The ICO exists to empower you through information.


If you’re making a product or service that involves processing personal information, it is important to consider data protection law throughout the design and development process. This includes kick-off, research, design, development, launch, and post-launch phases.

The case for privacy – Your organisation must comply with relevant laws. But there are also pressing reasons beyond legal compliance to prioritise privacy. For example, the risk of harming people and society itself, as well as the business risks to organisations.

Privacy in the kick-off stage – including kick-starting collaboration, mapping your product’s personal information needs, and ideas on weaving privacy into your business case.

Privacy in the research stage – including gathering up-front perspectives on privacy, testing of work in progress, and ways to protect the personal information of research participants.

Privacy in the design stage – including choosing the right moments, obtaining valid consent, and communicating privacy information in ways people understand.

Privacy in the development stage – including defining the appropriate amount of personal information required, exploring technical solutions that enhance privacy, and protecting personal information in development environments.

Privacy in the launch phase – including conducting pre-release checks, factoring privacy into rollout plans, and deciding how best to communicate changes.

Privacy in the post-launch phase – including monitoring and triaging fixes, reappraising expectations and norms, and celebrating privacy successes.


About this guidance

This guidance is written for technology professionals such as product and UX designers, software engineers, QA testers, and product managers. It assumes your organisation acts as a data controller. Companies whose software, products, apps, or websites collect, manage, or share people’s personal information are likely to meet this definition. If your organisation acts as data controller, the organisation is responsible for complying with data protection law. Data protection obligations vary for organisations that fall outside this category, such as those that act as processors for personal information.

This guidance will help you, as technology professionals, understand how to incorporate data protection by default and design in your development of a technology product or service. It is not a substitute for detailed ICO guidance, but is intended to help you understand how to navigate and apply our more detailed guidance throughout the product design lifecycle.

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.

Next: The case for privacy