GDPR and its impact on the IoT
Updated: Jul 31, 2018
Well, May 25 came and went! Yep, General Data Protection Regulation (GDPR) day happened and we’re still all here. How many of you received that last-minute email flurry from companies seeking consent to retain your data? I for one counted and deleted a fair few!
Where does the data go?
In last month’s post, I tackled the subject with a heads-up in “GDPR: What do we really know?” I also shared some interesting statistics from a British government study as to how many people were aware, how many had planned accordingly and how many had “beefed-up” their cybersecurity. The statistics revealed an alarming trend of an unprepared state across businesses both big and small.
So, in this month’s column, I’m approaching a subject matter that may affect your business even further, since the internet of things (IoT) will naturally be influenced by the legislation that was imposed by the EU on GDPR day. I fear this is a very large can of worms, so to speak, impacting your entire vertical IoT solution; that is, from the endpoint (or device) to the gateway, the cloud, and the enterprise and business. In this instance, you will need to ensure that there’s an inherent legacy within your solution to fundamentally know where every bit, nibble and byte is located.
The big data in IoT
One example concerns a patient who uses a smart injector device. She uses it to auto-inject her arthritis drug to alleviate the symptoms of her condition. She has chosen the auto-injector, as, due to her condition, she is no longer dexterous and yet she strives to maintain her independence.
The smart injector manufacturer wishes to track her adherence, frequency, time of day, the quantity of drug used and so on. This typifies the “big data” aspect of the IoT and the power it bestows, not only to the manufacturer of the device, but to physicians and healthcare professionals (HCP) who can monitor and track the effectiveness of their drugs to ensure that their patients receive the best remote care possible.
Delivering an IoT strategy
In this instance, the patient initially visited her physician, who examined her and offered her a number of remote care options, of which the smart injector was one. Once decided upon, the physician signed her up to use the smart injector, along with a drug that’s most effective at alleviating her condition. At the time she signed up, she provided consent for her data to be collected and shared with both her physician and her HCP. The physician explained the benefits of relaying her data to all parties involved in her ongoing treatment, including the manufacturer, and noted how she could monitor her progress to ascertain if the drug was helping. Of course, as part of this sharing of data, it isn’t just the patient who benefits, since the manufacturer also finds great value in learning more about the performance of the injector itself.
The manufacturer has mandated that the communication from the injector to the gateway to the cloud and enterprise be gathered, as it is important that the data flow is seamless. What’s more, the device itself passes information about its performance and how well it delivers the drug. Likewise, this assures the well-being of the device so that it performs effectively and continuously. For example, if the patient accidentally drops the device and is no longer able to use the injector, then the physician or HCP needs to be immediately alerted that the device is unusable or dangerous to use and another needs to be sent out as a matter of urgency. Moreover, the actual patient is immediately contacted via telephone or through their carer to inform them that the device shouldn’t be used.
So far so good and, for me, this way of working is an exemplary example of an IoT strategy – one which I have delivered, I’ll have you know! Sounds perfect, right?
How much do you know?
But now let’s offer a devil’s advocate perspective. Let’s say that the patient’s son is concerned that so many people have access to his mother’s data and is equally concerned as to who is authorised and who might release such data (perhaps inadvertently) to a wider audience. As such, he makes a request that his mother’s consent for her data to be shared and used in this manner be withdrawn and that she be forgotten; that is, he invokes her “right to be forgotten.”
I have to openly admit, I’m not fully conversant with the entire GDPR legislation and how companies are going to be policed to ensure that they adhere to these new policies. The data captured from the patient is, as already discussed, valuable not only to manufacturers but also to the physicians and HCPs. It ultimately provides them with patient insights that could help other sufferers with the same condition; something that could be significant in establishing future treatments.
Until next time …
So here’s where this is going: Is it a selfish act to withhold data that could potentially break new ground in terms of healthcare progression and treatment? Or, is our anonymity and privacy a sacred value that should be respected and even encouraged? Is there, in fact, a way to relay the value in the data captured without revealing personal identification and therefore maintaining utter anonymity?
We, as individuals who generate such data, are allowed to make that decision. For me, there’s no right or wrong answer. It’s all about choice and our personal perspective regarding the data that we generate each and every day. More often, it’s the unsolicited abuse that scares us when we provide consent to others and unseen third parties – this is how GDPR empowers us!
So, this is where an advocate of “data is the new currency,” Dr. G, signs off.
Originally published in Technically Speaking.