We live through unprecedented but also very exciting times. Never before have we had so much information at our fingertips. We are incredibly fortunate to see so many developments around privacy and security standards for devices and the supply chain. NIST has recently announced its draft IoT guidance and, at the same time, the European Commission has released its view on the risks surrounding the supply chain ecosystem.
Privacy Deep Insight #1 – appropriate Information Protection Policy
- IoT sensors in public and private environments can contribute to the aggregation and analysis of enormous amounts of data about individuals.
- Individuals do not control how much or when certain information about them can be released.
- The aggregation of data can create a new reality about individuals that may not be at all accurate.
- IoT network interfaces often enable remote access to physical systems that previously could only be accessed locally. This introduces another vulnerability vector that can be exploited.
Privacy Deep Insight #2 – Risk Management Framework coverage
With IoT, a framework is required to protect personal information from data generation, through transit across the supply chain and re-use, to end of life. Some post-market capabilities for conventional IT systems, such as network-based intrusion prevention systems, antimalware servers, and firewalls, may not be as effective at protecting IoT devices as they are at protecting conventional IT. This means:
- Privacy risk assessment of the ecosystem (on an ongoing basis), especially where devices lack identifiers or remote access capabilities
- Privacy risk assessment (or PIA) at the device and purpose level – at least once a year
- Incident detection must be enforced, as it may be difficult to achieve in the supply chain due to a lack of tooling for specialized IoT devices
- Vulnerability scans must be conducted routinely on devices where such preventative methods cannot be automated
- Access control enforcement is critical, given that IoT devices may not support logical access privileges within the device sufficient for a given situation
Privacy Deep Insight #3 – Personal Data Inventory and Data Flows Mapping
Include IoT devices and processing activities in the Personal Data Inventory:
- A data inventory will not miss IoT devices or sensors which are not usually part of a classic IT inventory
- A data inventory appoints an Owner, which is critical for privacy compliance, given that in an IoT chain ownership is heterogeneous
- Device upgrades are often not part of the regular computer network upgrade cycle, so they can be missed; an owner is responsible for tracking them for their inventory of data
- Data flow diagrams must include all the devices where data passes through
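The inventory and data-flow checks above can be made mechanical. The following is an added example, not code from the original post: it cross-references a small constructed personal-data inventory against constructed data-flow paths and reports devices that carry personal data but are missing from the inventory, entries with no accountable owner, entries whose last update is stale, and inventoried assets that appear in no documented flow. The asset names, owners, dates and the 180-day staleness threshold are all hypothetical.

```python
"""Cross-check a personal-data inventory against data-flow diagrams (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class InventoryEntry:
    asset_id: str
    kind: str                    # e.g. "server", "iot_gateway", "iot_sensor"
    owner: Optional[str]         # accountable owner; None means unassigned
    last_update: Optional[date]  # last firmware/software update, None if unknown


@dataclass
class DataFlow:
    name: str
    path: List[str]              # asset ids in the order personal data traverses them


Finding = Tuple[str, str, str]   # (severity, asset_id, message)


def audit(inventory: List[InventoryEntry], flows: List[DataFlow],
          today: date, max_update_age_days: int = 180) -> List[Finding]:
    """Return findings for gaps between the inventory and the documented data flows."""
    by_id = {e.asset_id: e for e in inventory}
    in_some_flow = {asset for f in flows for asset in f.path}
    findings: List[Finding] = []

    # Devices that personal data passes through but which nobody inventoried.
    for f in flows:
        for asset in f.path:
            if asset not in by_id:
                findings.append(("high", asset, f"in flow '{f.name}' but missing from inventory"))

    for e in inventory:
        if e.owner is None:
            findings.append(("high", e.asset_id, "no accountable owner assigned"))
        if e.last_update is None:
            findings.append(("medium", e.asset_id, "no update record"))
        else:
            age = (today - e.last_update).days
            if age > max_update_age_days:
                findings.append(("medium", e.asset_id, f"last update {age} days ago"))
        # An asset that handles no documented flow may mean the diagram is incomplete.
        if e.asset_id not in in_some_flow:
            findings.append(("low", e.asset_id, "not referenced by any documented data flow"))
    return findings


def run_demo() -> List[Finding]:
    """Constructed sample inventory and flows; values are hypothetical."""
    inventory = [
        InventoryEntry("app-server", "server", "IT Ops", date(2024, 3, 1)),
        InventoryEntry("gateway-1", "iot_gateway", None, date(2023, 1, 10)),
        InventoryEntry("badge-reader-2", "iot_sensor", "Facilities", date(2024, 5, 15)),
    ]
    flows = [
        # temp-sensor-7 was never inventoried because it is not a classic IT asset.
        DataFlow("building telemetry", ["temp-sensor-7", "gateway-1", "app-server"]),
    ]
    return audit(inventory, flows, today=date(2024, 6, 1))


if __name__ == "__main__":
    for severity, asset, message in run_demo():
        print(f"[{severity}] {asset}: {message}")
```

Run it as a script to see the four findings for the constructed data; in practice the inventory and flows would be loaded from the organisation's own records, and the function is written so that can be swapped in without changing the checks.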
Privacy Deep Insight #4 – Privacy by Design throughout the ecosystem
Demonstrating accountability for your privacy compliance program includes your supply chain. A recent CNIL fine re-affirms that the controller organization (primary organization) is responsible for safeguarding personal information across the supply chain, through documented instructions and verifying these instructions are implemented:
Verification and PIAs identify areas in the supply chain where:
- Privacy By Design controls may have failed and functionality is not a privacy “positive sum”
- Security controls that are no longer effective may be ignored for an unacceptably long period of time
- Adequate ownership and accountability is not established
- Mechanical (non-electronic) components may be part of the supply chain
- Training may need to be refreshed and reinforced
Privacy Deep Insight #5 – Protecting Individuals’ Privacy
Analytics is the biggest area of concern for the protection of individuals’ privacy in a supply chain ecosystem. It is all about extracting value from massive amounts of data; however, when this data is of a personal nature, additional rules must be implemented. Consideration should be given to:
- Data governance that is now part of several bills and proposed laws
- Open-source solutions and platforms and data lakes
- Inability of individuals to provide consent for the processing of their PII or condition further processing of specific attributes, locate the source of inaccuracies in their PII or simply access their data on the chain
- Ongoing PII processing through the chain while the purpose for processing is changing
- Aggregation of disparate data sets may lead to re-identification of PII.
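The last point, that aggregating disparate data sets can re-identify individuals, can be measured before data is combined. The following is an added example, not code from the original post: it computes the k-anonymity of a constructed set of records (the smallest group of records sharing the same quasi-identifier values) and shows how pulling in one more attribute from another data set can collapse groups to a single person. The column names, values and the threshold are hypothetical.

```python
"""Measure re-identification risk of a quasi-identifier set with k-anonymity (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence


def k_anonymity(records: Sequence[Dict[str, str]], quasi_identifiers: Sequence[str]) -> int:
    """Return k: the size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on those attributes and is
    re-identifiable by anyone who can link them to a named source.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def records_below_k(records: Sequence[Dict[str, str]], quasi_identifiers: Sequence[str],
                    k_min: int) -> List[Dict[str, str]]:
    """Records whose quasi-identifier group is smaller than k_min (the ones at risk)."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_identifiers)] < k_min]


def k_after_adding(records: Sequence[Dict[str, str]], base_qis: Sequence[str],
                   candidates: Iterable[str]) -> Dict[str, int]:
    """k that would result from joining each candidate attribute onto the base set."""
    return {c: k_anonymity(records, list(base_qis) + [c]) for c in candidates}


# Constructed sample: sensor readings already stripped of names, plus attributes
# that a second data set in the chain could contribute. Values are hypothetical.
SAMPLE = [
    {"postcode_prefix": "SW1", "age_band": "30-39", "device_model": "A", "site": "HQ"},
    {"postcode_prefix": "SW1", "age_band": "30-39", "device_model": "B", "site": "HQ"},
    {"postcode_prefix": "SW1", "age_band": "40-49", "device_model": "A", "site": "HQ"},
    {"postcode_prefix": "SW1", "age_band": "40-49", "device_model": "A", "site": "HQ"},
    {"postcode_prefix": "E1",  "age_band": "30-39", "device_model": "C", "site": "HQ"},
    {"postcode_prefix": "E1",  "age_band": "30-39", "device_model": "C", "site": "HQ"},
]
BASE_QIS = ["postcode_prefix", "age_band"]


if __name__ == "__main__":
    print("k on base quasi-identifiers:", k_anonymity(SAMPLE, BASE_QIS))
    print("k after adding each attribute:", k_after_adding(SAMPLE, BASE_QIS, ["device_model", "site"]))
    print("records at risk if device_model is joined:",
          records_below_k(SAMPLE, BASE_QIS + ["device_model"], k_min=2))
```

On the constructed data the base set is 2-anonymous, joining the sensor's device model drops it to 1, while joining the site (identical for everyone) changes nothing. The same check, run on real attribute sets before a data lake merge is approved, is one concrete way to act on the aggregation point above.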
For any additional resources for handling your Supply Chain Privacy download our Practical Privacy Playbook and uncover your supply chain due diligence tools we have to offer.
For additional insights and certified expertise:
7 PbD Principles:
- Principle 1 – Proactive not reactive: preventative not remedial.
- Principle 2 – Privacy as the default setting.
- Principle 3 – Privacy embedded into design.
- Principle 4 – Full functionality: positive-sum, not zero-sum.
- Principle 5 – End-to-end security: full lifecycle protection.
- Principle 6 – Visibility and transparency: keep it open.
- Principle 7 – Respect for user privacy: keep it user-centric.
GDPR states in Art 25 “[…] appropriate technical and organizational measures [must be implemented] both at the time of the design of the processing system and at the time of the processing itself, […] in order to maintain security and […] prevent any unauthorized processing.”