Many manufacturers and retailers of IoT devices don’t realise that these devices fall under the purview of data privacy regulations. As data regulators turn their attention to IoT devices, manufacturers and retailers must take steps to stay ahead of developing global data privacy regulations.
In 2010, Facebook founder Mark Zuckerberg declared that privacy was no longer a social norm. Ten years on, the proliferation of global data privacy regulations like GDPR, PDPA, and LGPD highlights that privacy is still an expectation within society.
Data privacy as a social norm seems at odds with the recent explosion in the popularity of Internet of Things (IoT) devices. After all, these devices rely on personal data to provide the best experience for the device owner.
These days, anything that can connect to the internet is an IoT device. IoT devices overlap with smart devices and include:
- Smartphones, laptops and tablets
- Fitness watches
- Virtual assistants
- Connected appliances and smart home devices
- Cybersecurity scanners
- Autonomous equipment used in farming and manufacturing
These devices collect large volumes of personal data, necessitating the implementation of appropriate privacy controls.
Data regulation bodies including the ICO and ENISA recommend that IoT developers and manufacturers utilise secure Software Development Life Cycle (SDLC) principles, otherwise known as security by design.
Security by design obligates software engineers and IoT manufacturers to consider cybersecurity, and by extension data security, “from requirements and design to development and maintenance, as well as disposal” (ENISA’s Executive Director, Juhan Lepassaar).
Like GDPR’s privacy by design and by default principle, security by design focuses on the processes in place to secure personal data at every stage of an IoT device’s life cycle.
In addition, all manufacturers and IoT service providers within the UK must comply with the following principles, which are outlined in the code of practice for consumer IoT security:
- IoT devices must not be sold with universal default usernames
- Implement a vulnerability disclosure policy
- Keep IoT software updated
- Securely store credentials and security-sensitive data
- All communication, including remote management and control, must be encrypted
- Minimise exposed attack surfaces including unused ports and superfluous code
- Ensure software integrity
- Apply GDPR to any personal data processed by IoT devices
While the above only applies in the UK, we believe these recommendations are applicable globally and will help you stay ahead of developing IoT privacy regulations.
In September 2020, the ICO introduced the Age Appropriate Design Code, which sets standards and provides specific guidance on how GDPR applies to children.
The introduction of the Age Appropriate Design Code in the UK reflects the larger global trend of increased data privacy awareness and demand for stricter regulation.
While IoT manufacturers and providers are the primary focus of new IoT data privacy regulations, retailers of IoT devices should expect these regulations to be expanded in upcoming years.
Our recommendation for retailers selling IoT devices is to stay proactive regarding data privacy and cybersecurity. By applying data privacy and cybersecurity principles to every aspect of your business, including the types of devices you stock, you will stay on the right side of regulation and customer opinion.
Since the EU’s General Data Protection Regulation (GDPR) was ratified in 2016, a wave of similar laws has been introduced in other markets. Maintaining compliance across different markets takes diligence, and it can divert valuable resources away from your core business operations.
Formiti delivers affordable data compliance solutions across 6 regions and 15 countries. We take care of your data privacy compliance so you can focus on your business.