Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Erik Ramberg, CEO at Springworks, a company driving connected car services on behalf of mobile operators, looks at the implications of the General Data Protection Regulations (GDPR)on this potentially lucrative opportunity.

Big data, analytics and privacy. Three topics and areas of discussion that has dominated telecoms conference agendas and industry editorial commentary for the last 3-4 years. Mobile operators remain the custodians of an extremely valuable customer data source and have been contemplating how best to use it to drive incremental revenue and customer retention. After all, thanks to the ability to track users’ whereabouts in the network, assess the type of content they consume and where they access it, mobile operators can build strong contextual profiles for all their customers. As always, with great power becomes enormous responsibility. The advent of GDPR is the EU’s attempt to ensure all companies, not just mobile operators, take these responsibilities seriously.

Customer context and connected cars

Connected cars is one of the fastest growing IoT use cases. Its success is based on its ability to deliver significant levels of convenience and practicality to all drivers. By tracking things like driver behaviour, car location and vehicle condition, mobile operators can create a wealth of driver data that can be used to generate personalized and tailored services from themselves and third-party providers. These can include insurance companies, breakdown service providers or roadside retailers, among others. Operators can brand these services as their own, offer them to their customers through a consolidated platform, and remain visible to their subscribers in a way that massively enhances their brand value.

History has taught us that mobile operators have taken their obligations regarding customer privacy extremely seriously. This has at times seen them criticized as being slow to react to new opportunities and cede position to internet service providers in the battle for consumer mindshare. Taking such a meticulous approach in the creation of connected car services is an absolute necessity however, given the nature, quantity and quality of consumer data they place at their disposal.

The user owns the data

One of the key provisions of GDPR legislation is that mobile operators, like all other companies, need to make sure they clearly communicate while asking for personal data and clarify its intended usage. These rules are consistent with the notion that the user, or as is most often the case with connected cars, the driver, owns the data and how it is used, not the operator. This may seem like an obvious statement to make, but it has big implications for the growth of connected cars.

The connected car ecosystem comprises of many different participants. At a basic level, the mobile operator is required for the connectivity (various vendors are also complicit here through the development of middleware, dongles and in-car terminals etc.) Obviously, the OEMs provide the cars and a whole wealth of existing and upcoming third parties are developing new and innovative services looking to capitalize on an increasingly captive driver audience. With so many constituent players, managing privacy controls from so many sides creates incredible complexity. Since the mobile operators collect the data, and decide the purpose for its processing, they also carry the GDPR liability. This means they could face the potential of being fined up to 4% of global revenues should data breaches occur. For larger group operators, this could see fines in the billions of dollars.

Aggregation, aggregation, aggregation

Put simply, the complexity of managing so many partners and so much resulting data could appear as too great a GDPR risk for some operators to take. In order for operators to take their place at the heart of the connected car ecosystem, they need partners that can manage this complexity, and provide a data protection strategy that ensure drivers maintain their rightful position as the owners of their own data and masters of their own connected car destiny. In practical terms, operators need a centralized platform that can aggregate the processing of driver data, managing its availability on a user-permission basis. They then need to share this data and permissions with third parties to ensure the resulting services they receive back remain within the boundaries of what the customer is expecting.

GDPR doesn’t need to be a roadblock for mobile operators wanting to launch connected car services. In fact, for the historically privacy-sensitive operator, it could represent a blessing in disguise by providing new secure boundaries to operate within and demonstrate heightened levels of data responsibility back to the customer.

Erik Ramberg is co-founder and CEO of Springworks.