The Information Commissioner’s Office (ICO) is always looking for new and innovative ways to offer advice and support to businesses that handle personal data, because it is imperative that consumers who share their personal data with your organisation are confident that this data will be treated fairly, lawfully and transparently.
One of the key aims of our Regulators’ Business Innovation Privacy Hub (or, to give it its much snappier title, the Innovation Hub) is to collaborate with other regulators to improve data protection knowledge within innovative businesses across different sectors.
You can read about the ICO’s work with several different bodies, including the Financial Conduct Authority, the Solicitors Regulatory Authority and the Medicines and Healthcare products Regulatory Agency, in the recently published report.
Within that report, the ICO has included a series of data protection tips that anybody innovating in any sector can use to ensure they build the right data protection compliance in from the outset.
So here are ten top tips for innovators:
- Data protection is good for business. Building the data protection principles and information rights into your product is an advantage in the marketplace, encouraging customer confidence and lowering your risk of enforcement action.
- Data protection will remain relevant, even as technology advances. Placing individual rights at the centre of your product development makes upholding them easier.
- Education is key. If you intend to process personal data, you must be aware of your obligations under the legislation. Why not start with the wealth of information and guidance materials produced by the ICO? You could also seek additional training or expert guidance to ensure your understanding of the legislation.
- Take a ‘data protection by design and default’ approach. To save yourself headaches further down the line, data protection compliance should be built into your product from the start. Data protection by design and default is a legal requirement of the GDPR – putting in place the appropriate technical and organisational measures to implement the data protection principles, and safeguarding individual rights.
- Carry out a DPIA. If you are looking to process personal data in innovative ways or use a new technology, a Data Protection Impact Assessment might be obligatory. If you identify a high risk that you cannot mitigate, you’ll need to consult with the ICO prior to starting your intended processing. And even if it isn’t legally required, a thorough DPIA can be a great way to identify and address risks associated with your product.
- Decide what you are doing with data. Clearly frame the problem you are trying to solve, work out your lawful basis, and only then decide what personal data – if any – you need to collect. Never hold data ‘just in case’.
- Open it up – and lock it down. New technologies open up fantastic opportunities for consumers through data sharing and data portability. But you must tell them where their data is going and why – and use appropriate security measures to stop it going anywhere else.
- Consider using synthetic data. If you are testing a product, there are anonymisation and pseudonymisation techniques available to protect individuals in large datasets. Synthetic data may help to lower risk if it suitably reflects real-world data. If you really can’t do either and need to use live data, document your decision-making so that you can demonstrate that you are taking people’s privacy seriously. Limit what you use and put measures in place to minimise the impact of things going wrong.
- If your product uses AI, know your obligations. These include explaining to individuals how their personal data will be processed, and complying with requirements on automated decision-making and profiling.
- The ICO can help. If you need advice you can get help and support from the ICO through a range of options, including the Advice Service for Small Organisations. Look out for the ICO Sandbox accepting applications from organisations seeking hands-on support. And if you are already working with another regulator in your sector, the Innovation Hub may be able to assist.
The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.