How the Data Protection Act affects IoT

Posted on
Heledd leads the Information Governance team at UK-based law firm, Blake Morgan LLP. She is also the Course Director for the Firm’s British Computer Society accredited training courses in Data Protection and Freedom of Information Law, so we thought there’d be no better person to talk to about some of the data protection issues associated with the growing amount of data being collected by IoT devices…

On the basis of current trends, it is anticipated that by 2020 there will be over 200 billion connected devices globally, generating unprecedented volume of data regarding the devices themselves and their users. This new interconnected world offers enormous potential benefits for businesses, consumers and government but the speed of technological development and the global nature of IoT means that it is emerging in the absence of a comprehensive regulatory framework. Cybersecurity is increasingly seen as a major challenge. Perhaps understandably, the focus of many IoT projects historically has been to get the smart technology right and to extract maximum value from the resultant data via sophisticated analytics. Anecdotally, it appears that in many cases cybersecurity will have been an afterthought because the need to address security risks has not been obvious to developers at the design stage. For example, while the incentives for hacking into bank databases and military defences are self-evident, the motivation for hacking into domestic baby monitoring devices, pacemakers, and refrigerators are not so obvious. However, the risks posed to health, safety, wellbeing and commercial reputation by hacking and programme malfunction where smart devices are used in context of health care provision and energy and transport infrastructure are plainly considerable.

Failure to put in place effective data security mechanisms could result in enforcement action.

To an extent, the development and use of IoT applications in the UK is governed by the Data Protection Act which regulates the collection and use of identifiable personal information and imposes obligations in relation to the security of such data. Failure to put in place effective data security mechanisms could result in enforcement action where such failure compromises the security of such data. Individuals who suffer harm because inadequate safeguards have been applied to their data have the right to seek compensation through the courts under section 13 DPA.

Current levels of protection should be strengthened significantly, in the European context at least, with the introduction of the EU Data Protection Regulation, the current draft of which makes specific provision for “the principle of data protection by design” requiring data protection to be embedded within the entire life cycle of technological devices and programmes, from the very early design stage, right through to deployment, use and final disposal. The Draft Regulation imposes specific obligations to ensure that privacy settings are built into services and products in a manner that, by default, complies with the general principles of data protection, such as data minimisation and purpose limitation. As now, the Regulation will apply only to connected devices and programmes that collect and use identifiable personal information. Its emphasis on privacy by design, coupled with a toughened enforcement regime should incentivise programmers and designers to minimise the collection and use of identifiable personal information and in cases where this is not possible will operate as a welcome driver for investment in cybersecurity across connected devices at European level.

Article first published in Techx.