If you’re unfamiliar with the phrase ‘Internet of Things’, you’d be forgiven for having no idea what it could possibly refer to. It does sound incredibly vague, and doesn’t immediately appear to even mean anything at all. But while the name might just sound like a bad guess as to what “IT” stands for, it does actually have a specific meaning related to the Internet, electronic devices, and data sharing.
So what does ‘Internet of Things’ mean?
In a nutshell, the Internet of Things (IoT) is the term used to describe the connectivity of electronic devices and systems: how smart devices and systems can communicate with each other and share data. For example, your smart watch is embedded with sensors which allow it to share data with other devices and systems, such as when it syncs with your phone. When your Apple Watch tracks your workout and sends it to an app on your phone? That’s the Internet of Things in action.
Due to countless devices being manufactured at a rapidly growing rate, the scale of the IoT is constantly increasing. More and more smart devices are being built and connected to one another, with a rise from approximately 8.6 billion devices connected in 2019, to a huge 15.4 billion connected in 2023 (worldwide). Considering the huge swathes of data that these devices process, it’s important to be aware of the privacy implications that using them creates.
Where does data privacy come in?
So, what part does data protection play in the Internet of Things, or the ‘IoT’?
Well, many of the data processing activities involved in the IoT will fall under the scope of the GDPR. As such, data protection should be built into any IoT solution from the very outset and throughout the development lifecycle, as part of the principle of ‘privacy by design and default’.
Because of all the data that IoT devices collect, a Data Protection Impact Assessment (DPIA) will normally need to be completed. Concepts of transparency, fairness, purpose limitation, data minimisation, data accuracy and the ability to deliver on data subject rights should be built into the design of the IoT product, and all of this should be documented and evidenced as part of the GDPR principle of “Accountability”.
Considering the processing of sensitive data
It’s also important to consider that apps in the IoT may collect and process special category data. For instance, smart wearables may indirectly collect information that, over a period of time, may be used to deduce the health or well-being of the individual (e.g. smart watches that have the ability to track heart rates and any abnormalities in an individual’s heart rate).
In some cases, people have claimed devices have saved their lives by detecting a dangerous heart condition. Where devices process data of this kind, controllers will need to be aware that there will be an extra condition for the processing of special category personal data, and in most instances will need to rely on Article 9(2)(a), which states that you can process special category data if the data subject has given explicit consent to the processing of personal data for one or more specified purposes.
Protecting the consumer
The Internet of Things is an expanding world and, as a result, the privacy implications of such technology are growing with it. As consumers become more aware of their privacy rights, and the obligations of data processors, it’s more important than ever for developers within the IoT world to consider all aspects of data privacy.
Consumers should also be aware of the data that they are sharing, and check they are happy with the permissions that are set up on their devices.
For support in the world of data privacy, you can always rely on DPAS. Feel free to get in touch with us about any queries you may have, and our dedicated team will do everything we can to help.