How do we ensure security of personal information in IoT?

You must process personal information in a way that ensures appropriate security and protection against unauthorised or unlawful processing (among other things). 

This means you must apply appropriate security measures to your IoT products and services when you process personal information. This includes both technical measures for your product and ensuring you have appropriate organisational measures in place.

You should determine what these measures are by carrying out a risk analysis that considers:

  • the circumstances of your processing and the likely security threats you may face;
  • the harm that may arise if the personal information is compromised; and
  • what forms of attack your product and its associated services may be vulnerable to.

What’s ‘appropriate’ is likely to differ depending on the type of IoT product, its functions, and the nature of the personal information you process. 

For example, different measures may be needed for things like:

  • special category information (eg biometric and health data);
  • information of a highly personal nature to your users (eg home automation products that could build up a detailed picture of their private lives); and
  • personal information about children. 

The security risk profile of your IoT product may be affected by whether the processing happens on the device or elsewhere, for example on external servers. Processing on the IoT product may need different security measures in place than when the processing occurs in the cloud.  

You should also consider situations where your users’ safety may depend on the security of your IoT product. For instance, a smart lock with compromised security could be a threat to your users’ physical safety. 

What measures do we need to consider?

Your risk assessment will indicate what measures may be appropriate. Beyond this, industry standards for IoT may help you define appropriate security measures for your IoT product. 

Your IoT product may be subject to other legal requirements specified in separate legislation. One example is the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI Regulations), in force since 29 April 2024. These apply to manufacturers of connectable products like IoT devices, and have specific obligations about:

  • passwords;
  • vulnerability disclosures; and
  • minimum security update periods. 

In such instances, these requirements are additional and separate to the data protection requirements specified in the UK GDPR. While they don’t automatically equate to compliance with the security principle, they nevertheless may comprise appropriate measures that we would expect in the security context. Where the PSTI Regulations do apply, we may take their requirements into account if there is a security incident.

You may consider the following measures, depending on your circumstances.

Passwords

While passwords are a common security measure, you should consider whether they are appropriate for your particular circumstances. 

Passwords carry well-known risks. A long, hard-to-guess password resists brute-force and dictionary attacks, but only if it is not reused elsewhere: a password that has already appeared in a breach is weak however complex it looks. There is also a risk that if you require over-complex passwords, people will bypass the security measure, write them down, or repeatedly request a password reset.

If you choose to use passwords for your IoT products, you must ensure you have a policy in place to govern how you set them up. You should also enforce an appropriate level of complexity and prevent the use of common, easily guessed passwords. This will help you avoid allowing your users to set weak or already compromised passwords. 

If the PSTI Regulations apply to you, your passwords have to be:

  • unique per product; or
  • defined by the user.
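The checks described above (blocking common or already compromised passwords, enforcing a minimum level of complexity, and making sure factory defaults are unique per product) can be turned into a small policy routine. The following is an added example, not code from the ICO guidance or from any vendor; the blocklist, the 12-character minimum and the serial-number and counter checks are assumptions for illustration, the latter two going beyond the page's summary of the PSTI requirement:

```python
import re
from collections import Counter

# Constructed stand-in for a list of common or previously breached passwords.
# In production this would be a large blocklist (e.g. from a breach corpus), not six entries.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # assumed policy value; the guidance leaves the exact figure to your risk assessment


def check_user_password(password, blocklist=COMMON_PASSWORDS):
    """Return the list of policy failures for a user-chosen password (empty list means accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in blocklist:
        problems.append("appears in the common/compromised password list")
    # Catch "password1!"-style variants: strip everything but letters and re-check the blocklist.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only != lowered and letters_only in blocklist:
        problems.append("is a common password with digits or symbols added")
    if len(set(password)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def check_default_passwords(device_passwords):
    """Check a batch of factory-default passwords, keyed by device serial number.

    Flags passwords shared between devices (not unique per product), passwords that contain
    the serial number, and batches whose passwords end in an incrementing counter. The last
    two checks are assumptions added here as good practice, not a restatement of the page.
    """
    problems = []
    shared = sorted(pw for pw, n in Counter(device_passwords.values()).items() if n > 1)
    if shared:
        problems.append(f"default password shared by several devices: {shared}")
    for serial, pw in device_passwords.items():
        if serial.lower() in pw.lower():
            problems.append(f"{serial}: default password contains the serial number")
    tails = sorted(
        int(m.group(1)) for m in (re.search(r"(\d+)$", pw) for pw in device_passwords.values()) if m
    )
    if len(tails) >= 3 and all(b - a == 1 for a, b in zip(tails, tails[1:])):
        problems.append("default passwords end in an incrementing counter")
    return problems


if __name__ == "__main__":
    print(check_user_password("password1!"))
    print(check_default_passwords({"SN001": "Device-1001", "SN002": "Device-1002", "SN003": "Device-1003"}))
```

The batch check is the one to run on the manufacturing line before devices ship: a counter-derived default is unique per device on paper, yet trivially predictable from a neighbour's sticker.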

You could consider alternative ways of authenticating, such as passkeys and biometric verification. These may provide a more seamless experience for users while still providing security. 

Multifactor authentication

You may need to authenticate users of your IoT product to ensure it is protected against unauthorised access. You should implement multifactor authentication wherever it is possible to do so. 

Multifactor authentication provides another layer of security for your IoT products. Using a password only, even a strong one, may not provide sufficient security against more sophisticated attacks such as phishing or credential stuffing. Many IoT products lack interfaces that would allow users to log in to them directly and may need other types of evidence to authenticate the user.

Security updates

You must provide regular security updates for your IoT products. Where possible, you should enable your IoT product to operate during a security update. You should make clear how security updates can be installed – whether this is automatically over-the-air or manually. 

If an IoT product can’t be automatically updated, you must give users the option to update it manually. If it’s not possible to update the product automatically or manually, you should inform users that they should remove the IoT product from the network. 

Remember, you must ensure that the measures you take provide ongoing security for your IoT product and any associated systems and services throughout its envisaged lifecycle.

You should tell your users how long you will provide security updates. Remember, if the PSTI Regulations apply to you, you have to provide this information. 

Vulnerability disclosure policy

You should have a vulnerability disclosure policy and make it publicly available. You should include contact information in the policy so your users can report issues. You could also include basic information about any timelines for initial acknowledgement of any reports and how you will provide status updates until you resolve the reported issue.

Again, if you have to comply with the PSTI Regulations, having a vulnerability disclosure policy is a legal requirement for you.

Software integrity

You should verify the integrity of the IoT product’s software using secure boot mechanisms, so that if an unauthorised change to the software is detected, the device alerts the user and does not connect to wider networks beyond those needed to perform the alerting function.

Monitoring

You could also monitor your IoT products and services for any security anomalies or flaws – for example, telemetry information that can allow you to identify unusual circumstances early and deal with them. This minimises security risk and allows you to resolve problems quickly.

If you collect information for this purpose, you must do so fairly, lawfully and transparently. You must also pay particular attention to the principles of purpose limitation and data minimisation. For example, only collect the minimum information you need and only use it for security purposes.
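One way to reconcile monitoring with data minimisation is to strip telemetry down to what the detection actually needs before it leaves the device, and run the anomaly logic on that reduced record. The following is an added example, not code from the ICO guidance or from any product: the telemetry events are constructed, the pseudonymisation secret (PEPPER), the /24 truncation and the five-failures-in-sixty-seconds rule are assumptions chosen for illustration.

```python
import hashlib
from collections import deque

# Constructed telemetry as a device might report it before minimisation. The user's email and
# GPS position are not needed to spot a brute-force attempt, so they never leave the device below.
RAW_EVENTS = [
    {"t": 100, "device_id": "cam-7f3a", "event": "auth_fail", "user": "alice@example.com", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 104, "device_id": "cam-7f3a", "event": "auth_fail", "user": "alice@example.com", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 107, "device_id": "cam-7f3a", "event": "auth_fail", "user": "admin", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 111, "device_id": "cam-7f3a", "event": "auth_fail", "user": "root", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 115, "device_id": "cam-7f3a", "event": "auth_fail", "user": "guest", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 118, "device_id": "cam-7f3a", "event": "auth_ok", "user": "alice@example.com", "ip": "203.0.113.9", "gps": "51.50,-0.12"},
    {"t": 30, "device_id": "lock-2b9e", "event": "auth_fail", "user": "bob@example.com", "ip": "198.51.100.4", "gps": "53.48,-2.24"},
    {"t": 900, "device_id": "lock-2b9e", "event": "auth_fail", "user": "bob@example.com", "ip": "198.51.100.4", "gps": "53.48,-2.24"},
]

# Assumed per-deployment secret ("pepper") so device pseudonyms cannot be recomputed from public ids.
# In production it lives in a secret store, not in source.
PEPPER = b"constructed-example-pepper"


def pseudonym(device_id):
    """Keyed hash of the device id: stable enough to correlate events, not reversible to the id."""
    return hashlib.sha256(PEPPER + device_id.encode()).hexdigest()[:16]


def ip_prefix(ip):
    """Keep only the /24 network of an IPv4 address: enough to group a source, less than a full address."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def minimise(event):
    """Drop everything the security purpose does not need (user identity, location, exact IP)."""
    return {
        "t": event["t"],
        "device": pseudonym(event["device_id"]),
        "event": event["event"],
        "src": ip_prefix(event["ip"]),
    }


def detect_bruteforce(events, window=60, threshold=5):
    """Return pseudonymised device ids with at least `threshold` auth failures inside any `window` seconds."""
    flagged = set()
    recent = {}  # device pseudonym -> timestamps of recent failures (sliding window)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["event"] != "auth_fail":
            continue
        q = recent.setdefault(ev["device"], deque())
        q.append(ev["t"])
        while ev["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["device"])
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce([minimise(e) for e in RAW_EVENTS]))
```

Because the detector only ever sees the minimised records, the retention question is also simpler: what is stored for security purposes is a pseudonym, an event type, a timestamp and a network prefix, and nothing else.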

To maintain security of personal information throughout the whole IoT product lifecycle, you should have tools and processes in place to enable the deletion of personal information. 

Encryption 

The UK GDPR includes encryption as an example of an appropriate technical measure. It is a well-established and widely deployed technology that you can implement relatively easily, although the protection it provides depends on managing the keys securely.

So, you should assess the points in your IoT product’s lifecycle where encryption may mitigate any risks your processing poses. 

It’s likely that your product will both store and transfer personal information, and you should implement encryption in both cases.

When evaluating whether encryption can mitigate any risks you identify, you should consider:

  • the sensitivity of the information you are processing – if your IoT product processes special category information or things like location data, your risk profile may be higher;
  • the harms that may arise if personal information is subject to unlawful or unauthorised access;
  • the data flows in your IoT product’s overall ecosystem; and
  • where this personal information will be stored (eg on the IoT product or in the cloud). 

You should ensure that your IoT product supports secure firmware updates to patch vulnerabilities and update encryption algorithms as needed. 

For products that you no longer provide updates for, you should ensure that the product’s intended lifetime does not exceed the recommended usage lifetime of the cryptographic algorithms it uses. 

Examples of personal information in IoT products that may benefit from encryption include:

  • authentication information (eg passwords, encryption keys);
  • device identifiers;
  • names, addresses, timestamped location data, phone numbers, and email addresses;
  • payment details where present;
  • biometric data (eg voice recordings, facial recognition data, and fingerprints);
  • data collected from smart health devices like smart scales or fitness trackers;
  • recordings and video streams (eg from smart security cameras or voice assistants); and
  • content of any communications data.

You should also be aware of any industry or sector-specific guidance or advice that includes content about encryption. While following these may not specifically guarantee UK GDPR compliance, we may take them into account in the event of any incident.

Example

ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) contains a number of security-related provisions that reference encryption. These include the use of:

  • best-practice cryptography to communicate securely;
  • reviewed or evaluated security functionalities;
  • updateable cryptographic algorithms;
  • device authentication requirements; and
  • in-transit encryption.

Read our guidance on encryption for more detail.  

Can PETs help us with our data protection compliance?

Yes. You should consider using privacy-enhancing technologies (PETs) in your IoT product, as these can help you demonstrate compliance with the security principle.

But you must still:

  • have appropriate organisational measures in place to keep information secure, such as regular testing; and
  • review your security measures to ensure they remain effective.

PETs can help you meet other data protection obligations too, like the requirements around data protection by design and by default. For example, PETs that limit the amount of personal information you process can help you demonstrate compliance with the data minimisation principle.

The table below, presented here as a list, describes a number of PETs, the risks they may mitigate for IoT applications, and suitable and unsuitable IoT use cases for each.

Differential privacy

  • Description: a statistical technique that protects the privacy of people in a dataset by adding noise to the data. Useful for allowing databases to be queried without releasing information about individuals, and for complying with the purpose limitation principle.
  • Suitable IoT processing activities: statistical data analysis and data sharing; applications where aggregate data is used.
  • Unsuitable IoT processing activities: real-time decision-making processes, because noise addition can reduce accuracy; use on IoT products with limited processing power, memory, battery life, weak wireless range or similar.

Secure multiparty computation

  • Description: a cryptographic method allowing parties to jointly compute a function over their inputs while keeping those inputs private. Useful for compliance with data minimisation requirements and the security principle.
  • Suitable IoT processing activities: collaborative data analysis and cross-organisational computation; ideal for scenarios requiring collaboration without exposing individual data.
  • Unsuitable IoT processing activities: applications requiring fast processing speeds or time-sensitive processes, due to computational intensity; use on IoT products with limited processing power, memory, battery life, weak wireless range or similar.

Zero knowledge proofs

  • Description: a cryptographic method by which one party can prove to another that a statement is true without conveying any information beyond the fact that it is true. Useful for compliance with data minimisation requirements and the security principle.
  • Suitable IoT processing activities: identity verification and access control; best for scenarios where verification without data exposure is critical.
  • Unsuitable IoT processing activities: high-volume or low-latency data exchanges, since proofs are not efficient for high-volume data due to computational intensity; use on IoT products with limited processing power, memory, battery life, weak wireless range or similar.

Federated learning

  • Description: a machine-learning approach where a model is trained across multiple decentralised devices holding local data samples, without exchanging those samples. Useful for compliance with data minimisation requirements and, when combined with other PETs, the security principle.
  • Suitable IoT processing activities: predictive modelling and privacy-preserving analytics; suitable for decentralised data environments.
  • Unsuitable IoT processing activities: scenarios requiring immediate data centralisation or real-time, centralised data analysis; use on IoT products with limited processing power, memory, battery life, weak wireless range or similar.

Synthetic data

  • Description: artificially generated data that mimics the statistical properties of real datasets. Useful for compliance with data minimisation requirements and the purpose limitation principle.
  • Suitable IoT processing activities: testing and development, and training AI models; useful where real data is sensitive or not available.
  • Unsuitable IoT processing activities: applications requiring precise, real-world data accuracy, where high fidelity to actual data is critical.

Homomorphic encryption

  • Description: a form of encryption allowing computation on ciphertexts, producing an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext. Useful for compliance with the principles of accuracy and security.
  • Suitable IoT processing activities: secure data processing and encrypted data analysis.
  • Unsuitable IoT processing activities: scenarios requiring low computational overhead; use on IoT products with limited processing power, memory, battery life, weak wireless range or similar, as it is not practical where computational resources are limited because of its high processing demand.

Trusted execution environment

  • Description: a secure area of a main processor that protects the confidentiality and integrity of the code and data loaded inside it. Useful for compliance with the accountability and security principles.
  • Suitable IoT processing activities: secure data processing and IoT device security; excellent for securing sensitive operations on IoT devices.
  • Unsuitable IoT processing activities: general-purpose computing environments, as it adds considerable cost to lightweight IoT devices; applications that do not require hardware-based security measures.
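The differential privacy entry above says noise is added to protect individuals and that this costs accuracy. The following added example (not code from the ICO guidance or from any library) makes that trade-off concrete with the Laplace mechanism on constructed fitness-tracker step counts: the noise scale is sensitivity divided by the privacy budget epsilon, so a count over a whole fleet tolerates the noise while a decision about a single device does not. The step counts, the clamping range [0, 20000] and the choice to treat the number of users as public are assumptions for illustration.

```python
import math
import random

# Constructed daily step counts from ten fitness trackers (one value per person).
STEP_COUNTS = [8234, 12045, 3901, 15320, 7644, 9980, 11203, 6433, 10877, 5010]


def laplace_scale(sensitivity, epsilon):
    """Laplace mechanism noise scale b = sensitivity / epsilon.

    Sensitivity is the most one person's data can change the query result;
    epsilon is the privacy budget (smaller epsilon = stronger privacy = more noise)."""
    return sensitivity / epsilon


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverse CDF. rng is a random.Random so runs are reproducible."""
    u = rng.random() - 0.5
    u = max(min(u, 0.5 - 1e-12), -0.5 + 1e-12)  # keep the log() argument strictly positive
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count_above(values, threshold, epsilon, seed=None):
    """Noisy count of people above `threshold`. One person changes a count by at most 1, so sensitivity = 1."""
    true_count = sum(1 for v in values if v > threshold)
    return true_count + laplace_sample(laplace_scale(1, epsilon), random.Random(seed))


def dp_mean(values, lower, upper, epsilon, seed=None):
    """Noisy mean with each value clamped to [lower, upper].

    Clamping bounds one person's influence on the sum to (upper - lower), which is the
    sensitivity used for the noise. The number of people n is treated as public here,
    an assumption made for this example."""
    n = len(values)
    clamped = [min(max(v, lower), upper) for v in values]
    noisy_sum = sum(clamped) + laplace_sample(laplace_scale(upper - lower, epsilon), random.Random(seed))
    return noisy_sum / n


def expected_abs_error(scale):
    """Mean absolute error of the Laplace mechanism equals its scale. Compare it with the size of the
    true answer to decide whether the noisy result is still usable for the purpose at hand."""
    return scale


if __name__ == "__main__":
    print("people over 10,000 steps:", round(dp_count_above(STEP_COUNTS, 10000, 1.0, seed=2024), 1))
    print("mean steps:", round(dp_mean(STEP_COUNTS, 0, 20000, 1.0, seed=2024)))
    # Expected error of about 10 on a count of 4 people: useless for a per-device decision,
    # negligible on a count over tens of thousands of devices.
    print("expected error on a count at epsilon=0.1:", expected_abs_error(laplace_scale(1, 0.1)))
```

Two practical points follow from the scale formula: every additional query on the same data spends more of the budget, so a device that reports a fresh noisy value every second either burns through epsilon or adds so much noise that the value is useless, which is why the list marks real-time decision-making as unsuitable; and the clamping range in dp_mean must be fixed before looking at the data, because choosing it from the data leaks information.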