Privacy by Design -- The GDPR, and Inpixon's Proactive Commitment to Privacy and Security

It’s been many months since I first heard about General Data Protection Regulation (GDPR), and to be honest, at first I assumed it was one of those idealized, politician-driven regulations. But, as I dug into the details, and as I have worked closely with the GDPR-specialized legal counsel that we’ve retained to advise us, I’ve come to embrace GDPR -- not only its ideals, such as transparency and giving users control over the collection and retention of their personal information, but also its specific requirements. I don’t find GDPR requirements to be particularly onerous; they just require one to be thoughtful about how one uses another person's information. And that makes good sense. That’s why, at Inpixon we are building privacy not only into our everyday practices but deep into our product design. It's "privacy by design."

As one example of Inpixon's proactive commitment to privacy and security, let's look at MAC addresses. While we believe Inpixon products do not collect personal information, we recognize some might consider a device's MAC address to be personal information. Because of Inpixon's forward-thinking privacy stance, well before GDPR we made the decision to enable our customers to utilize unidirectional, tokenization of device MAC addresses. So, while MAC addresses are collected as part of the unencrypted, "in-the-clear" information broadcast on public frequencies, we randomize and then delete that data early in the system processes.

But it’s about more than MAC addresses. Here at Inpixon we follow a three part approach to address comprehensive privacy.

1. We brought into GDPR compliance our public-facing interfaces such as our website, and have updated and made easily accessible our privacy policy, cookie policy, and website cookie usage disclosure notices. We also provide links to instructions on how to delete existing cookies and to modify the behavior of cookie storing.
2. We are taking steps to formally raise the awareness of, and train employees on, GDPR regulations and requirements. For example, our Inpixon Academy is building an e-learning course that will be mandatory to pass for employees, globally. This course will also be required for all of our partners and customers who want to earn a certification in our products.
3. We are instituting stringent and formal privacy practices and methodologies into our product development. Privacy considerations will be considered as early as the ideation stage, through to concepting, prototyping, testing, product development, and product enhancement. We'll have formal validation criteria so every product proposal, design and deliverable meets the intended privacy objectives. We will follow not only privacy-by-default but also privacy-by-design. This includes things like, minimizing the collection of sensitive data, locating sensitive data as far away from users as possible, and tokenizing sensitive data so it could not later be associated with persons. We will also give our customers solutions that include privacy as the default setting and easy-to-use tools that allow them to maximize privacy in the configuration and use of the products. One example of our commitment is shown in our successful migration to Amazon AWS infrastructure, which is a robust platform to help ensure GDPR compliance and will enable us to offer the entire application stack and all data stores to be hosted within the customer's host country or region.

So, I’m excited about GDPR and other privacy- and security-related regulations that raise the bar in protecting personal information. I’m proud of Inpixon's commitment to both the ideals and the specifics of these regulations. And I’m especially proud to be leading our "privacy by design" mindset.

I'd love to hear what you think about these topics. Drop me an email at info@inpixon.com.

Thanks,

Shirish Tangirala
Chief Product Officer