Information Commissioner's Office
Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection
Blog posted by: Peter Brown, Technology Group Manager, 07 March 2018.
With the demand for connected toys, smart watches and smart home accessories growing rapidly it’s safe to say the IoT market is booming.
At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties.
Most manufacturers and retailers pride themselves on their health and safety compliance when developing and selling products. But as internet-enabled devices process increasing amounts of personal data, as a manufacturer or retailer how much do you really know about the rules around IoT and the way your products use personal information?
Here are six points to consider as a starting point for manufacturers and retailers of IoT devices:
- Your devices will probably be processing personal data
If you’re a manufacturer or service provider involved in the IoT industry then you’re very likely to be processing personal data. Remember, personal data doesn’t just involve things like names and email addresses—your devices may also be processing location data, or online identifiers like IP addresses.
This means that current data protection law already applies to you, and you also need to be aware of the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
There can be complex layers of data processors and data controllers in the IoT world, including manufacturers, app developers, social media platforms and aggregation platforms. Those involved should examine carefully whether they would be a controller or processor under the GDPR.
- Privacy should be built in from the beginning if a device uses personal data
The GDPR requires you to adopt a ‘data protection by design and by default’ approach to any product or service you’re developing. You need to consider data protection issues at the start of product development, and ensure that they are addressed throughout the lifecycle of any device or service, including after it has shipped. You also need to put appropriate technical and organisational measures in place to safeguard any personal data that your devices process.
A data protection impact assessment (DPIA) is a tool which can help you comply with data protection obligations when designing a device, product or service that processes personal data. It will allow you to identify and fix any data protection issues at an early stage of any new project or development and help you meet your customers’ expectations around privacy.
You should also be aware that in certain cases a DPIA is mandatory, in particular where the processing is likely to result in a high risk to individuals’ rights and freedoms.
- Data protection and cyber security go hand in hand
IoT manufacturers must remember cyber security and data protection are inextricably linked. Those IoT organisations that invest time and money in designing secure products will show a respect for their customers that will stand them in good stead for the long term.
Gone are the days when cyber security was for the IT team and data protection was a back room issue. Both are linked and both need to be high on the boardroom agenda.
- You want to build trust with your customers
The ICO was involved in an international study last year that found six in ten IoT devices don’t properly tell customers how their personal information is being used. Under the current and future law you need to be aware that you have obligations to inform customers how their personal information will be collected, used, disclosed and stored, and how they may exercise their rights over that data.
Trust is integral to innovation and can be easily lost when consumers discover you haven’t been completely honest about how you are using their information.
- You have a duty to your customers
It’s also important that retailers take the safety of IoT devices into account when choosing which products to sell. Innovation in the digital economy relies on consumer trust.
Check the manufacturer has produced a safe product that is not going to put consumers’ personal information at risk. Look at how the device deals with personal information, and whether the manufacturer or service provider is transparent about how data is being used.
Consider the practical measures that manufacturers offer, such as unique and strong credentials rather than shared default passwords, and timely security updates for the supported lifetime of the device.
- Shoddy products can ruin your reputation
IoT products might fly off the shelves when they’re new and exciting, or during certain times of year like the Christmas season, but consider the possible reputational damage to your business if they later turn out to be so badly designed that they put people’s data at risk.
Selling products that are secure and respect the public’s personal data will reap rewards in the long term.
What’s happening next?
Looking to the future of IoT, we’re working closely with the Department for Digital, Culture, Media and Sport (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet-connected devices and associated services. DCMS will be publishing a report today which advocates a fundamental shift in approach: moving the burden away from consumers having to secure their devices, and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS in developing their recommendations, and we encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation.
Peter Brown is Technology Group Manager, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.
Original article link: https://iconewsblog.org.uk/2018/03/07/making-or-selling-internet-of-things-iot-devices-six-reasons-you-need-to-be-thinking-about-data-protection/