Information Commissioner’s Office publishes blog on making or selling IoT devices and data protection issues

The blog piece sets out six points manufacturers and retailers of IoT devices should consider as a starting point.

The blog explains that manufacturers and service providers involved in the IoT industry are very likely to be processing personal data. As well as names, email addresses and the like, devices may also be processing location data, or online identifiers such as IP addresses.

There can be complex layers of data processors and data controllers in the IoT world, including manufacturers, app developers, social media platforms and aggregation platforms, the blog says, recommending that those involved should examine carefully whether they are a controller or processor under the GDPR.

As for privacy, the blog explains that GDPR requires a “data protection by design” approach to any product or service manufacturers are developing. The advice is to consider data protection issues at the start of product development, and ensure that these are addressed through the lifecycle of any device or service. Manufacturers also need to put appropriate technical measures in place to safeguard any personal data that the devices process.

Undertaking a data protection impact assessment (DPIA) can help manufacturers comply with data protection obligations when designing a device, product or service that processes personal data, the blog suggests. It will allow manufacturers to identify and fix any data protection issues at an early stage of any new project or development and help meet customers’ expectations around privacy.

Manufacturers should also be aware that in certain cases a DPIA is mandatory, such as when the processing is high risk.

The blog also reminds manufacturers that cyber security and data protection are inextricably linked.

As for building trust with customers, the blog reminds manufacturers that under current and future law they need to be aware of obligations to inform customers how their personal information will be collected, used, disclosed and stored, and how they may exercise their rights over that data.

As for retailers, the blog explains that it is important to take the safety of IoT devices into account when choosing which products to sell, as innovation in the digital economy relies on consumer trust.

Retailers should check that the manufacturer has produced a safe product that is not going to put consumers’ personal information at risk. They should look at how the device deals with personal information, and whether the manufacturer or service provider is transparent about how data is being used.

As for the future, the ICO says it is working closely with the Department for Digital, Culture, Media and Sport on their Secure by Design project. The project is focusing on improving the security of consumer internet connected devices and associated services (see item under Technology heading).