Privacy in the product design lifecycle

In the whirlwind that was the last fortnight, I never properly shared the big project I shipped at the ICO. Designers, PMs, and engineers: this is for you.

Under GDPR (article 25), a data controller has to consider privacy through their entire product development process – this is called Data Protection by Design and Default. Through kickoff, research, design, development, and launch, you need to be able to prove you’ve done this work. You can’t ignore it and leave your legal or privacy team to make excuses later; companies are now being fined heavily for failing to live up to this requirement. (€265 million in Meta’s case, for example.)

The ICO only wants to fine companies as a last resort. It’s better for everyone if companies comply with the law properly.

So, in collaboration with a ton of ICO colleagues, I wrote and published guidance on Privacy in the product design lifecycle. It’s written directly for designers, PMs, and engineers, stepping through each stage of product development and clarifying what you must, should, and could do at each stage to protect users and help you comply with GDPR. There’s also info about the case for privacy, so you can convince your teammates this isn’t just about legal compliance, but building trust and keeping people and societies safe.

I might share more about writing regulatory guidance later on: it’s rather more complex than you might expect. But if you’re building products and services that handle personal data, I strongly recommend you check the guidance out: Privacy in the product design lifecycle.