Government to strengthen security of internet-connected products

Government to strengthen security of internet-connected products

New legislation to improve security standards of internet-connected household devices

new law will protect millions of users of internet-connected household items from the threat of cyber hacks, Digital Minister Matt Warman announced today.

The plans, drawn up by the Department for Digital, Culture, Media and Sport (DCMS), will make sure all consumer smart devices sold in the UK adhere to the three rigorous security requirements for the Internet of Things (IoT).

These are:

  • All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online

The sale of connected devices is on the rise. Research suggests there will be 75 billion internet connected devices, such as televisions, cameras, home assistants and their associated services, in homes around the world by the end of 2025.

Digital Minister Matt Warman said:

We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.

Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.

It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.

The measures were developed in conjunction with the business industry and the National Cyber Security Centre and set a new standard for best practice requirements for companies that manufacture and sell consumer smart devices or products.

Following on from the consultation, Government’s ambition is to further develop legislation that effectively protects consumers, is implementable by industry and supports the long term growth of the IoT. Government aims to deliver this legislation as soon as possible.

Nicola Hudson, Policy and Communications Director at the NCSC, said:

Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed.

It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.

This follows the government’s voluntary Secure by Design Code of Practice for consumer IoT security launched in 2018. The Code advocates for stronger cyber security measures to be built into smart products at the design stage, and has already been backed by Centrica Hive, HP Inc Geo and more recently Panasonic.

The Government is working with international partners to ensure that the guidelines drive a consistent, global approach to IoT security. This includes a partnership with standards bodies. In February 2019 the European Standards organisation published the first globally-applicable industry standard on consumer IoT security, which is based on the UK Government’s Code of Practice.

Matthew Evans, director of markets, techUK said:

Consumer IoT devices can deliver real benefits to individuals and society but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. techUK is therefore supportive of the Government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage.

techUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.

We look forward to working closely with Government and industry to ensure the implementation of the legislation provides protection for consumers whilst continuing to promote innovation within the IoT sector.

John Moor, Managing Director, IoT Security Foundation said:

Over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cybersecurity protection. Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet, after a thorough and robust consultation, those baseline requirements have now been universally agreed.

Published 27 January 2020


Department for Digital, Culture, Media & SportNational Cyber Security Centre, and Matt Warman MP

What are Special Categories of Personal Data under the GDPR?

The GDPR identifies certain types of personal data as ‘special categories’ of personal data meriting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. These are ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.

Genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’.

Additional guidance is also given on the meaning of data that relates to health, a phrase clearly meant to be given a broad interpretation. It means personal data ‘related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status’ and includes ‘all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject’, including:

Continue reading


What are the actual Obligations of Data Processors?

If you’ve been following the latest data protection news, you might have heard that under the GDPR, you can be either a data controller or a data processor.

A “Controller’ is defined in the Regulation as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

On the other hand the Regulation defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

But the GDPR puts almost all the emphasis of enforcement on data controllers. So; what does a data processor have to do in terms of their obligations? They clearly have a very important role, even if it might not seem that way in purely legal terms.

Well, don’t fear; the info you crave is here.

Continue reading

gdpr how it applies to the cloud London Cyber Major

GDPR - How does it apply to the cloud?

The cloud. It’s all the rage with technology companies nowadays, and for good reason.

‘Cloud computing’ refers to the provision of information technology services over the Internet.

These services may be provided by a company for its users in a ‘private cloud’ or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage.

Continue reading

Data_Processor_Data_Controller_GPDR_Cyber Major_London

Data Controller? Data Processor? What’s the difference?

The concepts of the “data controller” and “data processor” were established by the 1995 EU Data Protection Directive and remain fundamentally similar under the GDPR. This does not mean they are straightforward or mutually exclusive.

In practice, the application of these concepts has become increasingly complex due to the evolving nature of the business environment, the increased sophistication of outsourcing, and the growing tendency of organisations to centralise IT systems. However, they remain key for determining the allocation of legal obligations under the GDPR, which is essential for protecting the rights and freedoms of data subjects.

A data controller is the natural or legal person or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In other words, the data controller is the key decision maker with regards to personal data.

Continue reading

Get in Touch

  • Phone
    0207 458 4088
  • Email
    This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Address
    40 Bank Street, Canary Wharf
    London, E14 5NR