New legal developments affecting consumer IoT in the UK.
Secure consumer IoT in 2020
Internet of things (IoT) is continuing to have a transformative impact in both industry (e.g. farming and manufacturing) and the consumer space (e.g. smart homes and voice assistants). In each device, sensors are collecting data about users and their environment and sharing this over ever-expanding cloud platforms – some now utilising 5G and edge computing technology. Government consultations and media scrutiny have targeted the cyber security risk posed by consumer devices and raised concerns over the vast amounts of data being collected.
IoT, edge computing and 5G explained
Edge computing is the practice of processing data closer to the end user – the ‘edge’ of the network – instead of being transferred to the cloud. The technology relies upon the compute power within IoT devices and servers themselves and allows workload to be distributed across networks, reducing data transfers between devices, servers and the cloud. 5G's faster speed and lower latency will open possibilities for devices on the 'edge' to instantly stay up to date through fast real-time processing. Some tech commentators see edge computing as a reversing trend away from cloud migration.
Throughout 2020, UK businesses should expect increased regulatory scrutiny under existing legislation (particularly GDPR) and potentially new requirements under consumer IoT regulation.
Who should be considering an IoT regulatory strategy in 2020?
- Manufacturers of consumer IoT devices or sensors.
- Businesses implementing IoT technology.
- Cloud platforms and IoT service providers.
- Retailers and e-commerce sites selling consumer IoT devices.
- 5G and mobile network providers.
What regulatory changes can we expect to see in the UK?
New consumer IoT regulation
There are currently two key voluntary codes of practice for UK businesses that specifically target consumer IoT [DCMS Code of Practice for Consumer IoT Security and ETSI Technical Specification 103 645]. These codes focus on improving basic security protections of IoT consumer devices (e.g. by using unique device passwords and requiring frequent security updates).
In January 2020, the UK government announced new legislation which will require:
- All consumer IoT device passwords to be unique and not resettable to any universal factory setting;
- Manufacturers of consumer IoT devices to provide a public point of contact so consumers can report a vulnerability; and
- Manufacturers of consumer IoT devices to explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.
The new legislation is in line with global developments. Last year, the states of California and Oregon passed new laws requiring manufacturers to implement ‘reasonable’ security features in consumer IoT devices from 1 January 2020.
Increased regulatory scrutiny
As IoT businesses utilise 5G and edge computing, IoT businesses should be prepared to demonstrate to regulators that they are implementing data protection by design and by default. See our article on further discussion of IoT and GDPR.
Large IoT networks also pose new privacy risks such as systematic monitoring and cross device tracking of individuals. IoT businesses should expect scrutiny of how they manage these risks and protect users’ privacy, particularly where sensitive data (e.g. health data) is concerned.
Throughout 2020, we are also likely to see greater cooperation between data protection and competition regulators, looking to identify potential harm to consumers and effects on market competition of big data collected by IoT networks.
How can UK businesses prepare?
- Stay up to date with the latest regulatory developments.
- Develop a comprehensive cybersecurity profile - identify key cyber weaknesses and conduct a gap analysis to ensure you are reaching minimum requirements on cyber laws and regulations.
- Engage with regulators – public consultations and policy papers play an essential role in the process of regulating in new and rapidly developing areas and they provide vital opportunities for organisations to provide input into the policy process.
- Processing personal data? – review your processes (e.g. staff training, audit) to ensure your business is compliant with the latest standards under data protection laws.
This article was written by Adam Hunter, Trainee, London.