The Akamai Blog

Don't Let Regulatory Concerns Derail Your IoT Strategies

Businesses around the globe are standing on the cusp of truly incredible change. The emergence of the Internet of Things presents new opportunities to gather valuable data and spin that information into powerful and impactful insights.

Nothing's as easy as it seems, though, and when it comes to the IoT, one obstacle in particular stands in the way of progress: regulatory compliance. Every industry is beholden to data privacy and security standards of some kind, whether it's the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR). With good reason, too: data breaches are on the rise, and businesses should do everything they can to protect sensitive user information.

However, there's no reason why brands can't enjoy the best of both worlds: data-driven IoT strategies alongside steadfast data security practices. It's a balancing act to be sure, but customer identity and access management solutions can be your ace in the hole.

IoT Takes the World by Storm

Just a few years ago, the IoT was nothing more than a theoretical concept -- the prediction that any household item could become a connected device. Today, we're witnessing the early days of the IoT revolution. Thanks to technology as diverse as smartphones and IP-enabled security cameras, there are more connected machines than ever before.

Consumer products like smart thermostats have added new objects to the traditional network -- and that means new opportunities to collect user data. As homes, retail stores and various public areas become populated with these IoT sensors, more information will be created at an incredible rate, allowing businesses to draw insights on everything from consumer preferences to service models. The end result promises to be stronger customer engagement, strategic decision-making and more successful business operations overall.

IoT in Action

One powerful use case for IoT-based customer engagement is improving loyalty programs and personalizing the brand experience. When a loyalty program participant enters a retail store, their smartphone detects the store's local beacons and triggers specialized offers for that specific location, based on past purchases and historical preferences. These alerts can guide in-store shoppers to products they didn't initially intend to buy, driving sales and building stronger engagement by delivering exclusive promotions.

In fact, a 2015 study published by the American Marketing Association revealed that making just one unplanned purchase can open the floodgates. Researchers from the University of Notre Dame discovered that once shoppers had crossed that initial threshold, they were more likely to make subsequent unplanned purchases. The reason? That first cue reminds the customer of all the other products they may need but had not necessarily intended to buy during that shopping trip.

"[A]n unplanned selection increases the probability that the next selection will be unplanned versus planned, and this effect grows larger as the shopping trip continues," the study's lead author, Timothy Gilbride, wrote.

Brands can take loyalty program performance even further by employing some form of gamification. Customers can earn "points" or other rewards in exchange for committing some desired action, such as purchasing certain items and scanning in-store barcodes. Such strategies can be crafted to increase the amount of time individuals spend inside a store -- and as the American Marketing Association study noted, the longer you shop, the more money you'll spend. It's a win-win situation: Customers buy more products and the brand builds a stronger sense of engagement through targeted personalization.

IoT's Regulation Problem

Adding such large numbers of new endpoints to brand networks presents a number of data privacy, security and regulatory concerns, but none more so than the ramifications for consumer-focused compliance demands. Accessing customer data is both an opportunity and a risk, as regulatory bodies continue to crack down on companies that follow sloppy security and privacy practices. Earlier this year, for instance, electronics manufacturer Vizio agreed to pay $2.2 million to settle Federal Trade Commission charges that it collected viewing data through its television sets without consumers' knowledge or consent.

Those compliance requirements will become even more stringent in May 2018 when the General Data Protection Regulation takes effect. The IoT will especially present a problem for brands given GDPR's stance on what constitutes "personal data." The E.U. regulation considerably expands the definition of personal data to include everything from location data and online identifiers such as IP addresses to mobile device IDs. As such, companies will be on the hook to protect the integrity and privacy of much more customer-related information, and the IoT will create a deluge of extra data to account for.

Given the hefty fines businesses will face for violating GDPR (up to €20 million or 4% of worldwide annual turnover, whichever is higher), they may feel that IoT-driven strategies just aren't worth the risk to their bottom line and brand reputation. However, there is a clear path forward to enjoy both industry-best data privacy practices and incredible digital customer engagement strategies. The answer is Customer Identity and Access Management (CIAM), typically delivered in the form of Identity as a Service (IDaaS), a cloud-based software solution specifically designed to manage consumer identities.

Drive IoT Strategies Forward with CIAM Solutions

Meeting the dual challenges of regulatory compliance and IoT-driven customer engagement requires a better handle on identity and access management and the ability to safeguard data without impeding brand interactions. An end-to-end IDaaS solution facilitates both needs by implementing security measures such as encryption of data in transit and at rest, and by drawing a stronger, verifiable connection between the user and the device or platform they are using.

IDaaS can provide a complete overview of your customer identity environment, allowing compliance officers to verify that regulatory requirements such as consent management (GDPR Article 7) and the right to erasure, commonly called the "right to be forgotten" (Article 17), are being met. IDaaS also supports the creation of strong authentication controls, such as multi-factor authentication, to prevent unauthorized access to data that falls under regulatory compliance.

When selecting an IDaaS provider, a good rule of thumb is to go where the security certifications and audit reports are. Health care organizations, for instance, should look for a vendor that demonstrates HIPAA and HITECH compliance for that industry. Note that no government body certifies HIPAA compliance, so in practice this means a vendor that will sign a Business Associate Agreement and can show independent, third-party attestation of the required safeguards.

Although there are no official GDPR-related certifications, brands can still protect themselves against violations by working with IDaaS providers that hold a preponderance of other security attestations: SOC 2 Type II reports, ISO/IEC 27001:2013 certification, SAS 70 Type II audits (since superseded by SSAE 16 and the SOC reports), as well as the aforementioned HIPAA and HITECH requirements. Such diligence shows a strong culture dedicated to securing data at all levels, and that's the kind of attention to detail you need to work with the IoT under heavy regulatory scrutiny.