In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.
The ICO sets out six key points for businesses to consider when dealing with IoT devices:
- Manufacturers should be aware that many of their IoT devices are likely to be processing personal data (which includes names and addresses but can also include location data, IP addresses etc.) and this means that the GDPR will apply to them. Whilst it can be complex to determine who qualifies as data controller or processor under the GDPR, particularly when it comes to the complex supply chain arrangements associated with IoT, the distinction is fundamental as different obligations and responsibilities will be applicable.
- In addition, the GDPR requires the adoption of a “data protection by design” and “security by design” approach (see further below), meaning that data protection issues need to be addressed throughout the entire lifecycle of a device or service. A data protection impact assessment (“DPIA”), which may at times be obligatory (e.g. when the processing is high risk), may assist in complying with relevant obligations.
- Importantly, there is also an ongoing obligation to have appropriate technical measures and safeguards in place. To this end, cyber security and data protection go hand in hand and the ICO recommends investing both time and money to get it right from the start – it can be more difficult to retrofit security to devices once they are in the field.
- The above ties into the next key step: building consumer trust. Consumers have the right to be informed how their data will be collected, used, disclosed, stored and protected, and how they may exercise their rights. A lack of honesty and transparency can quickly result in a loss of consumer trust, with potentially significant repercussions for the overall success of a business. Drafting effective privacy policies, as well as dealing adequately with intellectual property issues around data ownership and licensing, is critical for IoT devices.
- Safety should also be a key factor for retailers when choosing which products to stock and sell. Retailers should carry out appropriate background checks to ensure that they are selling safe and secure products; strong unique (rather than default) credentials and timely software updates can be important indicators.
- Finally, as for manufacturers, unsafe products can negatively impact retailers’ reputation. As such, retailers should always consider the potential reputational damage if it turns out that consumer data was not kept safe.
Secure by Design Report and draft Code of Practice
In parallel to the ICO’s recommendations, the Government’s Department for Digital, Culture, Media and Sport (“DCMS”) has published its Secure by Design Report, which advocates a change in approach to ensure strong cyber security is built into consumer IoT products by design, thereby moving the burden away from consumers having to adjust default settings to secure their devices.
Whilst recognising that the IoT brings enormous opportunities for individual citizens and the UK’s economy alike, the Report emphasises the risks embedded in the rapid proliferation of devices that lack even basic cyber security features. In particular:
- It undermines consumer security, privacy and safety; and
- The wider economy is more vulnerable to large-scale cyber attacks.
The DCMS calls for urgent joint government and industry action. An important step towards this is represented by the draft Code of Practice, aimed primarily at manufacturers of IoT products and services. The Code sets out thirteen practical steps to improve cyber security:
- Not using default passwords;
- Implementation of a vulnerability disclosure policy;
- Keeping software updated;
- Securely storing credentials and security-sensitive data;
- Communicating securely;
- Minimising exposed attack surfaces;
- Ensuring software integrity;
- Ensuring that personal data is protected;
- Making systems resilient to outages;
- Monitoring system telemetry data;
- Making it easy for consumers to delete personal data;
- Making installation and maintenance of devices easy; and
- Validating input data.
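As an added illustration of how several of these steps can be checked in practice (this is example code written for this summary, not part of the ICO guidance or the DCMS Code of Practice), the script below audits a small fleet of constructed device provisioning records against five of the thirteen points: no default passwords, securely stored credentials, secure communication, software updates enabled, and validated input. It also shows per-device credential generation with a salted PBKDF2 hash, so that no two devices leave the factory sharing a password. The default-credential list, the record format and all device data are assumptions made up for the example.

```python
"""Added example (not from the ICO or DCMS documents): a fleet-level audit that
flags provisioning records violating several draft Code of Practice points.
All device data and the default-credential list are constructed for illustration."""
import hashlib
import re
import secrets
from collections import Counter
from dataclasses import dataclass

# Constructed, illustrative set of well-known factory-default credential pairs.
COMMON_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "1234"),
}

# Device names are echoed into a local web UI, so only a tight character set is accepted.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


@dataclass
class DeviceRecord:
    device_id: str
    device_name: str
    username: str
    password: str            # credential as written to the device at the factory
    password_storage: str    # "plaintext" or "pbkdf2" (how the device stores it)
    tls_required: bool       # app/cloud traffic only over TLS
    auto_update: bool        # signed firmware updates enabled out of the box


def audit_device(rec: DeviceRecord) -> list[str]:
    """Return the Code of Practice points this single record fails."""
    findings = []
    if (rec.username, rec.password) in COMMON_DEFAULT_CREDENTIALS:
        findings.append("default password")
    if rec.password_storage != "pbkdf2":
        findings.append("credentials not securely stored")
    if not rec.tls_required:
        findings.append("insecure communication")
    if not rec.auto_update:
        findings.append("software updates disabled")
    if not DEVICE_NAME_RE.fullmatch(rec.device_name):
        findings.append("unvalidated input")
    return findings


def audit_fleet(records: list[DeviceRecord]) -> dict[str, list[str]]:
    """Audit each record, then apply a fleet-wide check: a password shared by more
    than one device is effectively a default even if it is not a well-known one."""
    results = {rec.device_id: audit_device(rec) for rec in records}
    shared = {pw for pw, n in Counter(r.password for r in records).items() if n > 1}
    for rec in records:
        if rec.password in shared and "default password" not in results[rec.device_id]:
            results[rec.device_id].append("password shared across devices")
    return results


def provision_unique_credential(device_id: str) -> tuple[str, str, str]:
    """Generate a per-device password; the device keeps only salt + PBKDF2 hash.
    device_id is accepted so a manufacturing log can tie the credential to the unit."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return password, salt.hex(), digest.hex()


def verify_credential(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return secrets.compare_digest(candidate.hex(), digest_hex)


# Constructed provisioning records for a small fleet of cameras.
SAMPLE_FLEET = [
    DeviceRecord("cam-0001", "frontdoor", "admin", "admin", "plaintext", False, False),
    DeviceRecord("cam-0002", "garage", "admin", "Xk9-common", "plaintext", True, True),
    DeviceRecord("cam-0003", "<script>", "admin", "Xk9-common", "pbkdf2", True, True),
    DeviceRecord("cam-0004", "garden", "admin", "q7Lm2pZ8vR", "pbkdf2", True, True),
]

if __name__ == "__main__":
    for dev, findings in audit_fleet(SAMPLE_FLEET).items():
        print(dev, "OK" if not findings else ", ".join(findings))
```

Run as a script it prints one line per device; only cam-0004 passes every check, while cam-0002 and cam-0003 are caught by the fleet-wide shared-password check that a per-device audit alone would miss.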
The draft Code of Practice is still a work in progress and the government is encouraging further engagement and feedback from industry bodies. While the government is currently calling for voluntary industry adoption of the draft Code of Practice, it has been suggested that the guidelines will be made compulsory if need be. The full government report can be accessed here.