New guidance published by the ICO - Internet of Things (IoT)
The Information Commissioner’s Office (ICO) has just published new guidance explaining how data protection law applies to the processing of personal data by consumer Internet of Things (IoT) devices, more commonly known as smart or connected products.
There are a whole range of consumer smart products on the market now (including speakers, watches, TVs, toys, domestic appliances and medical devices) which are managed via apps and software on phones, tablets and computers. These products can collect large amounts of personal data, including special category personal data. They can also be used by, and collect personal data relating to, children (the protection of whom is a key focus for the ICO currently).
As well as the UK General Data Protection Regulation, the Privacy and Electronic Communications Regulations (PECR) also become relevant to smart products if they are connected to the internet and use storage and access technologies (what we more commonly know as cookies), which many do. This introduces the requirement for, and challenges around, consent unless the cookies are strictly necessary to provide the service requested by the user.
Some key messages from the guidance:
1. Manufacturers and developers must prioritise data protection and manage the risks presented by smart products. The ICO believes most processing involving smart products is likely to result in a high risk to individuals, meaning a Data Protection Impact Assessment (DPIA) is required. This is because these products are often part of people’s private lives, processing personal data of a highly personal nature (including about users’ households, location, health, physiology, daily habits and relationships).
2. Privacy by design and default is key.
3. Data collection and processing must be transparent. Users must be provided with appropriate information about the processing and have control over their personal data.
4. Data collection and processing must be limited to what is necessary.
5. Products must be subject to appropriate security, and this is an ongoing obligation, including after sale. The ICO says this requires regular software updates, encryption and multifactor authentication throughout the product’s lifetime.
The ICO is also raising awareness amongst consumers about the risks of smart products and services so we can expect data subjects to be more aware of their rights.
Read the guidance here.