How to approach the ICO’s “Privacy in the product design lifecycle”

Privacy by Design is a concept that has been around for decades, but the rise and speed of technological development make it vital for your organization to implement privacy from the start

Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
March 1, 2023

The concept of Privacy by Design (PbD) has been around since the mid-90s when it was first introduced by the then Information and Privacy Commissioner of Ontario, Ann Cavoukian. For nearly three decades PbD’s seven principles have laid the foundations for building privacy into the product lifecycle and have become a requirement in a growing number of jurisdictions, for example, under the EU’s General Data Protection Regulation (GDPR). As global privacy legislation continues to expand, farther-reaching PbD requirements are likely to follow.

In February 2023, the UK Information Commissioner’s Office (ICO) released its guidance on “Privacy in the product design lifecycle” to give technology professionals information on how to implement privacy in the development of new products and services. The guidance breaks down how UX designers, software engineers, QA testers, and product managers can think about privacy across six different stages of the product design lifecycle and why privacy matters.

Let’s take a closer look at the ICO’s guidance, how your business can adopt PbD into its product development lifecycle, and what tools you can use to help.

What does the ICO say about Privacy in product design?

From a project’s conception to ongoing monitoring, privacy has a part to play throughout the design lifecycle. The ICO’s guidance on “Privacy in product design lifecycle” lays out critical considerations for putting privacy into the center of product development, giving data controllers recommendations for implementing PbD. While it is not intended to replace detailed guidance, the guidance outlines several important steps that data controllers can take to navigate privacy in the design lifecycle.

One of the key themes of the ICO guidance is going beyond regulatory compliance: ensuring that new products address the risks to the rights and freedoms of individuals and to society, and making privacy a best practice across product development.

The case for privacy

Product managers, UX designers, and other technology professionals may question the importance of privacy, especially within the context of product development. The ICO highlights the significance of considering privacy at the beginning of the product design lifecycle through several lenses.

The ICO says, “Privacy also has real-world impacts on people’s rights and freedoms. Privacy-minded design will also benefit your organization, reducing risks, saving time and expense, and ultimately helping you build better digital products.”

  • Legal requirements – Ensure you can demonstrate that the seven principles of the UK GDPR have been considered in product development and that appropriate methods are available for data subjects to exercise their rights. You must also consider the Privacy and Electronic Communications Regulations (PECR) if your product uses cookies or electronic marketing.
  • Privacy harms to people – Understand the impact on individuals and ensure that potential risks to individuals are considered and addressed.
  • Privacy harms to society – Consider the wider social impact that can occur from decision-making within the design process.
  • Business impacts – Explore the potential impact privacy failings would have on your business. Loss of business, customer churn, and reputational damage are all factors to be considered.

Privacy in the kick-off stage

Considering privacy best practices at the start of any new product or service is the core tenet of PbD. The individual steps that you should take when beginning this process are outlined in the ICO guidance and incorporate cross-functional collaboration and data mapping.

The ICO says, “You must consider privacy from the earliest design stage when planning new features or products. Start too late and you may have to make fixes later on that can prove expensive and delay your project.”

  • Plan ongoing collaboration – Identify and involve other relevant stakeholders, ensure a lawful basis for processing, and conduct a data protection impact assessment (DPIA) where necessary.
  • Map what personal information the product needs – Understand what data your product will need, as well as its sensitivity, and build a visual map of how it is used throughout the use of the product.
  • Identify changes and risks – Analyze the risks your product might pose, the relationship you have with your users, and consider how bad actors could use the personal data needed for your product.
  • Agree responsibilities – Define roles and responsibilities for decision-making throughout the product lifecycle. In many cases this will be the Data Protection Officer (DPO).
  • Weave privacy into your business case – Discuss and promote the advantages of robust privacy practices and why they matter to your business.

Privacy in the research stage

Understanding your user base can help you to build the protections that address specific concerns as well as giving you end-user perspectives on where trust can be built within your product offerings.

The ICO says, “User research helps you learn about people’s privacy needs and concerns so you can create products that people trust.”

  • Survey the landscape – Keep track of the ever-evolving technology landscape by conducting competitor analysis, exploring emerging technologies, and reviewing customer trends.
  • Gather audience perspectives on privacy – Conduct research such as focus groups or case studies to understand different attitudes toward privacy and develop products that align with these expectations.
  • Get feedback on privacy work in progress – Test any works-in-progress to put your proposed user-experience to the test and understand whether end-users find the product to be transparent and developed with a privacy-first approach.
  • Protect the privacy of your research participants – It is also important to consider the privacy of participants in any product research. Consider anonymization and data minimization.

Privacy in the design stage

A proactive approach to privacy in the design stage of a new product reduces the need for remediation further down the line, where rectifying missed privacy opportunities can be costly in terms of time, money, and impact to the business.

The ICO says, “Whether sketching initial design concepts, planning out user journeys, or prototyping high-fidelity interactions, you must consider privacy throughout your design process. It is easier to resolve issues in a design phase than if you discover them later on.”

  • Consider privacy throughout your design activities – Try exercises that explore how your product would operate without the need for personal data. Use mock data in any prototypes and ensure that discussions about privacy have taken place before developing the product any further.
  • Communicate privacy information in ways people understand – To meet transparency obligations, make sure you communicate how personal data is used in clear, easily accessible formats that take the user into account.
  • Choose the right moments – Map appropriate moments in the user’s journey to deliver privacy notices and information about the use of personal data.
  • Ensure consent is valid – Understand conditions for valid consent under the UK GDPR and ensure any consent that you have obtained meets these conditions.
  • Empower people to exercise their information rights in the interface – Ensure users are aware of their privacy rights under the UK GDPR, how they can exercise them, and how to make complaints.

Privacy in the development stage

Building privacy into the development stage requires all the information gathered throughout the previous stages to be documented and brought into the physical development of the product, taking into account data minimization and technical measures for security.

The ICO says, “You must carry forward your privacy planning from previous stages all the way into the finished product or feature. Careful privacy engineering makes systems more reliable and protects people.”

  • Define the minimum personal information you require – More data equals more risk. Ensure that only the minimum volumes of personal data are collected for the product to function correctly.
  • Enhance privacy and security with technical measures – Implement the proper technical measures for securing stored personal information, such as encryption, and never store passwords in plain text.
  • Ensure people can exercise their data rights – Consider implementing methods for exercising privacy rights that are built into the product or service.
  • Protect personal information during development – Apply appropriate access controls, document all interactions with data, and ensure retention policies are up to date.

Privacy in the launch phase

Before going live, a final review of the privacy-first processes and measures that you’ve baked into the product will be critical for highlighting any issues that may have previously been overlooked. There is also a case for ensuring privacy is built into the product rollout, which includes notifying individuals about how their personal data is being used.

The ICO says, “You’re almost ready to share your work with the world. Before you do, check you’ve addressed any lingering privacy issues.”

  • Check carefully before release – Consult stakeholders from the legal team, the DPO, and other relevant senior stakeholders and confirm the product is ready to be launched.
  • Factor privacy into rollout plans – Develop a launch checklist and include rollback strategies, how to respond to feedback, and how you will utilize analytics for ongoing privacy.
  • Tell people what to expect – Address individuals’ right to be informed and ensure a clear and accessible privacy notice is available.

Privacy in the post-launch phase

Monitor, respond, repeat. Once the product has launched, it shouldn’t be pushed to one side. It must be monitored to make sure no privacy issues arise and that, when they do, they are handled swiftly and effectively. This will involve a periodic review of product performance and individual feedback, and implementing improvements.

The ICO says, “The launch is not the end of the journey. It’s now time to review how people are using your work, and to consider whether you need to make fixes to protect people and their information.”

  • Monitor and fix as required – Monitor analytics and feedback to ensure the product is working as it should and privacy is being upheld correctly. Consult colleagues from the data protection and privacy teams in the event of a privacy issue.
  • Reappraise expectations and norms – New features and unexpected behaviors could impact the level of privacy that the product offers, and this must be addressed as soon as possible.
  • Reflect, celebrate, and improve – Review the product design process and highlight challenges and successes to inform future product development.

How can you implement the principles of PbD?

“You look at whatever challenges or threats that may exist and how you respond to them. How do you address those issues and those principles? How do you comply with transparency, data minimization, and data security? And how do you deal with that as part of the design process? It is by carrying out that exercise that you achieve Privacy by Design,” said Eduardo Ustaran, Partner at Hogan Lovells, in an interview with OneTrust DataGuidance.

The OneTrust Privacy & Data Governance Cloud hosts a range of tools that can help you to achieve PbD and build it into your product design lifecycle in line with ICO guidance.

Data mapping is a logical place to start. It can help you to make a case for privacy by building your understanding of your legal requirements, and it can act as a record for demonstrating compliance with the principles of the UK GDPR. Mapping your data can also assist when building visualizations of data flows throughout the product and help you to identify areas where risks may present themselves. Data Mapping Automation helps you to develop a central view of your organization’s personal data and to build visualizations of data flows across a product’s lifecycle. Automated data mapping can also help you to capture context early and throughout the product or project lifecycle, including how data is collected, the purpose for which it is being used, the location where the data is stored, and the potential risks and protections in place. Additionally, users can deploy OneTrust’s PbD template into business tools like Jira, allowing stakeholders to contribute technical information when it is most relevant, while dynamic reporting empowers you to assess, track, and report on privacy risk across assets, vendors, and processing activities for projects or products.

Another central piece of the ICO’s guidance is to ensure that data subjects are informed of how their personal data will be used, are aware of their rights, and know how to exercise them. Digital Policy Management lets you design and create policies leveraging the template gallery, rich editing, and responsive designs that best fit your product design. You can manage the complexity of disclosures and privacy notices by automatically publishing them to the right destination within specific time periods to adhere to the range of global privacy regulations. This will help to ensure data subjects are informed about personal data processing as well as their privacy rights.

When data subjects are aware of their rights, it is vital that you are able to handle their requests. OneTrust Privacy Rights Automation lets you embed appropriate intake methods for data subject rights requests throughout the product. Once a subject request has been received, it enables you to automatically fulfill the request using accurate data discovery and automatic downstream notification.

Request a demo today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you start implementing Privacy by Design in your product development lifecycle.

