Contact Our Commercial Team
Myerson's expert Technology and Commercial Teams have experience handling complex data protection matters. If you need legal advice please contact our team on:
The Information Commissioner's Office ("ICO") published new guidance in March to assist technology professionals in developing products in such a way that they adequately consider and protect the end-users privacy ("Guidance").
Developers and other technology professionals must develop products with privacy at the forefront of their minds.
These considerations ensure compliance with the UK GDPR, which requires data controllers to put in place appropriate measures designed to effectively implement data protection principles.
The ICO note in its Guidance that considering privacy "is vital to the success of the project and can help save resources, as rectifying negligent data protection practices are costly".
Given the strong focus being placed on this area by the ICO, in this article, we set out a useful summary of the Guidance, which covers considerations that developers should make at each stage of the product design process.
Preliminary privacy considerations at the "Kick-Off" stage
- It is paramount that privacy is considered at an early stage, as this can set the tone and mindset for privacy and GDPR-compliant development.
- A developer must identify the lawful basis for processing personal information, the potential risks and accompanying mitigating measures which can be implemented. It is then important to map out exactly what personal data may be collected and establish the purpose for which it is to be used. To help facilitate this, the ICO suggests including legal teams at the kick-off stage to foster ongoing collaboration with the development team and ensure that sufficient forethought is given to privacy.
1. Privacy considerations in the "Research" stage
- In this context, where we refer to research, we mean user research, user experience research, or any research carried out to understand the user's needs.
- The ICO indicates that at the research stage, it is important to consider not only who the target audience for the product will be but also to regard their attitudes towards privacy. By identifying the audience and understanding their expectations, a developer can cultivate trust with their potential customer base, which, in turn, can result in increased uptake of the concept.
- The ICO also suggests conducting competitor analysis and surveying potential customers to understand their expectations and mitigate the likelihood of contravening privacy rights (ensuring that participants' identities are anonymised where possible).
- In addition, the ICO suggests that developers obtain feedback on work in progress to assess things like the design of privacy information screens and whether people can easily understand the relevant information.
2. Privacy considerations in the "Design" stage
- To ensure compliance with GDPR, data protection must be integrated into the design of products and services. With this in mind, the ICO reiterates the importance of transparent and accessible communications. This means that designers should ensure that privacy information is communicated in ways people understand.
- In communicating privacy information, designers should also carefully consider timing, choose the right time for individuals to make reasonable/informed choices when using the product or service and ensure that a user's consent is valid.
- The ICO suggest that designers should implement designs to empower users to exercise their rights in the interface. This might include displaying what privacy information the product will collect when the user signs up and requiring that the user agrees to this to use the product.
3. Privacy considerations in the "Development" stage
- This stage focuses on embedding privacy planning from previous stages into the finalised product or service. A key privacy consideration at this stage is ensuring that the minimum personal information required is defined in line with the data minimisation principle. This principle states that a data controller should limit the collection of personal information to what is directly relevant and necessary.
- Further considerations include enhancing privacy and security with technical measures (including hashing, encrypting and other privacy-enhancing measures), ensuring people can exercise their data protection rights, and protecting any personal information obtained during development.
4. Privacy considerations in the "Launch" stage
- In this stage, the ICO emphasises the importance of carefully checking the product before release, including checking that all previously identified privacy risks have been addressed and any test data has been removed.
- The ICO also suggests that developers follow a detailed checklist or launch plan, which accounts for contingencies if things go wrong.
5. Privacy considerations in the "Post-Launch" stage
- In this final stage, the ICO suggests that monitoring of private data should be carried out and issues should be remedied quickly. They reiterate the importance of collaboration and suggest that such data monitoring could include consultations with data protection or legal colleagues in case of privacy issues.
- The ICO also suggests that developers should ensure continuing transparency in providing regular updates to customers as their product is developed and how the user interacts with it changes.
Comments
Overall, the ICO's guidance on privacy in the product design life cycle is an important step in the development of privacy-focused products.
By embedding privacy into the design process from the beginning, organisations can help ensure that the products they create are both effective and privacy-law compliant.
This can help build trust with customers and regulators while reducing the risk of data breaches and other privacy-related issues.