Key Privacy Considerations from the Information Commissioner's Office

The Information Commissioner's Office ("ICO") published new guidance in March to assist technology professionals in developing products in such a way that they adequately consider and protect the end-users privacy ("Guidance"). 

Developers and other technology professionals must develop products with privacy at the forefront of their minds.

These considerations ensure compliance with the UK GDPR, which requires data controllers to put in place appropriate measures designed to effectively implement data protection principles. 

The ICO note in its Guidance that considering privacy "is vital to the success of the project and can help save resources, as rectifying negligent data protection practices are costly".

Given the strong focus being placed on this area by the ICO, in this article, we set out a useful summary of the Guidance, which covers considerations that developers should make at each stage of the product design process.

• In this context, where we refer to research, we mean user research, user experience research, or any research carried out to understand the user's needs. 
• The ICO indicates that at the research stage, it is important to consider not only who the target audience for the product will be but also to regard their attitudes towards privacy. By identifying the audience and understanding their expectations, a developer can cultivate trust with their potential customer base, which, in turn, can result in increased uptake of the concept. 
• The ICO also suggests conducting competitor analysis and surveying potential customers to understand their expectations and mitigate the likelihood of contravening privacy rights (ensuring that participants' identities are anonymised where possible).
• In addition, the ICO suggests that developers obtain feedback on work in progress to assess things like the design of privacy information screens and whether people can easily understand the relevant information.

• This stage focuses on embedding privacy planning from previous stages into the finalised product or service. A key privacy consideration at this stage is ensuring that the minimum personal information required is defined in line with the data minimisation principle. This principle states that a data controller should limit the collection of personal information to what is directly relevant and necessary. 
• Further considerations include enhancing privacy and security with technical measures (including hashing, encrypting and other privacy-enhancing measures), ensuring people can exercise their data protection rights, and protecting any personal information obtained during development. 

• In this final stage, the ICO suggests that monitoring of private data should be carried out and issues should be remedied quickly. They reiterate the importance of collaboration and suggest that such data monitoring could include consultations with data protection or legal colleagues in case of privacy issues. 
• The ICO also suggests that developers should ensure continuing transparency in providing regular updates to customers as their product is developed and how the user interacts with it changes.