Skip to main content

On-demand webinar coming soon...

Blog

How to approach the ICO’s “Privacy in the product design lifecycle”

Privacy by Design is a concept that has been around for decades, however the rise and speed of technological developments makes it vital for your organization to implement privacy from the start

Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
March 1, 2023

Overhead photo of three business people walking up a set of office stairs.

The concept of Privacy by Design (PbD) has been around since the mid-90s when it was first introduced by the then Information and Privacy Commissioner of Ontario, Ann Cavoukian. For nearly three decades PbD’s seven principles have laid the foundations for building privacy into the product lifecycle and have become a requirement in a growing number of jurisdictions, for example, under the EU’s General Data Protection Regulation (GDPR). And as global privacy legislation continues to expand the likelihood of farther-reaching PbD requirements is likely to be seen.

In February 2023, the UK Information Commissioner’s Office (ICO) release its guidance on “Privacy in the product design lifecycle” to give technology professionals information on how to implement privacy in the development of new products and services. The guidance breaks down how UX designers, software engineers, QA testers, and product managers can think about privacy across six different stages of the product design lifecycle and why privacy matters.

Let’s take a closer look at the ICO’s guidance, how your business can adopt PbD into its product development lifecycle, and what tools you can use to help.

What does the ICO say about Privacy in product design?

From a project’s conception to ongoing monitoring, privacy has a part to play throughout the design lifecycle. The ICO’s guidance on “Privacy in product design lifecycle” lays out critical considerations for putting privacy into the center of product development, giving data controllers recommendations for implementing PbD. While it is not intended to replace detailed guidance, the guidance outlines several important steps that data controllers can take to navigate privacy in the design lifecycle.

One of the key themes of the ICO guidance is going beyond regulatory compliance and ensuring that new products address the risks to the rights and freedoms of individuals, to society, and to make privacy a best practice across product development.

The case for privacy

Product managers, UX designers, and other technology professionals may question the importance of privacy, especially within the context of product development. The ICO highlights the significance of considering privacy at the beginning of the product design lifecycle through several lenses.

The ICO says, “Privacy also has real-world impacts on people’s rights and freedoms. Privacy-minded design will also benefit your organization, reducing risks, saving time and expense, and ultimately helping you build better digital products.”

  • Legal requirements – Ensure you can demonstrate that the seven principles of the UK GDPR have been considered in product development and that appropriate methods are available for data subjects to exercise their rights. You must also consider the Privacy and Electronic Communications Regulations (PECR) if your product uses cookies or electronic marketing.
  • Privacy harms to people – Understanding the impact on individuals and ensure that potential risks to individuals are considered and addressed.
  • Privacy harms to society – Consider the wider social impact that can occur from decision-making within the design process.
  • Business impacts – Explore the potential impact privacy failings would have on your business. Loss of business, customer churn, and reputational damage are all factors to be considered.

Privacy in the kick-off stage

Considering privacy best practices at the start of any new product or service is the core tenet of PbD. The individual steps that you should take when beginning this process is outlined in the ICO guidance and incorporate cross-functional collaboration and data mapping.

The ICO says, “You must consider privacy from the earliest design stage when planning new features or products. Start too late and you may have to make fixes later on that can prove expensive and delay your project.”

  • Plan ongoing collaboration – Identify and involve other relevant stakeholders, ensure a lawful basis for processing, and conduct a data protection impact assessment (DPIA) where necessary.
  • Map what personal information the product needs – Understanding what data your product will need as well as its sensitivity and build a visual map of how it is used throughout the use of the product.
  • Identify changes and risks – Analyze the risks your product might pose, the relationship you have with your users, and consider how bad actors could use the personal data needed for your product.
  • Agree responsibilities – Define roles and responsibilities for decision-making throughout the product lifecycle. In many cases this will be the Data Protection Officer (DPO).
  • Weave privacy into your business case – Discuss and promote the advantages of robust privacy practices and why they matter to your business.

Privacy in the research stage

Understanding your user base can help you to build the protections that address specific concerns as well as giving you end-user perspectives on where trust can be built within your product offerings.

The ICO says, “User research helps you learn about people’s privacy needs and concerns so you can create products that people trust.”

  • Survey the landscape – Keep track of the ever-evolving technology landscape by conducting competitor analysis, exploring emerging technologies, and reviewing customer trends.
  • Gather audience perspectives on privacy – Conduct research such as focus groups or case studies to understand different attitudes toward privacy and develop products that align with these expectations.
  • Get feedback on privacy work in progress – Test any works-in-progress to put your proposed user-experience to the test and understand whether end-users find the product to be transparent and developed with a privacy-first approach.
  • Protect the privacy of your research participants – It is also important to consider the privacy of participants in any product research. Consider anonymization and data minimization.

Privacy in the design stage

A proactive approach to privacy in the design stage of a new product reduces the need for remediation further down the line where rectifying missed privacy opportunities can be costly in terms of time, money, and impact to the business.

The ICO says, “Whether sketching initial design concepts, planning out user journeys, or prototyping high-fidelity interactions, you must consider privacy throughout your design process. It is easier to resolve issues in a design phase than if you discover them later on.”

  • Consider privacy throughout your design activities – Try exercises that explore how your product would operate without the need for personal data. Use mock data in any prototypes and ensure that discussions about privacy have taken place before developing the product any further.
  • Communicate privacy information in ways people understand – To meet transparency obligations, make sure you communicate how personal data is used in clear, easily accessible formats that take the user into account.
  • Choose the right moments – Map appropriate moments in the user’s journey to deliver privacy notices and information about the use of personal data.
  • Ensure consent is valid – Understand conditions for valid consent under the UK GDPR and ensure any consent that you have obtained meets these conditions.
  • Empower people to exercise their information rights in the interface – Ensure users are aware of their privacy rights under the UK GDPR, how they can exercise them, and how to make complaints.

Privacy in the development stage

Building privacy into the development stage requires all the information gathered throughout the previous stages to be documented and brought into the psychical development of the product taking into account data minimizations and technical measures for security.

The ICO says, “You must carry forward your privacy planning from previous stages all the way into the finished product or feature. Careful privacy engineering makes systems more reliable and protects people.”

  • Define the minimum personal information you require – More data equals more risk, ensure that only the minimum volumes of personal data are collected for the product to function correctly.
  • Enhance privacy and security with technical measures – Implement the proper technical measures for securing stored personal information such encryption and never store passwords in plain text.
  • Ensure people can exercise their data rights – Consider implementing methods for exercising privacy rights that are built into the product or service.
  • Protect personal information during development – Apply appropriate access controls, document all interactions with data, and ensure retention policies are up to date

Privacy in the launch phase

Before going live, a final review of the privacy-first processes and measures that you’ve baked into the product will be critical for highlighting any issues that may have previously been overlooked. There is also case for ensuring privacy is built into the product roll out which includes notifying individuals about how their personal data is being used.

The ICO says, “You’re almost ready to share your work with the world. Before you do, check you’ve addressed any lingering privacy issues.”

  • Check carefully before release – Consult stakeholders from the legal team, the DPO, and other relevant senior stakeholders and confirm the product is ready to be launched
  • Factor privacy into rollout plans – Develop a launch checklist and include rollback strategies, how to respond to feedback, and how you will utilize analytics for ongoing privacy
  • Tell people what to expect – Address individuals’ right to be informed and ensure a clear and accessible privacy notice is available

Privacy in the post-launch phase

Monitor, respond, repeat. Once the product has launched it shouldn’t be pushed to one side, it must be monitored to make sure no privacy issues arise and when they do they are handled swiftly and effectively. This will involve a periodic review of product performance, dividual feedback, and implementing improvements.

The ICO says, “The launch is not the end of the journey. It’s now time to review how people are using your work, and to consider whether you need to make fixes to protect people and their information.”

  • Monitor and fix as required – Monitor analytics and feedback to ensure the product is working as it should and privacy is being upheld correctly. Consult colleagues form the data protection and privacy teams in the event of a privacy issue.
  • Reappraise expectations and norms – New features and unexpected behaviors could impact the level of privacy that the product offers, and this must be addressed as soon as possible.
  • Reflect, celebrate, and improve – Review the product design process and highlight challenges and successes to inform future product development.

How can you implement the principles of PbD?

“You look at whatever challenges or threats that may exist and how you respond to them. How do you address those issues and those principles? How do you comply with transparency, data minimization, and data security? And how do you deal with that as part of the design process? It is by carrying out that exercise that you achieve Privacy by Design.” Eduardo Ustaran, Partner at Hogan Lovells said, in an interview with OneTrust DataGuidance. The OneTrust Privacy & Data Governance Cloud hosts a range of tools that can help you to achieve PbD and build it into your product design lifecycle in line with ICO guidance.

Data mapping is a logical place to start. It can help you to make a case for privacy by building your understanding of your legal requirements and act as a record for demonstrating compliance with the principles of the UK GDPR. Mapping your data can also assist when building visualizations of data flows throughout the product and help you to identify areas where risks may present themselves. Data Mapping Automation helps you to develop a central view of your organization’s personal data and to build visualization of data flows across a product’s lifecycle. Automated data mapping can also help you to capture context early and throughout the product or project lifecycle including how data is collected, the purpose for which its being used, the location where the data is stored, and the potential risks and protections in place. Additionally, users can deploy OneTrut’s PbD template into business tools like Jira allowing stakeholders to contribute technical information when its most relevant, while dynamic reporting empowers you to assess, track and report on privacy risk across assets, vendors, processing activities for projects or product.

Another central piece to the ICO’s guidance is to ensure that data subjects are informed of how their personal data will be used, aware of their rights, and how to exercise them. Digital Policy Management lets you design and create policies leveraging the template gallery, rich editing, and responsive designs that best fit your product design. User can manage the complexity of disclosures and privacy notices by letting you automatically publish them to the right destination within specific time periods to adhere to the range of global privacy regulations. This will help to ensure data subjects are informed about personal data processing as well as their privacy rights.

When data subjects are aware of their rights it is vital you are able to handle their requests. OneTrust Privacy Rights Automation  lets you embed appropriate intake methods for data subject rights requests throughout the product. And, having received a subject request enables you to automatically fulfill the request using with accurate data discovery and automatic downstream notification.

Request a demo today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you start implementing Privacy by Design in your product development lifecycle.


You may also like

Webinar

Privacy Management

Data Privacy Day 2025

Join this webinar to hear from a panel of expert privacy professionals as they dissect the key happenings in 2024 and how privacy professionals can approach what may occur in 2025.

January 21, 2025

Learn more

Webinar

Privacy Management

Revisiting IAPP DPC 2024: Top trends on the latest data protection developments

Join OneTrust and PA Consulting as we dive deeper into the key takeaways from the IAPP Europe Data Protection Congress 2024. Our speakers will provide actionable insights from the event on the latest developments in data protection, privacy, and AI. 

December 12, 2024

Learn more

Infographic

Privacy Automation

GDPR: Dos and don'ts

Navigating GDPR compliance can feel daunting, especially for businesses with limited resources. This quick infographic guide of actionable “dos” and “don’ts” will help you develop the foundation of a broader privacy-first approach that keeps you aligned with your GDPR compliance goals.

December 10, 2024

Learn more

eBook

Consent & Preferences

Mastering GDPR consent: A marketer's guide to simplifying compliance

Learn how to simplify GDPR consent management, stay compliant, and build trust with your audience. Download this practical guide for marketers.

October 17, 2024

Learn more

eBook

Privacy Management

Maturing your GDPR compliance program

This comprehensive eBook explores the key elements of a GDPR compliance program.

September 11, 2024

Learn more

eBook

Privacy Management

Understanding data transfers under the GDPR ebook

In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

June 05, 2024

Learn more

Webinar

Privacy Management

Preparing for a new regulation: Lesson learned from the GDPR businesses can apply to the EU AI act?

Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.

May 23, 2024

Learn more

Webinar

Privacy Management

Navigating data privacy in 2024: Global regulatory updates & compliance strategies

Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

March 20, 2024

Learn more

Infographic

Privacy Management

OneTrust announces partnership with Europrivacy

Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

December 06, 2023

Learn more

Webinar

Technology Risk & Compliance

Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

November 30, 2023

Learn more

Webinar

Privacy Management

Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

October 25, 2023

Learn more

Infographic

Privacy & Data Governance

Understanding the EU Data Boundary

Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

September 22, 2023

Learn more

Webinar

Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Learn more

Webinar

Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Learn more

Webinar

Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Infographic

Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy & Data Governance

Global Panel — GDPR & Healthcare: current regulatory guidance and enforcement

In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.

May 24, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Retail: building customer loyalty and trust with consent and privacy

Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.

May 23, 2023

Learn more

eBook

Privacy Management

Getting started with GDPR compliance

This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps. 

May 23, 2023

Learn more

Infographic

Privacy Management

Comparing the FADP, Revised FADP, and the GDPR

Download our infographic to see how the Revised FADP compares with its original version and the GDPR.

May 23, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Finance: Staying ahead of the regulatory and cyber landscape

How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.

May 22, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

Webinar

Privacy & Data Governance

Data Protection in Financial Services Week: Government keynote and international transfers

This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.

February 07, 2023

Learn more

Webinar

Consent & Preferences

Belgian DPA approves TCF action plan: Where we go from here

Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.

January 12, 2023

Learn more

Webinar

Privacy & Data Governance

Keeping pace with the changing regulatory landscape: UK And EU updates webinar

Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.

August 15, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

Webinar

Privacy & Data Governance

4 years of GDPR

Watch our webinar on the last 4 years of GDPR compliance and trends for the future.

May 05, 2022

Learn more

Webinar

Privacy Management

Privacy rights poland: Enhance Your DSAR process with automation, discovery & redaction

As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends. 

April 03, 2022

Learn more

Webinar

Privacy & Data Governance

Know your laws: Comparing CCPA & CPRA vs. GDPR

Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.

January 04, 2022

Learn more

Checklist

Privacy & Data Governance

Transfer Impact Assessment (TIA) checklist

This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.

December 01, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to GDPR compliance

Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.

August 26, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

White Paper

Privacy Automation

Mastering PIAs & DPIAs: A complete handbook for privacy experts

Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.

July 22, 2021

Learn more

Checklist

Privacy & Data Governance

GDPR compliance checklist

Download our GDPR compliance checklist for recommendations on improving your organization's privacy program. 

June 11, 2021

Learn more

Webinar

Privacy Automation

PIA and DPIA demo webinar with Data Privacy Group

Join our webinar to learn the benefits of automating your PIAs and DPIAs using the OneTrust platform

Learn more