Such devices frequently collect personal data, comprising anything from names and email addresses (if a sign-up process is required) to information such as location data, sleep patterns and behavioural data in numerous forms, much of which can easily be subject to abuse by malicious actors if not protected.
This collection and processing of personal data places a series of responsibilities on the provider of the IoT device, such as for example the clear communication to the data subject about the processing and about the rights connected to this. However, compliance can pose challenges as mechanisms need to be created to obtain consent, by the data subject accepting the applicable privacy terms. This can be complicated, unless the use of the device requires prior registration on a website or through a mobile application. And the provider’s efforts to guarantee compliance starts much earlier than when the device is placed in its packaging along with a privacy statement: under the GDPR principle of “privacy by design”, producers need to build data protection into the IoT solution from the very outset, and remain ready to document this under the principle of accountability.
So it is clear that technology can cause serious privacy concerns. At the same time, technology can not only be part of the problem but often also part of the solution. Technology can play an important part in helping organizations approach data protection in a systematic, predictable and coherent manner, for example through categorization of data for GDPR purposes, and in the implementation of appropriate policies for each type of data, such as rules for retention of data for a defined period which does not exceed what is necessary for the purposes of its processing.