Information Commissioner's Office
Blog: Ten top tips for innovators
We are always looking for new and innovative ways to offer advice and support to businesses involved in data protection. It is imperative that consumers who share their personal data with your organisation are confident that it will be treated fairly, lawfully and transparently.
One of the key aims of our Regulators’ Business Innovation Privacy Hub (or to give it its much snappier shorter title, the Innovation Hub), is to collaborate with other regulators to improve the data protection knowledge within innovative businesses in different sectors.
You can read about our work with several different bodies including the Financial Conduct Authority, the Solicitors Regulatory Authority and the Medicines and Healthcare products Regulatory Agency in the recently published report.
Within that report, we have included a series of data protection tips that anybody involved in any sector can utilise when innovating to ensure that they are building in the right data protection compliance from the outset.
So here we present our ten top tips for innovators.
- Data protection is good for business. Building the data protection principles and information rights into your product is an advantage in the marketplace, encouraging customer confidence and lowering your risk of enforcement action.
- Data protection will remain relevant, even as technology advances. Placing individual rights at the centre of your product development makes upholding them easier.
- Education is key. If you intend to process personal data, you must be aware of your obligations under the legislation. Why not start with the wealth of information and guidance materials produced by the ICO? You could also seek additional training or expert guidance to ensure your understanding of the legislation.
- Take a ‘data protection by design and default’ approach. To save yourself headaches further down the line, data protection compliance should be built into your product from the start. Data protection by design and default is a legal requirement of the GDPR – putting in place the appropriate technical and organisational measures to implement the data protection principles, and safeguarding individual rights.
- Carry out a DPIA. If you are looking to process personal data in innovative ways or use a new technology, a Data Protection Impact Assessment might be obligatory. If you identify a high risk that you cannot mitigate, you’ll need to consult with the ICO prior to starting your intended processing. And even if it isn’t legally required, a thorough DPIA can be a great way to identify and address risks associated with your product.
- Decide what you are doing with data. Clearly frame the problem you are trying to solve, work out your lawful basis, and only then decide what personal data – if any – you need to collect. Never hold data ‘just in case’.
- Open it up – and lock it down. New technologies open up fantastic opportunities for consumers through data sharing and data portability. But you must tell them where their data is going and why – and use appropriate security measures to stop it going anywhere else.
- Consider using synthetic data. If you are testing a product, there are anonymisation and pseudonymisation techniques available to protect individuals in large datasets. Synthetic data may help to lower risk if it suitably reflects real-world data. If you really can’t do either and need to use live data, document your decision-making so that you can demonstrate that you are taking people’s privacy seriously. Limit what you use and put measures in place to minimise the impact of things going wrong.
- If your product uses AI, know your obligations. These include explaining to individuals how their personal data will be processed, and complying with requirements on automated decision-making and profiling.
- The ICO can help. If you need advice you can get help and support from the ICO through a range of options, including the Advice Service for Small Organisations. Look out for the ICO Sandbox accepting applications from organisations seeking hands-on support. And if you are already working with another regulator in your sector, the Innovation Hub may be able to assist.