What is the ‘Internet of Things’?

The Internet ofThings blog feature image

If you’re unfamiliar with the phrase ‘Internet of Things’, you’d be forgiven for having no idea what it could possibly refer to. It does sound incredibly vague, and doesn’t immediately appear to even mean anything at all. But while the name might just sound like a bad guess as to what “IT” stands for, it does actually have a specific meaning related to the Internet, electronic devices, and data sharing.

 

So what does ‘Internet of Things’ mean?

In a nutshell, the Internet of Things (IoT) is the term that is used to describe the connectivity of electronic devices and systems, like how smart devices and systems can communicate with each other and share data. For example, your smart watch is embedded with sensors which allows it to share data with other devices and systems, such as when it syncs with your phone. When your Apple Watch tracks your workout and sends it to an app on your phone? That’s the Internet of Things in action.

Due to countless devices being manufactured at a rapidly growing rate, the scale of the IoT is constantly increasing. More and more smart devices are being built and connected to one another, with a rise from approximately 8.6 billion devices connected in 2019, to a huge 15.4 billion connected in 2023 (worldwide). Considering the huge swathes of data that these devices process, it’s important to be aware of the privacy implications that using them creates.

 

Where does data privacy come in?

So, what part does data protection play in the Internet of Things, or the ‘IoT’?

Well, many of the data processing activities involved in the IoT will fall under the scope of the GDPR. As such, data protection should be built into any IoT solution from the very outset and throughout the development lifecycle, as part of the principle of ‘privacy by design and default’.

Because of all the data that IoT devices collect, a Data Protection Impact Assessment (DPIA) will normally need to be completed. Concepts of transparency, fairness, purpose limitation, data minimisation, data accuracy and the ability to deliver on data subject rights should be built into the design of the IoT product, and all of this should be documented and evidenced as part of the GDPR principle of “Accountability”.

 

Considering the processing of sensitive data

It’s also important to consider that apps in the IoT may collect and process special category data. For instance, smart wearables may indirectly collect information that, over a period of time, may be used to deduce the health or well-being of the individual (i.e. smart watches that have the ability to track heart rates and any abnormalities to an individual’s heart rate).

In some cases, people have claimed devices have saved their life by detecting a dangerous heart condition. Where this is the case, controllers will need to be aware that there will be an extra condition for the processing of special category personal data, and in most instances will need to rely on Article 9(2)(a), which states that you can process special category data if the data subject has given explicit consent to the processing of personal data for one or more specified purposes.

 

Protecting the consumer

The Internet of Things is an expanding world and as a result, the privacy implications of such technology are growing with it. As consumers become more aware of their privacy rights, and the obligations of data processors, it’s more important than ever for developers within the IoT world to consider all aspects of data privacy.

Consumers should also be aware of the data that they are sharing, and check they are happy with the permissions that are set up on their devices.

For support in the world of data privacy, you can always rely on DPAS. Feel free to get in touch with us about any queries you may have, and our dedicated team will do everything we can to help.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation