In November 2018 the Information Commissioners Office (ICO) set up the Regulators' Business Innovation Privacy Hub (the Innovation Hub) to collaborate with other regulators, offering data protection expertise to innovative businesses. On 28 August 2020, the ICO published a Project Report, which includes the ICO's top 10 tips for use by any sector involved in innovation as follows:
1. Data protection is good for business. Building data protection principles into your business is an advantage in the marketplace, encouraging customer confidence and lowering your risk of enforcement action.
2. Data protection will remain relevant, even as technology advances. Placing data subject's rights at the centre of product development makes upholding them easier.
3. Education is key. If you intend to process personal data, you must be aware of your obligations under the legislation. Guidance and information produced by the ICO is a good starting point.
4. Take a 'data protection by design and default' approach. To save yourself headaches further down the line, data protection compliance should be built into your product from the start.
5. Carry out a DPIA. If you are looking to process personal data in innovative ways or use a new technology, a Data Protection Impact Assessment might be obligatory. If you identify a high risk that you cannot mitigate, you'll need to consult with the ICO prior to starting your intended processing. And even if it isn't legally required, a thorough DPIA can be a great way to identify and address risks associated with your product.
6. Decide what you are doing with data. Clearly frame the problem you are trying to solve, work out your lawful basis for processing and only then decide what personal data – if any – you need to collect. Never hold data 'just in case'.
7. Open it up – and lock it down. New technologies open up fantastic opportunities for consumers through data sharing and data portability. But you must tell them where their data is going and why – and use appropriate security measures to stop it going anywhere else.
8. Consider using synthetic data. If you are testing a product, there are anonymisation and pseudonymisation techniques available to protect individuals in large datasets. Synthetic data may help to lower risk if it suitably reflects real-world data. If you really can't do either and need to use live data, document your decision-making so that you can demonstrate that you are taking people's privacy seriously. Limit what you use and put measures in place to minimise the impact of things going wrong.
9. If your product uses AI, know your obligations. These include explaining to individuals how their personal data will be processed, and complying with requirements on automated decision-making and profiling.
10. The ICO can help. If you need advice you can get help and support from the ICO through a range of options, including the Advice Service for Small Organisations.
The ICO's guidance provides a useful and user-friendly summary and serves as a useful reminder that, in the ICO's own words, privacy and innovation are not mutually exclusive.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
