The ICO's new guidance on privacy in the product design lifecycle

Overview

The ICO has recently published guidance on 'Privacy in the product design lifecycle', which is aimed at helping technology professionals to understand how to embed the principles of data protection by design and default when developing a product or service. For context, Article 25 of UK GDPR requires data controllers to put in place appropriate technical and organisational measures that are designed to implement data protection principles effectively and integrate necessary safeguards into the processing (‘data protection by design’). These measures must also ensure that only personal data which are necessary for each specific purpose of the processing are processed (‘data protection by default’). For more information, read the ICO’s guidance on 'Data protection by design and default'.

Under the new guidance, organisations must consider data protection and privacy issues upfront and ensure they are woven into the fabric of their business activities. Below we briefly outline the key phases set out in the ICO guidance:
 

1. PRIVACY IN THE KICK-OFF STAGE
 

It is crucial to consider privacy from the earliest design stage, aligning the project with the applicable privacy laws and regulations. This stage will involve, amongst other things:

  • Planning ongoing collaboration - which includes identifying the relevant stakeholders and determining the lawful basis for processing. Organisations also need to consider whether a Data Protection Impact Assessment (DPIA) is required to identify and assess potential risks, and how the organisation will apply mitigating measures for the planned product and/or project.
  • Mapping personal data - The creation of a data map that outlines what personal information the product and/or project requires (including any special category data), and how it will be collected and processed. This part also asks organisations to consider whether the product/service is likely to be accessed by children, in which case the requirements of the Children's Code must also be considered.
  • Identifying changes and risks - Which includes reviewing whether proposed uses of personal data give rise to new risks to individuals' rights and freedoms.
  • Agreeing responsibilities - For taking privacy and data protection decisions.
     

Consideration at the kick-off stage helps to weave data privacy into the early stages of product and/or project design. This allows for a timely resolution of data privacy questions and avoids later changes to key design decisions which could result in time, resource and budget costs.
 

2. PRIVACY IN THE RESEARCH STAGE
 

For these purposes, the ICO defines 'research' as 'user research, user experience (UX) research, or design research that technology teams run to understand user needs and evaluate product choices'. The term therefore refers specifically to user research, as opposed to the 'research' purposes provided for in the UK Data Protection Act 2018. The research stage could involve a number of actions, including:

  • Surveying the landscape - e.g., conducting competitor analyses or exploring emerging technologies to find novel ways of tackling privacy challenges;
  • Gathering audience perspectives on privacy - to understand their expectations and, in so doing, seek to mitigate the likelihood of violating them. The findings of this exercise could also feed into any DPIA process; and
  • Getting feedback on privacy work-in-progress - by conducting summative research.
     

The ICO highlights the need for organisations to conduct research 'ethically and properly' by taking participants' privacy seriously. This includes minimising information collected about the participants, providing clear explanations of how their data will be processed, and obtaining consent where appropriate.

In conclusion, there are a range of ways organisations can learn about people’s privacy needs and concerns; however, in so doing, they need to ensure that the data protection rights of their research participants continue to be protected in this process.
 

3. PRIVACY IN THE DESIGN STAGE
 

One of the key principles of the UK GDPR is that data protection must be integrated into the design of products and services. The ICO highlights that it is easier to resolve any data protection issues early on in the design phase. In this regard, the ICO expects the following from organisations:

  • Considering privacy throughout design activities (including UX sketching, information architecture, prototyping and content design);
  • Communicating privacy information in ways people understand, which gives meaningful effect to the transparency principle and information rights under the UK GDPR;
  • Choosing the right moments, which essentially means identifying the right timing for individuals to make reasonable and informed choices when using the product/service;
  • Ensuring consent is valid (where it is relied on as a lawful basis); and
  • Empowering people to exercise their information rights in the interface.
     

4. PRIVACY IN THE DEVELOPMENT STAGE
 

During this stage, organisations need to embed privacy planning from previous stages into the finished product or service. Under the guidance, this involves:

  • Defining the minimum personal information required in line with the data minimisation principle;
  • Enhancing privacy and security with technical measures;
  • Ensuring people can exercise their data protection rights; and
  • Protecting personal information during development, which means that organisations must process personal data in a secure manner by putting in place 'appropriate technical and organisational measures' as required by the UK GDPR.
     

5. PRIVACY IN THE LAUNCH PHASE
 

This is where the product is introduced to the market and made available to customers. The key activities at this stage include:

  • Checking privacy risks carefully before a product/service is launched;
  • Factoring privacy into rollout plans, including having a plan in place in case something goes wrong; and
  • Communicating privacy in a clear and understandable manner.
     

6. PRIVACY IN THE POST-LAUNCH STAGE
 

The final stage of the product life cycle is the post-launch stage. In this regard, the ICO's guidance suggests the following:

  • Monitoring and fixing issues, which could include consultations with data protection or legal colleagues in case of a serious privacy problem;
  • Reappraising expectations and norms given that each new release can affect how people interact with the product and their privacy expectations; and
  • Reflecting, celebrating and improving, which involves retrospectives or project reviews to learn how privacy topics were handled.
     

Why is this significant and what does it mean for me?

The UK GDPR requires controllers to embed data protection by design and default considerations throughout a product lifecycle, forming a basis for wider compliance with other data protection obligations. Doing so also assists organisations in identifying potential privacy risks and supports the development of appropriate strategies to mitigate any risks identified. In addition, it can help organisations to prepare for potential data breaches and other privacy issues.

As highlighted above, the ICO's guidance will be of particular relevance for technology professionals responsible for developing a product or service. It provides clarity on what organisations must, should or could do in the product life cycle, emphasising the fundamental importance of privacy in new products and services.

However, it is important to note that this guidance supplements rather than supplants other sources published on the ICO’s website. Indeed, the ICO is clear that the new guidance is not a substitute for the detailed ICO guidance, but rather serves as a resource intended to assist technology professionals in navigating and applying the detailed ICO guidance throughout the product design lifecycle. In this light, organisations must ensure that data protection expertise is provided in the development of a product or a service as required.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
 

SUBSCRIBE: DATA PRIVACY UPDATES

Subscribe: Data Privacy Updates