Thursday, December 26, 2024
Home > ICO > Blog: Ten top tips for innovators

Blog: Ten top tips for innovators

8 September 2020

We are always looking for new and innovative ways to offer advice and support to any businesses involved in data protection because it is imperative that consumers who share their personal data with your organisation are confident that this data will be treated fairly, lawfully and transparently. 

One of the key aims of our Regulators’ Business Innovation Privacy Hub (or to give it its much snappier shorter title, the Innovation Hub), is to  collaborate with other regulators to improve the data protection knowledge within innovative businesses in different sectors. 

You can read about our work with several different bodies including the Financial Conduct Authority, the Solicitors Regulatory Authority and the Medicines and Healthcare products Regulatory Agency in the recently published report.

Within that report, we have included a series of data protection tips that anybody involved in any sector can utilise when innovating to ensure that they are building in the right data protection compliance from the outset.

So here we present our ten top tips for innovators.

  1. Data protection is good for business. Building the data protection principles and information rights into your product is an advantage in the marketplace, encouraging customer confidence and lowering your risk of enforcement action.
  2. Data protection will remain relevant, even as technology advances. Placing individual rights at the centre of your product development makes upholding them easier.
  3. Education is key. If you intend to process personal data, you must be aware of your obligations under the legislation. Why not start with the wealth of information and guidance materials produced by the ICO? You could also seek additional training or expert guidance to ensure your understanding of the legislation.
  4. Take a ‘data protection by design and default’ approach. To save yourself headaches further down the line, data protection compliance should be built into your product from the start. Data protection by design and default is a legal requirement of the GDPR – putting in place the appropriate technical and organisational measures to implement the data protection principles, and safeguarding individual rights.
  5. Carry out a DPIA. If you are looking to process personal data in innovative ways or use a new technology, a Data Protection Impact Assessment might be obligatory. If you identify a high risk that you cannot mitigate, you’ll need to consult with the ICO prior to starting your intended processing. And even if it isn’t legally required, a thorough DPIA can be a great way to identify and address risks associated with your product.
  6. Decide what you are doing with data. Clearly frame the problem you are trying to solve, work out your lawful basis, and only then decide what personal data – if any – you need to collect. Never hold data ‘just in case’.
  7. Open it up – and lock it down. New technologies open up fantastic opportunities for consumers through data sharing and data portability. But you must tell them where their data is going and why – and use appropriate security measures to stop it going anywhere else.
  8. Consider using synthetic data. If you are testing a product, there are anonymisation and pseudonymisation techniques available to protect individuals in large datasets. Synthetic data may help to lower risk if it suitably reflects real-world data. If you really can’t do either and need to use live data, document your decision-making so that you can demonstrate that you are taking people’s privacy seriously. Limit what you use and put measures in place to minimise the impact of things going wrong.
  9. If your product uses AI, know your obligations. These include explaining to individuals how their personal data will be processed, and complying with requirements on automated decision-making and profiling.
  1. The ICO can help. If you need advice you can get help and support from the ICO through a range of options, including the Advice Service for Small Organisations. Look out for the ICO Sandbox accepting applications from organisations seeking hands-on support. And if you are already working with another regulator in your sector, the Innovation Hub may be able to assist.

Original Source