Skip to main content
Hafan

How do we ensure accountability in IoT products?

Contents

In detail

What is accountability?

Accountability is a principle of data protection law. It means you are responsible for complying with the data protection principles, and that you are able to demonstrate that compliance.

Getting accountability right when you start developing your IoT product or service will help you take an approach that includes data protection issues from the beginning. 

You should think about some things at the earliest stages. These include:

  • correctly allocating roles and responsibilities regarding any organisation(s) you work with;
  • identifying and assessing the risks in your processing;
  • considering any specific needs or requirements if your IoT products and services are likely to be accessed by children; and
  • adopting a data protection by design approach. 

How should we understand controller/processor relationships in IoT?

It is common for multiple organisations to be involved in the processing activities of IoT products and services. In these cases, a crucial aspect of accountability is properly allocating data protection roles and responsibilities for each processing activity involved in developing and deploying IoT products and services. These may differ for each one. 

Any one organisation may be:

  • a controller – if it has overall control over the purposes and means of the processing activity;
  • a joint controller – if it makes decisions about the purposes and means together with another party or parties (ie common decisions) or in ways that complement each other (ie converging decisions) so the processing could not take place without the influence of all the parties; or
  • a processor – if it acts only on another organisation’s behalf under its instructions. 

For each processing activity, the role an organisation plays depends on: 

  • the specific processing of personal information taking place;
  • the circumstances in which this happens; and
  • who has genuine, real-life influence and control over the purposes and means of the processing.

A first step to working out your role is to identify the distinct sets of processing operations and their purposes. Whoever makes the decisions about the ‘how’ and the ‘why’ of that processing activity is a controller for that activity.

As IoT products process personal information for several purposes, you may be a controller or joint controller for some phases of the processing and a processor for others.

What types of decision do controllers take?

Controllers make decisions about:

  • whether to collect personal information in the first place;
  • what types of personal information to collect;
  • the purpose or purposes for which the personal information is to be used;
  • which people to collect the personal information about;
  • how long to retain the personal information; and
  • how to respond to requests from people about their rights.

Organisations that, as a matter of fact, determine the purposes and means of processing are controllers regardless of any description of their role in a contract or other agreement made between the parties.

An organisation determines the purposes and the means of the processing if it exerts sufficient influence so that it has a tangible impact on decisions made about the purposes and the means of the processing. A tangible impact means that the processing would not happen in the same way without the organisation’s involvement.

When could we be a joint controller?

Joint controllership is when two or more organisations make decisions about the purposes and means of the processing. Organisations are not joint controllers if they are processing the same information for different purposes.

If your processing involves multiple organisations, you should take the time to assess and document the status of each organisation you work with covering all your personal information processing activities.

If you and another organisation process for the same or for shared purposes, you are joint controllers. Joint controllership does not necessarily mean each controller has equal responsibility, or that each is responsible for all of the processing. But you must clearly set out your respective roles and responsibilities for each processing activity and make appropriate arrangements between you. 

What types of decision do processors take?

If you don’t have any purpose of your own for processing the personal information and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the personal information.

For example, where allowed in the contract, processors can make decisions about:

  • the IT systems and methods to process personal information;
  • how to store the personal information;
  • the security measures that will protect it; and
  • how to retrieve, transfer, delete or dispose of it.

How do these roles apply to IoT?

There are likely to be multiple parties who process personal information in the IoT ecosystem contributing to the creation and functioning of IoT products:

  • Device manufacturers who design and develop the IoT product’s hardware or software. They may play a role in determining its overall functionality along with collecting personal information from the product.
  • Application developers who build mobile apps or other software and services to allow people to interact with the IoT product. They may have made decisions about how an app works, what information it collects and how it’s stored or accessed.
  • Software development kit providers whose tools help developers create applications.
  • Operating system providers, whose system software controls the basic functions of a device’s hardware or software and enables applications to run on it.
  • App stores who provide digital marketplaces that allow users to download apps created by developers.
  • IoT platform and cloud providers whose infrastructure helps connect, manage, and integrate IoT devices, data, and applications.
  • Organisations that produce or provide other IoT products and online services.

In some instances, one organisation may be responsible for the decisions about the design and delivery of an IoT product or service (eg if the same organisation manufactures the devices and the related apps that go with them). If so, only that organisation is the controller for the personal information that the product or service processes. 

However, in practice, the IoT ecosystem can be complex. Many processing activities in IoT products and services are likely to involve more than one organisation. A manufacturer might build the product and then engage a specialist developer to design the associated mobile app. An app developer might outsource some of the processing to another organisation or enable data access by other organisations (eg ad networks or other third parties via an SDK).

So if your IoT processing involves different types of commercial and technical arrangement with different entities, you must establish the respective responsibilities of each, taking into account:

  • the specific circumstances of the processing involved; and
  • the processing activities for which each party determines the purposes and means (whether alone or in combination).

In practice, this requires a case-by-case assessment depending on the processing activities. We’ve provided some examples below that show which roles may apply in practice.

A controller is any party that exerts sufficient influence to have a tangible impact on the decisions about purposes and means. This can range from high-level oversight of the processing activities through to detailed design.

Example

An organisation builds a proprietary network where its IoT devices, software and platforms are designed to work only with each other. 

The organisation controls everything, from the design of the IoT product through to what information it collects and restricts access by third parties to its ecosystem.    

This means the organisation makes decisions about how and why the processing activities, such as collecting personal information directly from their users or through products’ sensors take place. The organisation is a controller for that processing.

Joint controllers make common decisions when all organisations jointly determine the purposes and means of processing activities.

Example 

To make their IoT products connect and interact with each other, Entity A and Entity B decide to share the personal information of their users and other information. Both entities decide together what categories of information will flow between their products, such as user account information, IP addresses, device identifiers and metadata. 

Both entities agree on the exact scope of shared information and on the purpose of sharing it to make their products interoperable.

Together, Entity A and Entity B jointly determine the purposes and means of this processing. The decision about what information to use and why is a common decision, meaning both Entity A and Entity B are joint controllers. 

Joint controllers make converging decisions when two or more organisations make decisions about different aspects of the processing in ways that complement each other. The processing couldn’t take place without the involvement of each one.  

Example

Entity A and Entity B each develop, manufacture and sell IoT products. Information is processed about user interactions with both products for device control and automation. Each product provides event notifications to users and transmits information about their behavioural patterns and status updates to the manufacturers.  

Entity A determines which categories of user interaction data its product collects (such as automation triggers or motion events).

Entity B determines how the interaction data from Entity A’s product is subsequently processed, stored and used to operate cross-device features.

Entity A and Entity B make different decisions. Each one influences the use of personal information for the purpose of delivering cross-device automation. The processing for this purpose could not take place without the influence of both entities. 

Entity A and Entity B make different but converging decisions. And as both parties jointly determine the purpose and means of the processing activities, Entity A and Entity B are joint controllers.

Where two or more organisations process the same personal information for their own purposes, they aren’t joint controllers. 

Example

Entities A and B sell their own IoT products. Each device collects personal information about the users of the product for different purposes.

As Entity A determines the purposes and means of the processing its product carries out, it is the controller for those activities. Similarly, as Entity B makes these decisions about the processing its product carries out, it is the controller for those activities.

Entity A wants to use the personal information for advertising purposes. This includes mixing, matching or combining this information with that from other sources, including Entity B.

In exchange for a licencing fee (based on parameters specified by Entity A), Entity B agrees to make its users personal information available to Entity A to use for advertising purposes.

Entity A has made an independent decision to use personal information of its own users and those of Entity B for advertising purposes.

Entity B has made an independent decision to share its users personal information with Entity A for this purpose.

Entity A and Entity B have independently determined the purpose and means of the processing of personal information for the separate purposes of advertising (by Entity A) and data sharing (by Entity B).

This means Entities A and B are not joint controllers for these separate processing activities.

Some organisations design and develop products, services and applications that others use in their IoT devices and related systems. These may include things like technical protocols or APIs that either involve or enable the use of personal information.  

This doesn’t automatically mean the producer of the product, service or application makes decisions about the purposes and means of the processing. Whether this is the case in practice depends on the specific circumstances. 

Example

Entity A wants to carry out error checking and reporting for their IoT product to make sure they can deal with any issues or vulnerabilities over time. This involves collecting personal information from the IoT product as well as through its accompanying mobile app. 

To achieve this, Entity A decides to incorporate a third-party telemetry and diagnostics API into the design. Entity B creates the API and makes it available to organisations like Entity A to include in their products.

While Entity B created and designed the API, organisations like Entity A have the most tangible influence on the purposes and means of the processing. This means Entity A is the controller.

However, in instances where organisations cannot configure the API to suit their own preferences, Entity B could be a joint controller. This is the case where they have a tangible impact on decisions made about the purposes and means of the processing by designing the processing operations of the API. 

However, it’s possible for the producer to play a role in the actual processing in other ways.

Example

In addition to the telemetry and diagnostic API, Entity B also offers cloud hosting and analytics services. Organisations who implement the API can use Entity B’s technical expertise to store information in the cloud and carry out analysis for them.

These processing activities involve Entity B using the personal information of Entity A’s users. Provided that Entity B only does this on behalf of Entity A in accordance with their instructions, Entity B is a processor.

In circumstances where Entity B processes personal information of Entity A for its own purposes (eg to create statistics about how well their products are performing), Entity B may be a controller.

Further reading

What do we need to do if children are likely to use our IoT products or services?

Children merit specific protection because they may be less aware of their rights and the risks involved in  processing their personal information. You should think about the need to protect them from the outset and design your systems and processes with this in mind.

Many IoT products and services involve the provision of ‘information society services’ (ISS). An ISS is any service that is normally provided for remuneration, at a distance, by electronic means, at the individual request of a recipient of services. For IoT, examples include products or services:

  • specifically aimed at children (eg a smart toy, a children’s fitness tracker, a children’s virtual reality headset or a children’s smart speaker); and
  • not specifically aimed at children but likely to be accessed by them (eg smart home hub, smart speaker (aimed at the general population) or a smart doorbell). 

If you provide an ISS that children are likely to access, you must take into account the “children’s higher protection matters” duty in article 25 of the UK GDPR. This duty applies when you assess what measures are appropriate for data protection by design. The children’s higher protection matters are:

  • how you can best protect and support children that use your service;
  • the fact that children merit specific protection because they may be less aware of the risks and consequences when you use their personal information, as well as what their rights are; and
  • the fact that children have different needs at different ages and stages of their development. 

This is about incorporating child-friendly design into your products, systems and services from the start. 

The duty applies to the same online services that are in scope of our Children’s code. The code helps you to comply with the data protection principles by setting out specific standards for the design of online services that children are likely to access. If you already conform to the Children’s code, you are likely to comply with the children’s higher protection matters duty. 

Conforming to the code also shows you take children’s privacy seriously and that your services are appropriate for them to use. 

If you provide electronic toys or products that do not connect to the internet, and only store personal information within the product itself, you may not need to conform to the code – for example, if any personal information they process is only stored on the product itself. However, even in cases where you don’t collect information from the devices, you must still follow a data protection by design approach when you make them.

Refer to the Children's code for the complete list of its standards and assess how they apply to your processing. 

Example – Children’s higher protection matters

As part of the provision of its ISS, an organisation offers an augmented reality headset and accompanying mobile app aimed at children over 13 years old. Because children are likely to access the ISS, the ‘children’s higher protection matters’ duty applies. The organisation seeks to comply with this duty by conforming to the Children’s code.

The organisation recognises that its child users have different needs depending on their age. Taking into account the code’s age appropriate application standard, the organisation develops age-based categories for its child users. It tailors the privacy information it provides so it’s suitable for each category.

In line with the code’s default settings standard, the organisation designs the headset, app and related user account feature with age appropriate safeguards and defaults as well as parental supervision tools. It makes account information private by default. The device setup guides the user through setting permissions (eg microphone use, hand tracking), providing clear, child-friendly explanations of what each one does through a mixture of just-in-time prompts, icons, privacy settings and the user interface.

The organisation does not use any of the personal information from user interactions for profiling or targeted advertising.

The parental supervision tools allow parents to set time limits, content filters and report, mute or block social VR. The teen user receives information about what parents can see which supports their autonomy.

 

Providing age-appropriate privacy information

A graphic shows a screen seen by a child over 13 years old on a VR headset. The screen displays in headset onboarding which guides the user through permissions for microphone use with child friendly explanations of what the microphone sensor does and when they are on and off. The user can enable the microphone feature only by opting in. The screen also shows privacy controls being visible and easy to access at all times.

 

Parental control options""

A graphic shows a mobile screen displaying transcripts of conversations on an accompanying app for an AI-enabled plush toy. The app lists all the child user’s interactions with a timestamp, including queries and responses it received from the toy. There are options for parents to either delete interactions and queries individually; all from that day; or older recordings. The app shows a reminder that recordings are stored for 30 days and a link to a setting where they can choose how long they want to store the recordings.

 

Providing options to enable or disable features""

A graphic shows an AI-enabled plush teddy bear. The teddy bear has a round button acting as a physical trigger on its ear that the user needs to press for the toy to start listening to a query. The activity state of the teddy bear is indicated by a colour on the trigger button (grey means that the toy is inactive; purple means the toy is active and listening; and green means the toy is active and talking).

The graphic also shows that the teddy bear has a physical off-switch on the back to manually disable AI-enabled features.

The graphic includes an accompanying mobile app screen showing the current activity state of the toy being set to "On and listening". On the same screen, there are options to stop the toy listening or to turn the toy off completely, in the same way the physical switch on the back of the toy would.

 

Interacting in child-friendly ways""

A graphic shows an interaction between a child and an AI-enabled teddy bear. The child is asking a privacy-related question and the toy communicates privacy information in a child-friendly way through voice interface. The child asks "What do you know about me?" and the toy responds via voice interface, saying "I know your name, I know you're four years old and that you like Batman". The toy further explains in an appropriate way why it knows this information "I know this because I remember what you've asked me and I also know some things from when I was set-up".

 

Autonomy and meaningful control

A graphic shows an interaction between a child and an AI-enabled teddy bear. The child is making a request that would result in them exercising control over their personal information by asking the toy "Don't tell anyone I said that last thing". Because of their age (eg six years old) this level of control and ability to delete queries is not available to them. The toy responds via voice interface in a child-friendly way explaining what happens with the information from their interactions "Don't forget, anything you say to me is put onto the TeddyTalk app. But I won't tell anyone else apart from that". It reminds the child that “Only an adult can make me forget what you said through the TeddyTalk app”.

 

Further reading – ICO guidance

What risks do we need to manage?

Consumer IoT products are often designed for use in the home, where people have the biggest expectation of privacy. For example, they can be used to monitor people’s activities and behaviours, as well as those of their households, friends and family. So, IoT products can reveal information about people continuously and at a large scale. 

You should assess whether you need to process personal information from your IoT product. You must also decide how long it is necessary to keep people’s personal information. If you decide to collect and store it, you must ensure you protect it with appropriate measures.

This is not meant to be a comprehensive guide to all the risks to people’s rights and freedoms associated with the processing of personal information by IoT products and services. However, potential risks may arise from:

  • extensive and intrusive tracking and profiling, eg of people’s locations and behaviours;
  • lack of control and information asymmetry;
  • use of IoT products by multiple users with limited controls available for all of them;
  • inadequate security and the possibility of personal data breaches; and
  • unclear roles in the IoT supply chain, meaning different organisations don’t assign responsibilities correctly.  

Many IoT products process special category health and biometric data as well as data about users’ location. They may also be designed to create personalised experiences for their users, giving them many benefits. However, if you don’t follow a data protection by design and by default approach, your processing can lead to harms. 

The harm can include people feeling they’ve lost control over their personal information. In some cases, this can lead to psychological distress (such as anxiety, anger, shame, fear and sadness). The knock-on effect of psychological distress often results in physical as well as financial harm. Children may be especially susceptible to psychological harm from information revealing details about their preferences and personalities. People may lose trust in how their IoT products process personal information. This can lead to a chilling effect when people don’t turn on the smart features. 

The feeling of losing control may be accentuated when multiple users use an IoT product but they don’t have the same level of control over how it processes their personal information. Users who don’t have an account for the IoT product or are not the main user may find it difficult to get the relevant privacy information about the processing of their information, or to make choices or exercise their rights. In some cases, the lack of appropriate controls and transparency can enable misuse of IoT products for domestic abuse and stalking.

If people don’t know how to exercise their rights, products may be sold on the secondary market or passed to others with the original owner’s personal information. This, in turn, can lead to more harm.

Personal data breaches relating to IoT products can often lead to financial or even physical harms. For example, people may become victims of fraud if their IoT product is hacked, or their home may be burgled if their smart lock’s security is breached. 

Personal information from IoT products is shared with many third parties because of the complex supply chain that is involved in creating and running IoT products. This complexity increases the risk that people will lose control over their personal information and experience unwarranted intrusion into their lives. 

Do we need to do a data protection impact assessment (DPIA)?

A DPIA is a tool you can use to identify and reduce the data protection risks of your processing activities. It can also help you design more efficient and effective processes for handling personal information.

DPIAs can determine the type of technical and organisational measures you need to ensure your processing complies with the data protection principles.

You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. You must screen for factors that point to the potential for widespread or serious effects on people.

Three types of processing always require a DPIA:

  • systematic and extensive profiling on which significant decisions are based;
  • large-scale use of special category data; and
  • large-scale monitoring of publicly accessible areas. 

We have published a list of processing operations where we have assessed there is likely to be a high risk and you must do a DPIA. You can find the full list in the DPIA guidance.

Most processing involving IoT products is likely to result in a high risk. This is because IoT products are often part of people’s private lives, processing information of a highly personal nature – for example, about their households, location, health, physiology, daily habits and relationships. This means that in most cases you must do a DPIA.  

Also, if you offer your IoT product or service to children, you must do a DPIA. Processing children’s information in this context is likely to result in a high risk, so is included on our list of processing operations that require a DPIA. If children are likely to access the product or service, you should refer to the Children’s code for information about conducting a DPIA. 

Read our guidance on DPIAs for more detail on when and how you should write one. 

The severity of harms that may arise may be greater than in other processing contexts. This is because of the volume and sensitivity of the personal information IoT products can process. 

Further reading

How do we apply a data protection by design and default approach?

You must adopt a data protection by design and default approach. This means you must consider data protection and privacy issues upfront at the design stage and throughout the lifecycle of your IoT product and any associated service.

Data protection by design means you must put appropriate technical and organisational measures in place to implement the data protection principles effectively and safeguard people’s rights.

To do this, you should address each stage of your product’s lifecycle and, where relevant, ask yourself the following questions.

Planning, research and design of an IoT product

  • Do you need to use personal information?
  • What is the minimum personal information you need for your product to function?
  • What permissions do you need to request for your product to function? Are you requesting only the minimum permissions you need?
  • Have you identified the most appropriate lawful basis for your processing?
  • Do you need to use special category data? What alternatives have you considered? Can you achieve your purpose in a less intrusive way?
  • Do you need to use profiling or automated decision-making?
  • Are you deploying generative AI models? If you are reusing personal information from your IoT product for training generative AI, have you considered whether your original purpose for collecting it is still compatible with the purpose of training the model? Do you need to find a new lawful basis to process personal information for a new purpose?
  • Have you considered if children are likely to use your product? Have you considered what is in the best interest of a child? Have you made arrangements to process only the minimum personal information about children? Are you able to comply with the Children’s code?
  • Are multiple users likely to use your product? How will you give them choices about their personal information?
  • If you don’t intend for multiple users to use your product, how are you going to prevent or minimise processing their personal information?
  • Have you considered what controls you may need in place if your product is sold on the secondary market or passed on?
  • Will your product involve working with any partner organisations? Have you established their roles (eg controllers, joint controllers or processors)? What do you know about their own compliance and what due-diligence checks will you make?
  • Are there any privacy-enhancing technologies (PETs) that could help you comply with your data protection by design obligations?
  • What risks could your users face from using your IoT product? What steps will you take to prevent your product harming people?
  • How will you embed data protection into your business model?
  • What security measures will provide appropriate protection for the information your product processes?
  • How will you enable people to exercise their rights? How can you do this for multiple users?
  • Have you consulted all relevant internal stakeholders, such as your legal team, designers, cybersecurity specialists, software developers and your DPO before launching the product? 

Launch of an IoT product 

  • Does your product offer strong privacy defaults, user-friendly options and controls, and respect user preferences?
  • Do you give people tools so they have meaningful control over how you use their personal information?
  • Do your communications use clear and plain language so your users can understand what you intend to do with their personal information?
  • Have you planned what to do if the launch leads to the processing of personal information you didn’t intend?
  • Is your customer support team able to respond to customer feedback after the launch? 

Post-launch of an IoT product

  • Are you monitoring for any potential privacy issues? Do you have policies in place for remedial action, and sufficient resources to carry it out?
  • Are you regularly updating your product with security patches to respond to new threats and vulnerabilities?
  • Are you aware of people using your product after launch in ways you didn’t expect? Have you planned how you’ll manage any emerging privacy implications?
  • Are you planning to release any updates for the product that may change how people’s information is used? Have you assessed if people’s expectations for privacy would change because of the update before doing so? Do you need to reconsider your lawful basis?

Our guidance on privacy in the product design lifecycle includes more detail on considerations for each phase of a product lifecycle. 

If your product is aimed at children or likely to be accessed by them, your IoT product’s settings must be set to ‘high privacy’ by default. You should collect and retain only the minimum personal information you need to provide the elements of your IoT product. You should refer to the Children’s code for a full list of what to consider. 

Further reading – ICO guidance

Data protection by design and by default