The following is an excerpt of an article I wrote that first appeared on the Information Systems Audit and Control Association (ISACA) website.
The day has arrived. A Wisconsin-based tech company will soon offer its employees microchip implants. The company expects to chip more than 50 employees, allowing them to access technology with just a wave of the hand.
Microchipping could provide a wide range of benefits and prove to be an increasingly pervasive and powerful business tool. However, with great power comes great responsibility, and it's extremely important to understand the potential business, security and privacy risks involved.
To fully appreciate the risks of microchipping, you first need to ask yourself some key questions:
• What data is being collected by the microchips?
• How will the data be used?
• With whom will the data be shared?
Once you establish the answers to these questions, consider just a few of the many possible risks to the business:
• Bad press. If employees dislike the idea of being chipped and complain to others outside of the business, there is a high probability of negative publicity hurting the business and lowering brand value. Other bad press could occur if the chipping results in physical harm to the individuals, if the data is breached, or if the chipping systems have security failures.
• Breaches or downtime. What happens if the chipping system doesn't play well with other systems and causes networks to slow to unacceptable speeds or go down completely? What if the systems implemented are not mature and, as a result, data is not processed correctly?
• Lawsuits from those chipped. Even if chips are optional, it is possible those who agreed to get them will regret their decisions. Perhaps it causes pain or some other physical problem. Or, maybe they read a report about how the chip's data is used, and then feel like they were tricked into getting them. Consider that employee lawsuits have risen 400 percent in the past 20 years.
• Noncompliance violations. It is quite possible the implementation and use of these chips or use of the associated data could be violating applicable data protection laws and regulations. For example, consider the many actions you would need to take if you wanted to use microchips in a way that is in compliance with the EU General Data Protection Regulation (GDPR).
You also need to consider the potential privacy harms that could impact the associated individuals. See the full ISACA article for this information.
Before any business makes any decisions involving personal data, whether gathered from a microchip or something else, it needs to ask three basic questions:
• Will this improve business?
• What are the risks?
• What are the harms?
If the answers to these questions indicate there will be greater benefits than business risks and personal privacy harms, and those risks and harms can be acceptably mitigated, then happy chipping! Otherwise, you need to do more research or simply conclude it's not a good action for your business.
I recommend every business perform a privacy impact assessment (PIA) for any type of new system that involves personal data. Think like Peter Parker: Before implementing a microchipping system, do a PIA to reinforce the great responsibility of even thinking about using such a powerful system.