Internet of Things: The Regulatory Challenge
What Is IoT?
IoT is known as a network of appliances, physical devices, vehicles, and other physical objects that exchange data. The International Telecommunication Union (ITU) defines IoT as:
“a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”
Examples of IoT devices include RFID (radio frequency identification) technology, smartwatches, and transportation systems. As an emerging global internet-based information architecture, the Internet of Things (IoT) presents many opportunities for society.
Opportunities and Applications
From improvements in efficiency to increased flows of information to educate people, IoT could transform how easily tasks can be carried out, automating processes through connected devices in different sectors such as:
Healthcare
Logistics
Manufacturing
Education
Technological advancements have contributed to automation in different sectors, even before IoT. However, IoT offers networks of connectivity and efficiency in unique ways. IoT contributes to industries by reducing costs, enabling data-driven decision making, improving efficiency, and enhancing customer experience.
Cybersecurity Risks
Despite the benefits that could be achieved with IoT, there are challenges which must be addressed to protect the interests of people and organisations that rely on the technology.
Check Point Research flagged a significant increase in cyberattacks against IoT devices. With hundreds of vulnerabilities in the threat landscape for IoT, it is more important than ever to strengthen cyberdefence.
The Legal and Regulatory Landscape
The rapid expansion of IoT has exposed significant gaps in existing legal frameworks. Most data protection and cybersecurity laws were designed before the proliferation of connected devices, and regulators are now playing catch-up with technology that generates, transmits and stores data at an unprecedented scale.
Data Protection and GDPR
Where IoT devices collect personal data from individuals in the EU, the GDPR applies, regardless of where the device manufacturer or data processor is based. Organisations deploying IoT systems must identify the legal basis for data collection, ensure data minimisation principles are followed, and implement appropriate technical and organisational measures to protect that data. The challenge is significant. IoT devices often collect data continuously and autonomously, making meaningful consent and transparency difficult to achieve in practice.
Product Security and Cybersecurity Law
The UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTI) represents one of the first laws specifically targeting the security of connected devices. It requires manufacturers of smart devices to meet baseline cybersecurity standards including unique default passwords, transparency about security update periods, and vulnerability reporting mechanisms. The EU is moving in a similar direction with the Cyber Resilience Act, which introduces mandatory cybersecurity requirements for products with digital elements sold in the EU market.
What Comes Next
The significant amounts of data generated by IoT devices present a world of opportunities for business growth and social development, but they also increase the weight of responsibility on people and organisations to protect their data. Data governance policies will be needed to ensure that the storage, access, sharing, and deletion of data are done in ways that are appropriate.
Improvements in the implementation of encryption and access controls will be needed to protect data. Existing laws and regulations, as well as new laws and regulations tailored to the unique IoT needs of different industries, may be required to ensure that the appropriate guardrails are put in place to promote sustainable use of IoT.
As GDPR applies to the whole data supply chain, organisations that aim to remain GDPR compliant will need to ensure, among other key considerations, that they understand the data being collected and processed, have a good understanding of consent, and keep records of data processing.
Disclaimer: This publication is for educational and informational purposes only and does not constitute formal legal advice or create an attorney-client relationship.
