3 April 2018
Forbes.com describes the “Internet of Things” as “the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other)”. Examples of this include:
According to popular belief, the use of Internet of Things devices is expected to become only more pervasive with time, with the concept of smart cities and smart homes rising in popularity.
From a data protection and security perspective, some risks may be present when using Internet of Things devices, such as the following:
Due to the fact that sensitive information is often shared by Internet of Things devices, it is important to consider whether the convenience brought about by their use justifies the risks inherent therein.
It is also important for Internet of Things devices to comply with the law. The Protection of Personal Information Act No. 4 of 2013 (“POPI”) has been signed into law and will be effective soon. POPI regulates the processing of personal information in a manner that gives effect to the right to privacy.
POPI requires that businesses making Internet of Things devices take appropriate, reasonable, technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, personal information as well as unlawful access to, or collection, retention, dissemination or use of personal information. In doing so, businesses must:
Businesses manufacturing Internet of Things devices have a duty to have due regard to generally accepted information security practices and procedures which may apply to them generally or which are required in terms of specific industry or professional rules and regulations which may be applicable to them.
Additionally, where there has been a known data breach or if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the business must notify the Information Regulator and any party whose information was so accessed or acquired.
It is clear that the law requires security to be built into Internet of Things devices as well as into software applications and network connections that link to the devices. To overlook this could result in severe penalties being imposed on the business in terms of POPI.