Data Privacy Week celebrates the signing of Convention 108 (now updated to Convention 108+), which first set out individuals’ data protection rights. Each year has a different theme, and this year’s theme is ‘Put Privacy First’. We’ve collected our five top tips for incorporating data protection right from the start of a new project.
1) Understand the privacy requirements
The best time to start thinking about the privacy implications for a new project is when the concept is first being developed. It’s important to include privacy specialists with the right skills and experience to support the project in early planning workshops so they can gain understanding and provide input. However, project teams may focus on the most obvious operational use cases for a new processing activity and miss the need to build in capability to comply with the requirements for:
- the lawful basis for the processing,
- responding to a data subject rights request, or
- safeguarding the data as it moves between processors.
These all need to become functional requirements for delivery and will affect the cost and development time requirements for the project.
2) Understand your audience
Understanding what privacy means to the individuals whose data you will process is important. What would they expect to happen with processing like this? What privacy and data protection risks are they concerned about? What might they hope the processing will achieve for them?
The best way to understand your audience is to ask them. The Information Commissioner recommends setting up focus groups that allow organisations to hold discussions directly with individuals. This can be as simple as asking your customers if they are prepared to receive and respond to occasional surveys, or as complex as running workshops and tests to see how people interact with new ideas and technologies.
3) Train your teams
When a new project is set up, it’s a good idea to carry out a training needs analysis for the delivery team. We recommend a three-pillar approach to data protection and privacy training that includes general training covering key concepts and organisational policies; role-based training ensuring individuals have the specific knowledge they need to manage the risks they control; and decision-maker training that helps those with authority understand how to prioritise data protection and privacy deliverables against operational requirements and how to make data protection and privacy risk decisions.
Training needs might include ensuring that developers have relevant secure development qualifications and training; that planners have the latest information on privacy technologies that might be useful for the project; and that operational teams setting operating requirements for the processing understand the risks and control options when designing how they want the processing to work.
4) Start the DPIA as early as possible
A Data Protection Impact Assessment (DPIA) is a risk assessment that looks at data protection implications for processing. This is a particularly useful tool, as it provides a specific opportunity to look at these issues and to record all the relevant information in one place. It’s very common for project teams to be so focused on the primary operational features and user experience for a processing activity that the data protection and privacy aspects are missed.
DPIAs are mandatory for some processing activities and often a good idea even where they are not required. The best way to approach them is to start working on them right at the beginning of a project and maintain them throughout the project lifetime. This ensures that they stay up to date as requirements change, and that recommendations can be addressed at the most appropriate moment instead of having to be retrofitted later, which is often more expensive and can slow project delivery.
5) Include privacy in communications
Privacy and data protection are essential to instil trust and confidence in a new processing activity. If people don’t trust new products, services or features, they are much less likely to use them. Including privacy-protective features in marketing communications can address this and improve the reputation of the organisation.
Put Privacy First
Putting Privacy First makes business sense as well as being the right thing to do. We collect more highly sensitive data than ever, and we hope that doing this can help us achieve important goals like addressing climate change. Data protection legislation creates an environment in which most people are happy to trust organisations with their data, but this requires organisations to continue to take their obligations seriously and justify that trust.