ICO publishes new guidance on privacy in the product design lifecycle

The question

What are the key privacy considerations that the Information Commissioner’s Office (ICO) expects organisations to implement in the design and development of their new products and services?

The background

Previously, the ICO’s “data protection by design and default” guidance provided controllers with a general framework for the safeguards they should consider when integrating data protection in their processing activities, and business practices. While this guidance was helpful, it did not provide organisations with any specific steps they could take to achieve data protection compliance. Instead, organisations were advised to implement “appropriate technical and organisational measures”, adhere to fundamental data protection principles, and to remember that “what you need to do depends on the circumstances of your processing and the risks posed to individuals”.

This new guidance fulfils the need for a more specific roadmap for achieving data protection compliance. It sets out the key privacy considerations across six distinct phases in the product development lifecycle. These are: (i) kick-off, (ii) research, (iii) design, (iv) development, (v) launch, and (vi) post-launch.

The development

Below is a summary of the key privacy considerations which the ICO states organisations must, and should, consider during each of these phases:

Kick-Off Phase

During this phase, the ICO stresses the importance of considering privacy, as early as possible, when scoping a new product or feature. This requires product designers and developers to consider:

• Ongoing collaboration – project teams should introduce their projects to their colleagues, with expertise in data protection, as early as possible. This enables a lawful basis for the processing of any personal data to be identified. Further, once a lawful basis is identified, the ICO stresses the importance of recording this by preparing (i) a data protection impact assessment (DPIA), and (ii) a plan which contains milestones for raising any privacy issues which crop up with senior stakeholders. According to the ICO, these actions will assist organisations in demonstrating the data protection compliance of their products or services.
  
• Data mapping – project teams should consider the personal data, especially special category data, which their products or services might use across the product or service’s entire range of features. They should also ensure that any processing meets the conditions set out under UK GDPR. Here, the ICO stresses that, where children are likely to access a service (even if they are not the target audience/user), the implications of the Children’s code are key considerations (see our analysis of the ICO’s guidance on  compliance of game design with the Children’s code). 
  
• Any changes and risks – the relationship between the organisation and the user should be reviewed to determine whether the data is provided directly by the user, or if it is inferred, or derived, another way. This will ensure that project teams are live to the risk that their new product or service could create “knock-on” privacy risks for existing features, potentially assisting bad actors, or cyber-attackers.
  
• Responsibilities – project teams should assign and agree responsibilities for privacy decisions with internal stakeholders. This ensures that anyone with final accountability for these decisions is aware of this. Further, all team members should be kept informed about key decisions and privacy risks/threats eg via an alert system, or audit trail.

Research phase:

In this phase, the ICO points out that “research” means user research, UX research, or design research, which designers and developers may use to understand users’ needs, or to evaluate product choices. Project teams are expected to:

• Protect the privacy of research participants – all research undertaken as part of a project (eg competitor, consumer, or market research), must be conducted ethically. This means ensuring that only the minimum amount of data about research participants is collected, any data collection is clearly explained, consent is sought (where appropriate) for collection, and any results are anonymised (where possible).

Design phase

The new guidance states that designers and developers “must consider privacy throughout the design process”. This can be demonstrated by:

• Considering privacy throughout design activities – this means designers should avoid using real user data when prototyping or mocking up interfaces.
• Communicating about privacy in an understandable way – all privacy information should be communicated in a concise, transparent, intelligible, easily accessible manner (ie using clear and plain language), and across a variety of mediums (ie not just through privacy notices).
• Being targeted – while privacy information must be provided at the time the personal data is collected, project teams should consider providing such information when users might expect to receive it so that they are assisted in making reasonable, informed choices.
• Ensuring consent is valid – where consent is required, it must be (i) freely given, (ii) specific, (iii) informed and (iv) just as easily withdrawn. Here, the ICO reiterates that pre-ticked opt-in boxes are specifically banned, and unnecessary consent popups should be avoided.
• Empowering people – organisations must allow people to exercise their rights (eg access, rectification, and data portability), and consider how to assist people in exercising their rights directly through the new product or service

Development Phase

During this phase, project teams are encouraged to bring forward all the privacy planning they have performed in the previous phases to engineer the finished product or service. This should involve:

• Collecting the minimum amount of personal data – organisations should only collect the data they really need. This should be analysed by (i) reviewing the data maps from the kick-off phase, (ii) clarifying what the new product or service is trying to achieve, and (iii) ensuring that users can access as much functionality as possible before providing personal data.
• Enhancing privacy and security measures – this means that appropriate encryption, anonymisation, and other privacy-enhancing measures should be utilised.
• Ensuring users can exercise their rights – as in the design phase, this requires project teams to ensure that users can enter their personal data accurately and request its amendment.
• Protecting personal data during development – organisations must implement appropriate technical and organisational measures such as, setting up proper access controls, logging data interactions, and establishing retention policies

Launch Phase

Here, the ICO stresses the importance of reviewing any final privacy issues before launching a new product or service. This requires project teams to:

• Mitigate privacy risks found in earlier phases – project teams should run regression tests to determine if a new product feature could break old code. Further, they should remove, or replace, test data, before going live. The New Guidance also provides that there should be agreement from legal, and senior stakeholders, that a new product, or service, is ready for launch.
• Factor privacy into rollout plans – this requires project teams to have a rollback strategy, or contingency plan, where something goes wrong. The ICO specifically states that such plans are crucial because, if user access to the product, or service, is affected, it must be restored in a timely manner. Further, where an organisation stores, or accesses information on a user’s device to assess novel privacy issues, user consent must be obtained.
• Tell users what to expect – this states that, if a change to the new product, or service, will affect the processing of personal data, this must be communicated to users in a clear and understandable manner.

Post-launch Phase

During this phase, the ICO reminds organisations that the launch phase is not the end of data protection compliance. Instead, organisations must review how users are interacting with the new product, or service, and consider any fixes which may be required. This means:

• Monitoring and fixing issues, as required – organisations should examine whether any unexpected privacy issues have arisen and run regression tests to determine if the new product feature has broken any old code.
• Reappraising users’ expectations and norms – organisations should be live to how any changes to the features of the new product, or service, may significantly affect people’s privacy expectations, or introduce new privacy risks. Further, organisations should assess any emerging privacy implications where they see significant new user behaviour.

Why is this important?

The new guidance is the latest move by the ICO to demonstrate its commitment to pragmatism and regulatory certainty. It provides designers, developers, product managers, and engineers with a new template for how they can embed data protection into their products and services. The guidance can now be used by organisations as an invaluable future-proofing tool, enabling them to review their policies, plans, internal Wikis, and playbooks, to ensure that they align with the key privacy considerations that the ICO has outlined.

Any practical tips?

While the guidance is instructive, it should be viewed as a supplement to, not a substitute for, the ICO’s previous guidance on “data protection by design and default”. As such, when reviewing any internal policies, plans, Wikis and playbooks, organisations should review both pieces of ICO guidance, together. Further, when designing and developing new products, and services, designers and developers can now supplement the new guidance with the ICO’s new “Innovation Advice Service”. While this service is currently in Beta, it provides a forum for organisations which are doing new or innovative things with personal data, to ask the ICO specific questions with a view to solving any data protection issues that are holding up their product’s, or service’s, development.