Sharing is caring?
The market of telematics devices and applications is thriving. Connected vehicle technologies and telematics services are merging and shape the future of the automotive industry – and our lives. While these innovations will no doubt bring incredible opportunities and advantages, we are also entering uncharted territory in terms of data security and privacy concerns.
A brand new world with brand new risks
The spread of IoT technology brings unprecedented opportunities. It is in fact quite easy to see why telematics has become inescapable in fleet management. For commercial fleets, the benefits delivered by automotive telematics devices are many. Before we pop a bottle of bubbly, though, a number of major risks must be addressed.
Data sharing between industries: the key to the kingdom
In every second, terabytes of telematics data is generated, collected, stored, analyzed, shared and transmitted. And when it comes to Big Data, the corny phrase ‘knowledge is power’ is true in every possible sense of the word.
Telematics data carry a wealth of business insights with tangible financial benefits. Data sharing between industries in order to gain access to this data treasure is key to capitalize on the information gathered.
The emphasis here is on ‘treasure’: whoever owns data has the opportunity to convert them to profit. It is only natural - well, at least not surprising - that a number of interested parties queued up for a slice of this lucrative business opportunity.
Business insights vs personal matters
To further complicate matters, there are two categories of data to deal with separately: vehicle data and personal data. In short, these data provide unique business insights for efficient fleet management. Both are crucial but for different reasons.
Monitoring a moving asset by GPS tracking devices and onboard diagnostics can be considered as vehicle data. Vehicle data may provide a global view covering the whole organization. Used to improve safety for personnel, vehicles and cargo, these data may offer substantial leverage over competitors.
Onboard services are also a great source for safety metrics. By analyzing driver behaviors, overall fleet safety can be improved significantly. But – there always seems to be a ‘but’ – this involves a vast amount of personal data. However, handling information that relates to drivers, i.e. private individuals is a sensitive issue for quite a few reasons. It also raises a number of questions – questions that have never been dealt with before concerning storage, process and protection.
My technology. My fleet. My data.
Whoever owns the data may decide how and for what purposes they use it – and monetize the information. At first glance, the whole controversy about who may sell the data and get the big bucks would go away if we could answer one fundamental question: whose data is this after all?
Interested parties have come up with a number of approaches to determine ‘title rights’:
- Automotive companies argue that data belongs to the entity that owns the device that produces data.
- Telecommunication and IT companies along with players in the telematics services industry may reason that data belongs to the entity that provides the technology to extract and process data.
- Fleets claim, quite understandably, that data belongs to the entity that generates them. At this point, though, drivers may have a thing or two to add.
Here again, we are talking about two different aspects: there is an explicit difference between who creates the data and who has access to it.
Access trumps ownership
Despite delays and gaps, there are considerable legislative efforts to catch up with technological developments. When it comes to the legal aspects of data processing, it is not ownership that matters most but access.
As for ownership, there is a blurred line between intellectual property rights and copyright issues. To make things even more frustrating, the whole matter gets mind-bogglingly complicated when personal data is involved: individuals’ rights are under strict data protection regulations.
In the age of cloud computing, there are no state borders when it comes to data transfers.
Every organization that processes any data of EU residents must observe the stipulations of the EU General Data Protection Regulation (GDPR) no matter where their seats, headquarters, offices or servers are located. And the GDPR is not in the least interested in ownership issues: title rights are not even defined in the preamble. The sole aim of the Regulation is to define and manage rights attached to individuals’ data.
Personal data: Handle with care
Monitoring driver activities and behaviors to predict and prevent accidents – and thus improving the efficiency of the fleet and the safety of the staff – sounds like an innocent enough and rational interest of both concerned parties, i.e. drivers and fleet managements. It is also obvious why the issue is so delicate.
The pros and cons for tracking drivers’ activities, however, are beyond the scope of this article. Our point is that this information is subject to privacy concerns and entails legal consequences.
What counts as personal data?
The GDPR gives a broad definition on this one: “any information relating to an identified or identifiable natural person”. Further elaborating the definition, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Furthermore, companies are not allowed to process just any information: they must be able to prove that the data collected and processed is absolutely necessary for a specific reason. In short, to comply with GDPR and respond to data privacy challenges, businesses must develop substantiated policies on data protection.
Understanding risks is crucial
Telematics solutions provided by Inventure do not generate data. While Inventure is not directly concerned with data protection issues, as a responsible company we keep a close eye on trends and threats and encourage a conscious company culture.
Data means power but then again, power comes with enormous responsibility in terms of security. No business is immune to cyber attacks and the damage caused may be irreparable. At this point, understanding risks is critical. Legal obligations aside, companies must put up a robust IT security system and adopt a comprehensive data protection compliance framework to prevent breaches.
The growing number of security threats and the dangers they pose are a topic for next time.