Information Commissioner's Office
Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection
Blog posted by: Peter Brown, Technology Group Manager, 07 March 2018.
With the demand for connected toys, smart watches and smart home accessories growing rapidly, it’s safe to say the IoT market is booming.
At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties.
Most manufacturers and retailers pride themselves on their health and safety compliance when developing and selling products. But as internet-enabled devices process increasing amounts of personal data, how much do you, as a manufacturer or retailer, really know about the rules around IoT and the way your products use personal information?
Here are six points to consider as a starting point for manufacturers and retailers of IoT devices:
- Your devices will probably be processing personal data
If you’re a manufacturer or service provider involved in the IoT industry then you’re very likely to be processing personal data. Remember, personal data doesn’t just involve things like names and email addresses—your devices may also be processing location data, or online identifiers like IP addresses.
This means that current data protection law applies to you – and you also need to be aware of the General Data Protection Regulation (GDPR), a change to legislation taking effect from May.
There can be complex layers of data processors and data controllers in the IoT world, including manufacturers, app developers, social media platforms and aggregation platforms. Those involved should examine carefully whether they would be a controller or processor under the GDPR.
- Privacy should be built in from the beginning if a device uses personal data
The GDPR requires you to adopt a ‘data protection by design’ approach to any product or service you’re developing. You need to consider data protection issues at the start of product development, and ensure that these are addressed through the lifecycle of any device or service. You also need to put appropriate technical measures in place to safeguard any personal data that your devices process.
A data protection impact assessment (DPIA) is a tool which can help you comply with data protection obligations when designing a device, product or service that processes personal data. It will allow you to identify and fix any data protection issues at an early stage of any new project or development and help you meet your customers’ expectations around privacy.
You should also be aware that in certain cases a DPIA is mandatory, such as when the processing is high risk.
- Data protection and cyber security go hand in hand
IoT manufacturers must remember cyber security and data protection are inextricably linked. Those IoT organisations that invest time and money in designing secure products will show a respect for their customers that will stand them in good stead for the long term.
Gone are the days when cyber security was for the IT team and data protection was a back room issue. Both are linked and both need to be high on the boardroom agenda.
- You want to build trust with your customers
The ICO was involved in an international study last year that found six in ten IoT devices don’t properly tell customers how their personal information is being used. Under the current and future law you need to be aware that you have obligations to inform customers how their personal information will be collected, used, disclosed and stored, and how they may exercise their rights over that data.
Trust is integral to innovation and can be easily lost when consumers discover you haven’t been completely honest about how you are using their information.
- You have a duty to your customers
It’s also important that retailers take the safety of IoT devices into account when choosing which products to sell. Innovation in the digital economy relies on consumer trust.
Check the manufacturer has produced a safe product that is not going to put consumers’ personal information at risk. Look at how the device deals with personal information, and whether the manufacturer or service provider is transparent about how data is being used.
Consider the practical measures that manufacturers offer such as strong credentials and timely software updates.
- Shoddy products can ruin your reputation
IoT products might fly off the shelves when they’re new and exciting, or during certain times of year like the Christmas season, but consider the possible reputational damage to your business if they later turn out to be so badly designed that they put people’s data at risk.
Selling products that are secure and respect the public’s personal data will reap rewards in the long term.
What’s happening next?
Looking to the future of IoT, we’re working closely with the Department for Digital, Culture, Media and Sport (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet connected devices and associated services. DCMS will be publishing a report today which advocates a fundamental shift in approach: moving the burden away from consumers having to secure their devices, and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS’s work in developing its recommendations, and we encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation.
Peter Brown is Technology Group Manager, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.