Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection
By Peter Brown, Technology Group Manager.
With the demand for connected toys, smart watches and smart home accessories growing rapidly it’s safe to say the IoT market is booming.
At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties.
Most manufacturers and retailers pride themselves on their health and safety compliance when developing and selling products. But as internet-enabled devices process increasing amounts of personal data, as a manufacturer or retailer how much do you really know about the rules around IoT and the way your products use personal information?
Here are six points to consider as a starting point for manufacturers and retailers of IoT devices:
- Your devices will probably be processing personal data
If you’re a manufacturer or service provider involved in the IoT industry then you’re very likely to be processing personal data. Remember, personal data doesn’t just involve things like names and email addresses—your devices may also be processing location data, or online identifiers like IP addresses.
This means that current data protection law applies to you – and you also need to be aware of the General Data Protection Regulation (GDPR), a change to legislation taking effect from May.
There can be complex layers of data processors and data controllers in the IoT world, including manufacturers, app developers, social media platforms and aggregation platforms. Those involved should examine carefully whether they would be a controller or processor under the GDPR.
- Privacy should be built in from the beginning if a device uses personal data
The GDPR requires you to adopt a ‘data protection by design’ approach to any product or service you’re developing. You need to consider data protection issues at the start of product development, and ensure that these are addressed through the lifecycle of any device or service. You also need to put appropriate technical measures in place to safeguard any personal data that your devices process.
A data protection impact assessment (DPIA) is a tool which can help you comply with data protection obligations when designing a device, product or service that processes personal data. It will allow you to identify and fix any data protection issues at an early stage of any new project or development and help you meet your customers’ expectations around privacy.
You should also be aware that in certain cases a DPIA is mandatory, such as when the processing is high risk.
- Data protection and cyber security go hand in hand
IoT manufacturers must remember cyber security and data protection are inextricably linked. Those IoT organisations that invest time and money in designing secure products will show a respect for their customers that will stand them in good stead for the long term.
Gone are the days when cyber security was for the IT team and data protection was a back room issue. Both are linked and both need to be high on the boardroom agenda.
- You want to build trust with your customers
The ICO was involved in an international study last year that found six in ten IoT devices don’t properly tell customers how their personal information is being used. Under the current and future law you need to be aware that you have obligations to inform customers how their personal information will be collected, used, disclosed and stored, and how they may exercise their rights over that data.
Trust is integral to innovation and can be easily lost when consumers discover you haven’t been completely honest about how you are using their information.
- You have a duty to your customers
It’s also important that retailers take the safety of IoT devices into account when choosing which products to sell. Innovation in the digital economy relies on consumer trust.
Check the manufacturer has produced a safe product that is not going to put consumers’ personal information at risk. Look at how the device deals with personal information, and whether the manufacturer or service provider is transparent about how data is being used.
Consider the practical measures that manufacturers offer such as strong credentials and timely software updates.
- Shoddy products can ruin your reputation
IoT products might fly off the shelves when they’re new and exciting, or during certain times of year like the Christmas season, but consider the possible reputational damage to your business if they later turn out to be so badly designed that they put people’s data at risk.
Selling products that are secure and respect the public’s personal data will reap rewards in the long term.
What’s happening next?
Looking to the future of IoT, we’re working closely with the Department for Digital, Culture, Media and Sport (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet connected devices and associated services. DCMS will be publishing a report today which advocates a fundamental shift in approach to moving the burden away from consumers having to secure their devices and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS’s work with developing their recommendations and encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation.
|Peter Brown is Technology Group Manager, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.|