Embedding data protection in IoT products: Four essential steps from the UK regulator
Posted: July 5, 2025
The UK’s data protection and privacy regulator, the Information Commissioner’s Office (ICO), has published comprehensive new guidance for consumer Internet of Things (IoT) and “smart home” products and services.
Here are four ways IoT businesses can meet the ICO’s expectations.
- Embed accountability and data protection by design
- Ensure lawfulness, fairness, and transparency
- Apply strong security and data management
- Operationalize user rights
1. Embed accountability and data protection by design
The ICO cites accountability as a foundational data protection principle throughout its guidance. IoT providers must both comply with data protection law and be able to demonstrate their compliance.
- Data Protection Impact Assessments (DPIAs) are framed as mandatory for providers of IoT products. A DPIA is required under the UK GDPR wherever data processing is “likely to result in a high risk” to individuals. The ICO says that the sensitive data processed by IoT products meets this threshold.
- Clarify your role within the IoT ecosystem. A baseline for legal compliance is determining your company’s status as a controller, joint controller, or processor, in relation to other actors within the IoT supply chain. This is a fact-based assessment that cannot be determined by contracts alone.
- Embed privacy into the IoT lifecycle. The UK GDPR requires “data protection by design and by default,” which means applying strong data protection standards at every stage: From design and research to post-launch updates. Don’t process personal data unless needed for a specific purpose.
2. Ensure lawfulness, fairness, and transparency
The ICO insists on lawful, user-centric IoT devices, with close scrutiny of data collection practices.
- Identify and document your lawful basis for processing personal data, such as “contract”, “consent”, or “legitimate interests”, before commencing a given processing activity.
- If relying on consent, as is often required for IoT under the Privacy and Electronic Communications Regulations 2003 (PECR), ensure it meets the UK GDPR standard: Freely given, specific, informed, unambiguous, and easy to withdraw.
- Ensure you’re using AI in a fair and lawful way, including by mitigating bias and ensuring statistical accuracy.
3. Apply strong security and data management
Security is both a legal duty and a strong design feature. The ICO suggests aligning your product’s security controls with a technical standard, such as the Product Security and Telecommunications Infrastructure Regulations 2024 (PSTI Regulations).
The following security measures are among the ICO’s recommendations:
- Strong passwords and authentication methods
- Regular security updates
- Vulnerability disclosure policy
- Encryption at rest and in transit
- Enforced data retention limits
- Privacy-Enhancing Technologies (PETs) (such as federated learning, differential privacy, and homomorphic encryption)
4. Operationalize user rights
Your product and services must enable users to exercise their UK GDPR data subject rights easily.
- Include tools for exercising the rights of access, erasure, rectification, and portability, allowing users to delete, correct, or receive a copy of their personal data via a centralized portal.
- Be absolutely clear on the “right to erasure”: Tell users about the implications of deleting their personal data, including the option of deleting data from backup systems if desired.
The ICO’s message to IoT providers
The ICO’s IoT guidance sends a clear message to actors all across the IoT ecosystem: Strong data protection standards are mandatory, not a “nice to have”.
You must ensure your products and services meet the requirements of all relevant laws. Putting data protection and privacy at the forefront of your products can also help build trusting, sustainable relationships with your users.