The ICO exists to empower you through information.

We are responsible for regulating the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations (PECR). Throughout this guidance, you should take references to privacy law as referring to these three laws.

Your organisation must comply with these laws. But there are also pressing reasons beyond legal compliance to prioritise privacy. Privacy also has real-world impacts on people’s rights and freedoms. Privacy-minded design will also benefit your organisation, reducing risks, saving time and expense, and ultimately helping you build better digital products.

Legal requirements

Under the UK GDPR and DPA 2018, your organisation must consider data protection and privacy issues upfront in everything it does. You must bake in privacy considerations from the design stage throughout the product development lifecycle. We may ask you to demonstrate how you have done this, if appropriate.
UK GPDR sets out seven key principles:

  • lawfulness, fairness, transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

These principles lie at the heart of UK GDPR, informing everything that follows, and are key to your compliance with the regulation’s detailed provisions. The principles should therefore underpin your design approach.

UK GDPR also gives everyone rights over how their personal information is used. These individual rights include a right to:

  • be informed;
  • access and receive a copy of their personal data;
  • have inaccurate data rectified;
  • not be subject to automated decision-making and profiling; and
  • have personal data erased.

Organisations which act as controllers must ensure people can exercise these rights. Thoughtful design helps people have a good experience while doing this.

PECR sits alongside UK GPDR. If you send electronic marketing or use cookies or similar technologies, you must comply with this, alongside the UK GDPR.



Privacy harms to people

Penalties and fines for violating data protection law can be severe. However, privacy is not just about legal compliance; failing to protect privacy can also have a significant impact on people. Overlooking privacy in the design process can lead to real harm and distress.

Information leaks can cause people stress and anxiety, as people worry about who might end up with access to their personal information. If data does end up in the wrong hands, it may lead to intrusions such as nuisance calls or, in some cases, even more serious harms such as extortion or fraud.

Vulnerable people can be particularly at risk. For example, people facing domestic abuse can be particularly endangered if their privacy is compromised. Evidence shows abusers commonly misuse sensitive personal information to harass and control their partners.

Privacy harms to society

Privacy issues also have social dimensions. For example, if people’s votes were not secure and private, or if sensitive information such as political affiliation became public knowledge, there could be a serious impact on democracy and ‘chilling effects’ on freedom of belief. Violations of this sort can also exacerbate discrimination, furthering inequality against marginalised people. Privacy issues could also damage the role of law and justice if, for example, victims or witnesses felt unable to report crimes safely. A society that overlooks privacy is likely to be a less just society.

As designers become increasingly aware of their duties to society, not just people, it is important to consider the wider social impacts that could arise from your design decision-making.




Business impacts

There are also important business reasons to prioritise privacy within the design process.

People are increasingly keen to choose providers that match their privacy expectations. Investing in privacy can help your product or service stand out and can build customer trust that leads to loyalty and positive word of mouth. Competitors hit by privacy problems, however, may suffer reputational harm, creating customer churn and brand damage.

Talented technologists are also becoming more selective about the companies they work with. Attention to privacy shows you foster a culture of doing things right, and of protecting people rather than cutting corners. Strong candidates motivated by positive impact are often drawn to these cultures, meaning a stronger candidate pool and enhancing your company’s future competitiveness.

As you work through this design guidance, encourage your organisation to see privacy and data protection as investments, not costs. Privacy is a core product and UX issue. Organisations that embrace this have an opportunity to outshine their competitors by showing they truly care.

Previous: Summary | Next: Kick-off