Edition #20 - Data Security: The Product Risk You Can’t Afford to Ignore in 2026

When most business leaders think about product risk, they think about physical safety, performance failures, or market acceptance. But there’s another risk that’s quickly climbing to the top of the priority list: data security.
Whether you manufacture smart devices, children’s safety monitors, wearable tech, or even seemingly simple connected tools, your product may be collecting, transmitting, or storing personal data. That means you’re now also in the data protection business.

Many countries and regions around the world are introducing regulations related to data protection. For example, in the EU, the GDPR (General Data Protection Regulation) applies to all businesses that collect data from EU residents. In 2023 alone, breaches of the GDPR resulted in over €1 billion in fines.

Under GDPR, your business is responsible for:

• Notifying authorities within 72 hours of a personal data breach
• Providing full transparency to users about how their data is used
• Deleting data when no longer needed, or if a user revokes consent
• Obtaining clear, freely given consent, especially from users under 16
• Documenting risk assessments and ensuring data is processed lawfully
  

Failure to comply can cost you up to 2% of your global annual turnover.

On the 1 August 2025, the new EU cybersecurity standards (EN 18031 series) became mandatory under the Radio Equipment Directive (RED). These regulations apply to any connected product that can transmit data via the internet. This includes mobile phones, smartwatches, tablets, children’s toys, safety equipment, and baby monitors. Non-compliance could mean:

• Blocked access to EU markets
• Delays in product certification
• Costly redesigns and reputational damage
• Legal exposure if user data is compromised
  

The EN 18031 series of standards introduces security requirements for:

• Internet-connected products
• Products processing sensitive personal data (e.g. children’s devices, toys, wearables)
• Devices used for monetary transactions (e.g. virtual wallets)
  

Their goals are threefold:

• Prevent harm to communication networks
• Protect personal data and user privacy
• Reduce fraud risk, particularly for devices that handle payments
  

To comply, developers must test for network security, data integrity, and resilience to unauthorised access.
As a business leader, you don’t need to know the technical details of encryption or communication protocols, but you do need to know what questions to ask your team, your suppliers, and your technology partners. Start with these:

• Are we building products that comply with EN 18031 and GDPR and other regulations relevant to our markets of sale?
• Have we documented a data security risk assessment?
• How are we managing data consent and withdrawal?
• What happens if our product is hacked?
• Do we have a breach response plan?
• Who in our business is accountable for data protection?
  

As we step into the new year, now is the perfect time to take stock of how your products handle personal data. Thinking proactively about data protection is not just about avoiding fines. It is about building trust with your customers, strengthening your brand, and setting your business up for smoother product launches. Even small actions, like reviewing your consent processes, checking your breach response plan, or confirming your data risk assessments are up to date, can make a big difference. Make 2026 the year you use data security to strengthen customer trust and confidence.