#23 Making IoT and personalization work for your business

Hello everyone, and welcome to another episode of The Power of Digital Policy!

For the past five or more years, we have heard that the Internet of Things, or IoT, will revolutionize digital marketing. The claim by most industry experts has been that the very devices that allow us to receive personalized environments such as self-learning thermostats and predictable timing coffee machines will generate hordes of new data. And based on inordinate amounts of new data, companies can market more precisely, more predictably, with greater relevance and value.

Has this hype really matured into reality? And what do organizations now need to be thinking about insofar as digital policies, IoT, and personalization is concerned.

Well first, off, I think we are getting close to the 2014-2016 predicted reality. I tend to think of myself as a lager when it comes to digitally connected devices. Still, at my house, there are two cars, two heating, and cooling units, and a geofencing alarm system hanging out on the home network. There are ample bumps with all of these products, and none of them truly perform perfectly as we would like them to. For example, the connected Volvo cars can’t self-schedule a maintenance appointment because we don’t subscribe to the Volvo internet plan. One of the heating and cooling systems has glitchy software and hasn’t been updated in the two years. All of those issues mean that none of the companies have the user experience quite right, and I doubt they are any better at collecting the personal data about our family. If they were to collect the data, they are still unlikely to be able to do much with it, based on what I have seen from email, postal mail, or any other type of targeting.

But then we also have the advanced devices, like the Apple Watch, which is insanely advanced compared to the heating and cooling company in terms of IoT capabilities, data collection, usable services, and even marketing.

The difference between companies in the IoT arena is immense, especially when it comes to the ability to collect data and use it for personalization, marketing, ongoing consumer engagement and brand loyalty. We can argue what makes one organization more mature than another, or how their digital strategy accounts for technology cadence. But to make IoT and personalization meaningful and the underlying data have integrity, we need to have sound digital policy in place. Here’s what I see as the key considerations whether you are just easing into the shallow end or are swimming in the deep end of the pool and want to doublecheck yourself. I’ve purposefully broken down the considerations into three areas: policy authors, drafting considerations, and lifecycle management considerations. Let’s take a look at each one of these.

• Policy authors: If you are the digital policy steward inside of your organization, or even if you are looking to define a policy that makes sense at a peer-to-peer level, the first thing you should ask yourself is who will help define your policy. In my experience, the team that will sit around the table and defines the IoT and personalization policies needs to be interdisciplinary. That is, applications, networks, database/ storage, system infrastructure, and operations need to come together with product managers and the digital marketing team. That’s because for IoT to work, it must cross the boundaries and engage the resources of all of these disciplines.

As a side note, if you are also focused on internal IoT, it will still involve people in the business, especially if the projects are focused on automating machines on the manufacturing floor. After all, it is the folks in manufacturing and engineering that define the business processes and the rulesets that will be needed for the IoT, while IT ensures that the technology works. This means that cooperative partnerships between IT and end business units should be in place before any IoT work is started.

• Policy drafting considerations: Over the years, I’ve seen some things that work and others that don’t when it comes to IoT and personalization to drive sound digital products and services. First, you have to get policies right that is in no way, shape, or form exciting. This is the basic homework that nobody likes to do, but everyone has to if you want to have a good foundation for the exciting stuff. By the basics, I mean:

1. Decide what you are doing around your backend-as-a-service (BaaS). This is the approach your organization will use to easily create, standardize, and repeat microservices needed to connect IoT devices with existing infrastructure. More often than not, this is the part that most marketing and product folks forget about, which is why duct tape exists. But as with anything in life, it is easier to get it right out of the gate than trying to backdoor engineer after the fact.
2. The DevOps tools are your next consideration. Whether you will be using vendors (or especially if you are using vendors!) or your in-house team, you need to enable developers to speed up the development and deployment of microservices. Consider the policies around DevOps tools and document what can and cannot be used.
3. APIs are your IoT and personalization lifeline as they allow you to aggregate all the structured information needed to connect, coordinate, and exchange information. Again, this is another duct tape moment that you can prevent by defining your guardrails upfront. When all is said and done, your data can be aggregated no matter where it comes from, and you can see a single view of your user.

Once you are done with the foundational IoT considerations, it is time to really roll up your sleeves and discuss with the team key policies around maintenance, security, and reliability. Of course, your policies will depend on your industry and company tolerance for risk, but here are some fundamental truths:

• Maintenance is such a tricky area of IoT. Consider who owns the IoT device you have developed. If the data goes hand-in-hand with the device, does your opinion of who owns the device change? If you are creating an IoT device such as a wearable watch, will you own it going forward, the consumer? And who will own the maintenance, not just of the device, but the services on the back end? Apply has created an entire set of policies around this, and you should to. After all, how will ownership be enforced? And if it is a device inside of a home, will you require updates? What if the device is tweaked for a really bad purpose? Will you still maintain it? Contractually you may have to, so think through the legal and court aspects of the policy.

• If you are in the medical IoT device arena, especially ingestible or highly sensitive products where people’s health and well-being is tied to an IoT device, don’t skimp on security, from collection and transmission to storage and accessibility. The risks to consumer privacy and to your organization should a breach occur can’t be underestimated. (And I strongly encourage you to include your legal team in all of the conversations you’ll cover here.)
• I would expect most developers to understand that any connected device would be subject to data privacy standards. The problem is that we haven’t figured out exactly what that means when it comes to things like new IoT devices, such as ingestible. Develop your policy carefully, consider what is ethical and right versus what you are trying to do, and make no assumptions about the location of the IoT device since many easily travel between borders and cause you a whole new world of privacy considerations.

Data ownership is a very complex area for IoT, so before you jump ahead, separate the IoT device policy discussion from the data and consider risks and opportunities in the context of both. Regulations like the HIPAA and the GDPR suggest that the data would belong to the individual. So how would that work when it comes to gaining consent for something that is implanted into a person, like a cancer treatment device inside of a person? Will your Terms of Service state that you can use all of the information for any purpose? Or will you need to get separate consent for each possible use of the data? Will you need to obtain renewed consent on a regular schedule?

And then there’s the device itself. Will personal data be stored on the device? If so, can it be erased or deleted remotely, or will it require a medical procedure? Medical device risks are alarming, but they can be mitigated. Early in the development process, brainstorm as many privacy scenarios as you can come up with, and develop a policy for each of them.

Most companies struggle to keep their disaster recovery plans updated, and IoT is no exception. Since IoT presents unique security challenges, this is one time that your disaster recovery and business continuity policies might need to extend from legacy into the digital arena. Consider what happens, for instance, if the IoT fails? Do you have the ability to manually override it and keep things running? This is especially important in IoT infrastructure monitoring and functions, and in areas like unmanned vehicles, drones and robots.

• Policy lifecycle management: When it comes to policy management, you will need to follow your standard digital policy management lifecycle. But for change management planning purposes, ask yourself: Is your management on-board with IoT and personalization? Before starting any IoT and personalization project, you should check internally for sponsors and evangelists, such as your board of directors, the CEO, and other top-level officials. Make sure that you present IoT and personalization initiatives as value initiatives for the business. Many times, the business case can make a difference in how IoT and personalization policies are integrated into the enterprise.
• And don’t forget to include a method for defining and measuring the ROI of your IoT and personalization policies, which might be an extension of the overall program of projects. Like other digital projects, IoT will enjoy a time when everyone is excited, before calming down and starting to look for a return on the investment. Make sure you are ready to address it!

As you can tell, there is so much to consider in the IoT space, and the policy is but a small part of the planning you will need to do. I have a slew of resources on my site, and also encourage you to visit the IoT for All website, where you can read policy advice from me and others.

To help you further think through policy considerations and the value of IoT and personalization, I’ve invited Jon Melnick of Lux Research to share his insights. As personalization is sweeping nearly every industry, including IoT and wearables, healthcare, pharma, nutrition, CPGs, and more, Jon will help us break down the business case for personalization trends and tell us what it means for the growth (or decline) of consumer-focused companies.

Until next time, be well and do great policy work.

‍