Data and cybersecurity: best practices for electric bike brands

In the digital era, a lot of data is collected every day. By accompanying users on their daily journeys, connected bikes and the services they provide generate a mass of information.

Comparable to a gold mine, this data allows cycle industry players to understand how their products are used and to transform this data into services to improve the cycling experience. By analyzing it, brands can refine their strategy to meet cyclists’ expectations. In order to maintain user trust and comply with data security requirements, it is essential to protect data.


The protection of personal data according to the law

In Europe, the General Data Protection Regulation (GDPR) governs how companies process data. The regulation is based on the principles of purpose, relevance, transparency and responsibility, which shape the digital mechanics and the use of data for players in the cycle industry.

Bike brands, what data can you collect?

The type of personal data collected depends on the purpose of the collection: this is the principle of purpose and relevance. Brands are allowed to collect personal data for commercial purposes, but the collection must be consistent with their activity and with its stated purpose. Personal data is any information relating to a natural person that allows that person to be identified. Anonymized data is therefore no longer considered personal data.

Last name, first name, age and product usage habits can therefore be collected, because they allow you to build a relationship with your cyclists. Sensitive data such as political opinions or social security information, on the other hand, cannot be collected.

The cyclist: a user with rights

The cyclist is above all a user whose rights must be respected. Therefore, before processing data, brands must ensure that they have the consent of their users: this is the right to object. Users must give their permission for their data to be processed. To obtain it, brands must transparently indicate the nature and purpose of the collection. They must also indicate whether the collected data will be shared with partners.

Once consent has been obtained, the user has rights over his or her data:   

  • The right to be deleted: any user can request that their information be removed from your database and that you no longer use it.
  • The right of access and rectification: data holders must be able to consult their data and, if desired, modify it.
  • The right to portability: this right allows users to receive the data that has been collected about them in order to reuse it or transmit it to another entity.

Ensuring data protection: an obligation for brands

Optimal data security also requires a rigorous internal policy. This is why companies need to develop the right reflexes when it comes to cybersecurity.

Cybersecurity, an essential element of data processing

Beyond the financial cost, poor data security also carries a moral cost for the company, whose credibility with consumers may suffer. Internally, brands can take action with their employees and around their IT servers.

Employees: the first line of cybersecurity protection 

Simple actions can ensure data protection:

  • Employee training: for a cybersecurity policy to be effective, it is important to train employees to do the right thing, such as systematically locking their computers when they leave their workstations or learning how to secure their devices.
  • Classification of information: classifying the information that your company holds allows you to give employees access only to the information they need, through specific user profiles adapted to their roles. This way, everyone can optimally protect the data in their possession.
  • Strict password policy: unique, complex, frequently changed passwords that are only shared with relevant profiles.
  • The use of a professional VPN: VPNs allow for smooth browsing and secure exchanges thanks to encryption and anonymization of users at each connection. Employees will be able to use company software without compromising data security.

Global measures for the IT system

Once employees have adopted the right habits, additional steps must be taken to strengthen data security and avoid cyberattacks and their repercussions.

  • Ensure the protection of the offices: physical office security is also part of good practice for protecting against attacks. Protecting sensitive areas and restricting access will reduce the risks.
  • Regular backups of the company’s data: to avoid a complete loss of data during a cyber attack, it is important for companies to regularly back up their data to servers outside the company’s network. As archives, these backups provide a retrospective view of the collected data and also make it possible to react quickly if there is a problem with the internal server.
  • Encrypt data: encrypted data cannot be read without a decryption key. Encryption can be applied to exchanges between employees, but also to the company’s external communications with partners.

Data processing and cybersecurity at Velco: transparency and co-ownership


At Velco, we have a clear data handling policy with our partners.

Securing our IoT products

Our cybersecurity policy starts with our IoT products.

  • When they are manufactured, they are individually protected by digital keys retrieved directly from our servers to prevent intrusion.
  • The data communication of our IoT products is encrypted and whitelisted. Only authorized persons can access it.

Shared and anonymized data

Velco encodes the data collected from its IoT products. Anonymized, the data we collect allows us to achieve our goal: to provide a safer, more serene and comfortable cycling experience. The data we use are therefore:

  • Identification elements of the bicycle: brand, battery brand, bicycode
  • The use of the bike: distance travelled, condition of the bike, speed, degree of wear of the battery and its various components
  • Data from the cyclist’s phone: location, phone version, identifiers

Internal measures to promote data security  

Internally, we are implementing measures for data security. The partnership with Valeo has given Velco the opportunity to gain expertise by improving its data protection policy:

  • Protected servers: our servers are equipped with firewalls that block unwanted traffic. In addition, our network is divided into specific environments. This allows us to manage user access and also to reduce the risks in case of intrusion, since the rest of the network information is not accessible. Following intrusion tests conducted by Almond, we corrected any openings and consolidated our entire system.
  • To ensure continuity of our services, we also have mirror servers to store duplicate information.
  • Internal training: training sessions on cybersecurity are organized for our teams.

As the industry goes digital, data management and security can be complex, but they remain essential. Velco will help you understand data management as it relates to connected bikes. Do not hesitate to contact us to discuss it!