Are privacy and security concerns holding back IoT in the workplace?
The Internet of Things (IoT) is rapidly becoming a real part of business operations, not to mention our everyday lives. With wireless sensors all around us, should we worry about what happens with all that data? There are certainly some valid reasons for concern about data privacy and security, but that doesn’t mean the IoT will stop expanding: despite the risks, the value it brings is too important.
The IoT means different things to different organizations. We would argue that the questions of data privacy and security in the world of smart buildings – although relevant – should be put in perspective. Ungrounded suspicions will diminish as people get more used to the technology and experience its benefits. Additionally, legislation is being updated to increase data processing transparency and build digital trust.
In this post, we will briefly discuss the privacy and security issues surrounding the IoT with a focus on the built environment and smart building applications.
The Internet of risky Things?
The growing number of connected devices in homes and buildings undeniably offers many benefits for the occupants. The flip side is that weaknesses in these devices – including your smart fridge, coffee maker or soap dispensers – can make you vulnerable to privacy and security threats.
Network-accessible ‘things’ already outnumber the world’s population today, and the number will grow to 20+ billion IoT devices by 2020, according to analyst firm Gartner. With so many connected nodes, IoT hacking can be extremely effective. By leveraging thousands of (unsecured) connected devices, hackers can launch (distributed) denial-of-service attacks that can cripple systems and infrastructure, or access the underlying network to gather valuable (and sensitive) data.
In these circumstances, it is important to make smart building solutions tamper-proof. Here are important security safeguards that you can put in place:
- Only use thoroughly tested, secure, and reliable sensors
- Use end-to-end encrypted wireless technology (e.g. standardized LoRa open-source protocol)
- Operate the IoT applications separately from the corporate IT network and data (no use of corporate WiFi either)
- Use a fully encrypted and segregated data processing platform (such as the COBUNDU™ connected building platform)
Big data privacy – a big issue?
The use of the IoT in the workplace can significantly improve the health, productivity, and comfort of occupants. Smart building applications not only provide real-time assistance to workers, they can also optimize space usage and improve ambient conditions. This can go as far as offering personalized services or automatically adjusting the room temperature to a building user’s personal preferences. But for each positive scenario, one can also think of a negative one. What if an employer uses workplace tracking data in a ‘creepy’ way? For making performance assessments or as an indicator of health-related issues, for example? Or for profiling (using algorithms) and automated decision making?
The use of personal data for purposes other than those communicated is a breach of confidence, if not downright illegal. The new European privacy regulation GDPR, for example, considerably strengthens data protection. Every processing of personal data with respect to an activity or transaction within the EU is subject to it (see also: GDPR for FMs – Are you ready for the new data protection regulation?). GDPR becomes enforceable on 25 May 2018 and imposes heavy fines (up to €20 million or 4% of annual turnover, whichever is higher) for serious non-compliance. It will lead stakeholders to bake in data security right from the start.
To achieve compliance, organizations need to map all their data processing activities and ensure they meet GDPR requirements, including the need to:
- Establish a lawful basis for each processing activity
- Be transparent and clearly communicate what they are doing with the data
- Limit data processing to the stated purpose
- Aggregate or anonymize (IoT) data that can be directly or indirectly traced back to an individual
- Use data encryption for enhanced security
- Keep records to demonstrate compliance
What’s in it for me?
Aside from legal and technical issues, the success of workplace IoT depends on the acceptance of the underlying business case. The point of IoT investment is to enable new business scenarios and bring about positive change. And where there is change, you can expect resistance. Let’s say an organization decides to deploy occupancy sensors to support the transition to activity-based working (ABW). Some people just don’t like change and ‘agile working’. They want to hang on to the stuff they have on their (fixed) desks, or are reluctant to give up their private office. If they don’t feel good about the new way of working, they might try to sabotage the technology tools supporting it, which can go as far as tampering with sensors, removing them or taping them over.
Good communication and change management are, therefore, crucial for success. This aspect is often underestimated. Getting people fully on board with WHY your organization is deploying sensors is half the battle. Employees should understand that sensors are not there to measure them, but their environment and how well it supports them. Take the time to clearly explain to your workforce how IoT applications will benefit them personally. Involve your employees in the journey, and involve them early. Give frequent updates and address privacy and security concerns. Build trust, ask for feedback and act on it.
Digital natives versus digital immigrants
An incredible amount has already been said about the generational gap between digital natives (millennials and generation Z, who grew up with connected technology) and digital immigrants (latecomers in the digital revolution), and about how this is reflected in attitudes towards tech and privacy, both in their private and professional lives.
Digital natives, the storyline goes, tend to believe in a meritocracy, shun hierarchies, and embrace the benefits of everything-as-a-service. They typically have more open profiles on social networks and like to share things and ideas with each other in real time. They are considered the disruptors in the workplace. But generalizations are always tricky. Research by Leesman, for example, suggests there is no evidence for what they call the ‘millennial myth’. Based on 250k survey data, Leesman insists we should stop talking about the mythical wants and needs of millennials with regard to their working environment.
The conventional wisdom that younger generations don’t care about privacy is also, at best, an oversimplification. In fact, research indicates that young adults generally take more precautions than their elders when it comes to online privacy.
In conclusion: Instead of getting lost in hype and half-truths about generational differences, we should look seriously at how to make the workplace more effective for a diverse workforce and people of all ages. Responsible use of the IoT – and the data-driven insights it brings – is critical in realizing the full potential of our workplaces.