The concept of Privacy by Design (PbD) has been around since the mid-90s, when it was first introduced by the then Information and Privacy Commissioner of Ontario, Ann Cavoukian. For nearly three decades PbD’s seven principles have laid the foundations for building privacy into the product lifecycle and have become a requirement in a growing number of jurisdictions, for example under the EU’s General Data Protection Regulation (GDPR). As global privacy legislation continues to expand, farther-reaching PbD requirements are likely to follow.
In February 2023, the UK Information Commissioner’s Office (ICO) released its guidance on “Privacy in the product design lifecycle” to give technology professionals information on how to implement privacy in the development of new products and services. The guidance breaks down how UX designers, software engineers, QA testers, and product managers can think about privacy across six different stages of the product design lifecycle, and why privacy matters.
Let’s take a closer look at the ICO’s guidance, how your business can adopt PbD into its product development lifecycle, and what tools you can use to help.
What does the ICO say about Privacy in product design?
From a project’s conception to ongoing monitoring, privacy has a part to play throughout the design lifecycle. The ICO’s guidance on “Privacy in the product design lifecycle” lays out critical considerations for putting privacy at the center of product development, giving data controllers recommendations for implementing PbD. While it is not intended to replace more detailed guidance, it outlines several important steps that data controllers can take to navigate privacy in the design lifecycle.
One of the key themes of the ICO guidance is going beyond regulatory compliance: ensuring that new products address the risks to the rights and freedoms of individuals and to society, and making privacy a best practice across product development.
The case for privacy
Product managers, UX designers, and other technology professionals may question the importance of privacy, especially within the context of product development. The ICO highlights the significance of considering privacy at the beginning of the product design lifecycle through several lenses.
The ICO says, “Privacy also has real-world impacts on people’s rights and freedoms. Privacy-minded design will also benefit your organization, reducing risks, saving time and expense, and ultimately helping you build better digital products.”
Privacy in the kick-off stage
Considering privacy best practices at the start of any new product or service is the core tenet of PbD. The individual steps that you should take when beginning this process are outlined in the ICO guidance and incorporate cross-functional collaboration and data mapping.
The ICO says, “You must consider privacy from the earliest design stage when planning new features or products. Start too late and you may have to make fixes later on that can prove expensive and delay your project.”
Privacy in the research stage
Understanding your user base can help you to build the protections that address specific concerns as well as giving you end-user perspectives on where trust can be built within your product offerings.
The ICO says, “User research helps you learn about people’s privacy needs and concerns so you can create products that people trust.”
Privacy in the design stage
A proactive approach to privacy in the design stage of a new product reduces the need for remediation further down the line, where rectifying missed privacy opportunities can be costly in terms of time, money, and impact on the business.
The ICO says, “Whether sketching initial design concepts, planning out user journeys, or prototyping high-fidelity interactions, you must consider privacy throughout your design process. It is easier to resolve issues in a design phase than if you discover them later on.”
Privacy in the development stage
Building privacy into the development stage requires all the information gathered throughout the previous stages to be documented and brought into the physical development of the product, taking into account data minimization and technical measures for security.
The ICO says, “You must carry forward your privacy planning from previous stages all the way into the finished product or feature. Careful privacy engineering makes systems more reliable and protects people.”
Privacy in the launch phase
Before going live, a final review of the privacy-first processes and measures that you’ve baked into the product will be critical for highlighting any issues that may have previously been overlooked. There is also a case for ensuring privacy is built into the product roll-out, which includes notifying individuals about how their personal data is being used.
The ICO says, “You’re almost ready to share your work with the world. Before you do, check you’ve addressed any lingering privacy issues.”
Privacy in the post-launch phase
Monitor, respond, repeat. Once the product has launched it shouldn’t be pushed to one side; it must be monitored to make sure no privacy issues arise and, when they do, that they are handled swiftly and effectively. This will involve periodic review of product performance, individual feedback, and implementing improvements.
The ICO says, “The launch is not the end of the journey. It’s now time to review how people are using your work, and to consider whether you need to make fixes to protect people and their information.”
How can you implement the principles of PbD?
“You look at whatever challenges or threats that may exist and how you respond to them. How do you address those issues and those principles? How do you comply with transparency, data minimization, and data security? And how do you deal with that as part of the design process? It is by carrying out that exercise that you achieve Privacy by Design,” said Eduardo Ustaran, Partner at Hogan Lovells, in an interview with OneTrust DataGuidance. The OneTrust Privacy & Data Governance Cloud hosts a range of tools that can help you to achieve PbD and build it into your product design lifecycle in line with ICO guidance.
Data mapping is a logical place to start. It can help you to make a case for privacy by building your understanding of your legal requirements and act as a record for demonstrating compliance with the principles of the UK GDPR. Mapping your data can also assist when building visualizations of data flows throughout the product and help you to identify areas where risks may present themselves. Data Mapping Automation helps you to develop a central view of your organization’s personal data and to build visualizations of data flows across a product’s lifecycle. Automated data mapping can also help you to capture context early and throughout the product or project lifecycle, including how data is collected, the purpose for which it’s being used, the location where the data is stored, and the potential risks and protections in place. Additionally, users can deploy OneTrust’s PbD template into business tools like Jira, allowing stakeholders to contribute technical information when it’s most relevant, while dynamic reporting empowers you to assess, track, and report on privacy risk across assets, vendors, and processing activities for projects or products.
Another central piece of the ICO’s guidance is to ensure that data subjects are informed of how their personal data will be used, are aware of their rights, and know how to exercise them. Digital Policy Management lets you design and create policies leveraging the template gallery, rich editing, and responsive designs that best fit your product design. It helps you manage the complexity of disclosures and privacy notices by automatically publishing them to the right destination within specific time periods, so you can adhere to the range of global privacy regulations. This will help to ensure data subjects are informed about personal data processing as well as their privacy rights.
When data subjects are aware of their rights, it is vital that you are able to handle their requests. OneTrust Privacy Rights Automation lets you embed appropriate intake methods for data subject rights requests throughout the product. And once a subject request has been received, it enables you to fulfill the request automatically, using accurate data discovery and automatic downstream notification.
Request a demo today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you start implementing Privacy by Design in your product development lifecycle.