GDPR meets the connected car

(Image credit: Shutterstock/LifetimeStock)

They say you can tell a lot about someone from their car. Traditionally, this has meant their social status or whether they are clean or tidy. Today, with the growth of sensors in cars, it means even more. Internet of Things (IoT) technology means that a single connected car has the potential to produce gigabytes of data each year, which could be as simple as where the car has driven, to more complicated technical details on how the vehicle is performing and if it has any faults.

It is hard to think of an industry that isn’t actively trying to collect and analyse data. In the case of the automotive industry, large data pools can produce insight into how vehicles are performing once they have left the manufacturer. The next step is for them to extract the value from this insight, creating actionable plans for innovation, in order to create the best possible vehicles for their customers.

Yet data privacy must be respected. Regulations such as GDPR are a force for good, protecting consumers from those who would try to steal their information and compromise their digital identities. However, those regulations apply equally to businesses, even if they have their customers’ best interests at heart. The challenge for automobile makers is to ensure they can keep using that data without violating the data rights of their customers. In a post-GDPR world this challenge has gotten harder, but a new approach to data collection can square the circle.

The problem of data

Privacy regulations distinguish between data that can be used for customer intelligence and data that constitutes personally identifiable information (PII). PII is information that can be used to find out the identity of an individual – though in practice, it is far more complicated. PII is a legal term, not a technical one. This means its definition can differ drastically by jurisdiction and is always changing. It can range from a person’s name to their IP address depending on where they live.

For a car manufacturer, the most precious data a connected car can provide is on driver behaviour and usage information. This tells you how the user interacts with the components that make up the car – from how often they engage the windshield wipers to the use of their hazard lights. In isolation, data from a single car does not say much. However, when that same data is pulled and analysed from potentially millions of vehicles, manufacturers can properly evaluate performance and drive improvements.

However, under GDPR, what can be defined as PII has broadened considerably, and now includes much of the data that connected automobile companies have been collecting for years. The reasoning is sound – with access to the right databases, even an anonymised vehicle identity number can be used to find out who the owner is.

GDPR, of course, does not prevent car companies from collecting this data, but it does put heavy restrictions on how they can use it and who has access. A customer must provide consent for you to collect and use their data, and they then retain the right to delete it whenever they want. Companies of all shades continue to experiment with how this can be achieved, yet for connected car companies there is a larger security issue at stake.

What’s under the bonnet?

Under GDPR, you cannot allow unmitigated access to the bulk data you are collecting. Typically, connected vehicle companies will aggregate all their big data into one or several data lakes. This then allows the company’s data scientists to easily explore, analyse and seek insight using as much raw data as possible. The problem is that these environments contain both customer intelligence and PII, and companies too often make little attempt to distinguish between them or restrict access to data that’s protected under GDPR. This gives a potential bad actor plenty of opportunities to steal customer information and cause reputational and regulatory harm to the business.

However, connected car manufacturers can avoid this risk simply by aggregating their data in a different manner. Data should be stored by its classification - whether it’s personal or commercially valuable - and user permissions applied to ensure that PII cannot be accessed by just anyone. To heighten security further they should also apply unique policies to personal data, ensuring that even those with access – or those who have acquired access through nefarious means – cannot do harm. The system could be set up, for example, to detect and stop anyone performing bulk data transfers or using unfamiliar third-party applications on the data source.

Proper data characterisation and a greater use of user permissions allow companies to secure their data lakes without jeopardising their utility. Data scientists would still be able to view the data in aggregate and spot potentially valuable trends on the surface. Bad actors would just not be able to reach below and steal data for their own purposes.
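As an added illustration (not code from the article or from any vendor), the sketch below shows the access model described above: columns stored with a classification, role permissions per classification, and extra policies on personal data that block bulk reads and unfamiliar client applications. The column labels, role names, client names and row threshold are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed classification map. Which fields count as personal data is a
# legal decision; these labels are assumptions for the example.
CLASSIFICATION = {
    "vin": "personal", "gps_trace": "personal", "owner_email": "personal",
    "wiper_activations": "commercial", "hazard_light_uses": "commercial",
    "fault_code": "commercial",
}
# Hypothetical roles and the data classes each may read.
ROLE_CLASSES = {
    "data_scientist": {"commercial"},
    "privacy_officer": {"commercial", "personal"},
}
APPROVED_CLIENTS = {"analytics-notebook", "dsr-console"}  # hypothetical names
PERSONAL_ROW_LIMIT = 100  # assumed threshold for a "bulk" read of personal data


@dataclass
class Request:
    role: str
    client: str
    columns: tuple
    rows: int


def decide(req: Request) -> tuple:
    """Return (allowed, reason) for a read request against the data lake."""
    unknown = [c for c in req.columns if c not in CLASSIFICATION]
    if unknown:
        # Fail closed: data that was never classified is not served.
        return False, f"unclassified columns: {unknown}"
    classes = {CLASSIFICATION[c] for c in req.columns}
    permitted = ROLE_CLASSES.get(req.role, set())
    if not classes <= permitted:
        return False, f"role lacks access to: {sorted(classes - permitted)}"
    if "personal" in classes:
        # Extra policies apply even to roles that hold the permission.
        if req.client not in APPROVED_CLIENTS:
            return False, "unfamiliar client application on personal data"
        if req.rows > PERSONAL_ROW_LIMIT:
            return False, "bulk transfer of personal data"
    return True, "ok"
```

Commercial telemetry stays available at any volume to analysts, while a permitted role reading personal data is still stopped if the request is large or comes from an unapproved tool, which also limits what a stolen credential can extract.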

Connected cars dominated the news cycle in 2018, and there’s no doubt that they are the future. While many vehicle manufacturers have led the charge on these developments, others are only just starting to dip their toes in. For both groups, it’s vital that they balance customer experience and respecting data privacy. Putting a foot wrong on data privacy can cost businesses their reputations as well as a hefty fine. For consumers the hit can be even harder – leading to fraud or even vehicle theft. It’s not a secondary consideration – it should be built in from the start.

At the same time, customers always demand the smoothest, most seamless digital experience. For that to become a reality, data is essential. So long as the boundaries are made clear, and customers can knowingly sign up to let their data be used to improve their experience, both concerns can be met.

While privacy may seem a blocker for innovation, the two concerns are actually perfectly compatible. By taking the right precautions, vehicle manufacturers can have the best of both worlds.

Wayne Stallwood, head of AWS, KCOM