On 13 March 2023, the Information Commissioner’s Office (‘ICO’) published new guidance, ‘Privacy in the product design lifecycle’, to help technology professionals, such as UX designers, product managers and software engineers, keep data protection considerations at the forefront of their products and services. The guidance describes how to tackle privacy issues arising at each stage of the design and development process, as summarised below.
The ICO notes that considering privacy from the outset is vital to the success of the project and can help save resources, as rectifying negligent data protection practices can be costly.
The first step is to identify the lawful basis/bases for processing personal information when starting the product development process, including by mapping out what personal data may be collected and for which purposes it may be used. This can best be done by including data protection or legal teams at the kick-off stage, which fosters ongoing collaboration and enables the data protection or legal team to assist with conducting data protection impact assessments (where necessary).
The guidelines focus on the importance of not only identifying the target audience for the product but also their attitudes towards privacy, in other words their ‘reasonable expectations’. Identifying the audience and understanding that audience’s expectations could lead to enhanced trust and data protection as a competitive advantage. One way of testing expectations and the accessibility of the information would be through case studies or focus groups.
The ICO reiterates the importance of transparent and accessible communications. This means considering the methods or techniques and the timing for communicating data handling policies, including ‘just in time’ notices that explain how information will be used at the point the individual provides the information, which could assist with obtaining valid consent (where required) from users. Design should also empower users to exercise their rights within the product design and offer ways to reopen consent interfaces.
The key considerations for this stage include defining the minimum personal information required by the product and enhancing privacy security with technical measures, i.e. adequate and secure data storage, encryption, decentralisation or two-factor authentication.
Companies should make sure to carefully check the product before release. This includes checking that all previously identified privacy risks have been remediated and removing any test data before ‘go live’. The ICO recommends including data protection considerations in a launch checklist as well as planning for rollback in case of errors.
Finally, product teams should conduct ongoing monitoring of a product post release and review how the product is used, so that any unexpected data protection issues can be addressed and to assess how users interact with the product’s data protection tools, notices and mechanisms.
The ICO’s newest guidance combines commercial and regulatory considerations that can help businesses navigate complex product design processes to incorporate data protection by default. The key takeaways include carrying out mapping exercises, continually reviewing potential data protection risks at each stage and implementing solutions that allow users to exercise their rights.