sommai - Fotolia

Venture capital will drive IoT security and privacy, says data protection lawyer

Privacy is a prominent issue in developing applications for the internet of things (IoT) – but investors will insist on safeguards, says data law firm Kemp Little

Venture capitalists will help drive better security and privacy in developing applications for the internet of things (IoT), according to Nicola Fulford, head of data privacy and protection at law firm Kemp Little.

Despite the desire of business developers to push products to market as quickly as possible – and the temptation to sell the data collected – she believes investors will insist on safeguards and restrictions.

“They will want to protect their investment and will insist on best, or at least good-enough, security and privacy to minimise risk to brand reputation,” Fulford told Computer Weekly.

“We are seeing investors pay more attention to these issues as part of their due diligence processes,” she said, adding that companies are also paying more attention to risks to reputation.

Clarity over data management

Privacy is typically one of the biggest issues companies developing IoT-related products need to manage, to ensure that there is no interference with users’ lives; that users are not put in a vulnerable position; and that no privacy laws are contravened.  

“During the planning stages, companies or developers need to be very clear on what data they need to collect, how they plan to use it and how they will communicate those things to users,” said Fulford.

Read more about the internet of things (IoT) and security

Issues that need to be considered include mechanisms for obtaining consent from users about what data can be collected and how it can be used or shared; where data will be stored and whether that complies with EU data protection legislation; and how securely the data is stored and how access to that data is controlled.

Startups and smaller companies might focus more on speed to market than privacy and security, she said, but the more they grow, the more attention they are likely to pay to protecting the brand.

EU data protection law

Fulford expects the forthcoming European General Data Protection Regulation (GDPR) to drive better security and privacy in the IoT – either directly or indirectly, through investors and users.

The GDPR is likely to affect most IoT-related devices and services, because it will widen the scope of private data to include things such as internet protocol (IP) addresses. It will also increase obligations and responsibilities on data processors, to make it more difficult to transfer the risk.

“At the very least, fines for breaching the coming data protection laws will attract of 2% of annual global turnover, which will make most companies stop and think,” Fulford said.

While agreeing that the “cool factor” could sway consumers into overlooking security and privacy risk – despite the rising level of awareness of these issues driven, in part, by the GDPR – she said consumer watchdogs will keep an eye on IoT-related privacy issues.

Organisations' risk awareness

Like investors, company boards are increasingly concerned about leaking personal data, said Fulford – especially in the wake of the substantial data breach at Sony Pictures, in late 2014.

“Security is crucial with IoT-related devices and services, because the data collected could be gold dust to criminals, if they were able to get their hands on it,” she said.

While individual entrepreneurs seeking to tap into the IoT market will lack the legal support large, established firms have, they still need to be aware of the risks.

“A simple test they can and should apply is to ask themselves whether they would be happy for the people closest to them to use the product or service they are developing,” said Fulford.

“Developers should keep adding security and privacy safeguards until their new product or service passes this simple test of keeping the end user safe,” she said. 


Read more on Privacy and data protection