Information Commissioner's Office
Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection
Blog posted by: Peter Brown, Technology Group Manager, 07 March 2018.
With the demand for connected toys, smart watches and smart home accessories growing rapidly it’s safe to say the IoT market is booming.
At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties.
Most manufacturers and retailers pride themselves on their health and safety compliance when developing and selling products. But internet-enabled devices process increasing amounts of personal data, so as a manufacturer or retailer, how much do you really know about the rules around IoT and the way your products use personal information?
Here are six points to consider as a starting point for manufacturers and retailers of IoT devices:
- Your devices will probably be processing personal data
If you’re a manufacturer or service provider involved in the IoT industry then you’re very likely to be processing personal data. Remember, personal data doesn’t just involve things like names and email addresses—your devices may also be processing location data, or online identifiers like IP addresses.
This means that current data protection law applies to you – and you also need to be aware of the General Data Protection Regulation (GDPR), a change to the legislation that takes effect on 25 May 2018.
There can be complex layers of data processors and data controllers in the IoT world, including manufacturers, app developers, social media platforms and aggregation platforms. Those involved should examine carefully whether they would be a controller or processor under the GDPR.
- Privacy should be built in from the beginning if a device uses personal data
The GDPR requires you to adopt a ‘data protection by design’ approach to any product or service you’re developing. You need to consider data protection issues at the start of product development, and ensure that these are addressed through the lifecycle of any device or service. You also need to put appropriate technical measures in place to safeguard any personal data that your devices process.
A data protection impact assessment (DPIA) is a tool which can help you comply with data protection obligations when designing a device, product or service that processes personal data. It will allow you to identify and fix any data protection issues at an early stage of any new project or development and help you meet your customers’ expectations around privacy.
You should also be aware that in certain cases a DPIA is mandatory, such as when the processing is likely to result in a high risk to individuals.
- Data protection and cyber security go hand in hand
IoT manufacturers must remember cyber security and data protection are inextricably linked. Those IoT organisations that invest time and money in designing secure products will show a respect for their customers that will stand them in good stead for the long term.
Gone are the days when cyber security was for the IT team and data protection was a back room issue. Both are linked and both need to be high on the boardroom agenda.
- You want to build trust with your customers
The ICO was involved in an international study last year that found six in ten IoT devices don’t properly tell customers how their personal information is being used. Under the current and future law you need to be aware that you have obligations to inform customers how their personal information will be collected, used, disclosed and stored, and how they may exercise their rights over that data.
Trust is integral to innovation and can be easily lost when consumers discover you haven’t been completely honest about how you are using their information.
- You have a duty to your customers
It’s also important that retailers take the security and data protection practices of IoT devices into account when choosing which products to sell. Innovation in the digital economy relies on consumer trust.
Check the manufacturer has produced a safe product that is not going to put consumers’ personal information at risk. Look at how the device deals with personal information, and whether the manufacturer or service provider is transparent about how data is being used.
Consider the practical measures that manufacturers offer, such as strong credentials (unique per-device passwords rather than shared defaults) and timely software updates for the expected life of the product.
- Shoddy products can ruin your reputation
IoT products might fly off the shelves when they’re new and exciting, or during certain times of year like the Christmas season, but consider the possible reputational damage to your business if they later turn out to be so badly designed that they put people’s data at risk.
Selling products that are secure and respect the public’s personal data will reap rewards in the long term.
What’s happening next?
Looking to the future of IoT, we’re working closely with the Department for Digital, Culture, Media and Sport (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet-connected devices and associated services. DCMS will be publishing a report today which advocates a fundamental shift in approach: moving the burden away from consumers having to secure their devices and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS in developing their recommendations, and we encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation.
Peter Brown is Technology Group Manager, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.