long as a natural person can be identified directly or indirectly by means of combination of different types of data, the data gets classified as personal data. In case the data refers to a private entity by means of its usual business, and is sufficiently decoupled from personal data of any individuals involved in its generation, the data is considered to be owned by business/ enterprise.

Consent administration: Seeking an informed consent from the data owner is a key requirement for all kinds of data processing starting from data gathering all the way to erasure of the data once the processing has been completed. A common best practice is to vary the degree of consent sought along explicit opt-in, explicit opt-out or no consent to be administered based on a logic that is a function of a combination of data classification and data ownership.

Data storage: This covers aspects such as the duration for which data can be stored, the type of data that can leave or not leave the country borders for processing, and eventually the erasure of data (‘right to be forgotten’). Not many countries have drafted clear regulations on this yet. While some countries are liberal with cross-border transfers of personal data, some others allow such transfers to countries only where the data privacy and security laws are equivalent or higher than their own. Another key mechanism for cross-border transfer of data is corporate rules such as EU’s “Binding Corporate Rules” (BCR) where groups of corporate affiliates may send data to non-EU countries within their corporate group as long as the group has a set of rules that are approved by an EU data protection authority.

Opportunity for the Middle East
There is a strong opportunity in the Middle East region now to modify/ update existing data protection regulations, which have primarily been drafted from a telecommunications perspective and cover stipulations such as non-disclosure of subscriber’s personal information to other parties. Cyber-security regulations published more recently cover cybercrimes such as when someone violates data privacy, however these regulations are inadequate in providing the expected clarity to IoT service providers. Therefore, there is a clear requirement for a comprehensive data management framework at the country level.

Authorized entities in each country should initiate work, if already not done so, towards drafting of these national data protection regulations to provide adequate clarity to all stakeholders, for timely development of the IoT ecosystem within their countries and preferably aligned at least at the regional level.