ISO 31700: New ISO Standard for Privacy by Design

ISO is set to launch a new privacy standard in February: ISO 31700, Privacy by design for consumer goods and services. The new standard is designed not only to facilitate compliance with regulations, but also to generate greater consumer trust at a time when it is needed most.

But how useful will it be?

What is included in ISO 31700?

The ISO 31700 series presents the first set of high-level requirements for ensuring consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle. Along with the standard, a separate technical report will outline possible use cases.

The new standard ISO 31700 – Consumer protection: privacy by design for consumer goods and services is made up of two parts:

  • ISO 31700-1 Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements (to be released on February 8, 2023) and
  • ISO/TR 31700-2 Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases, which was scheduled for publication on January 31, 2023…

The standards are not designed to be certified against – so they won’t be useful as a way of providing third-party assurance that a privacy by design approach has been implemented.


What is Privacy by Design?

Most privacy practitioners are familiar with the concept of Privacy by Design. PbD is a requirement under the GDPR (Article 25, “data protection by design and by default”) and is recommended by almost every privacy regulator in the world.


As originally conceived by Ann Cavoukian, PbD is made up of seven principles, including that privacy should be an organization’s default setting (no action is required by an individual to protect their privacy), that it should be embedded into the design of IT systems and business practices, and that it should be part of the entire data lifecycle.

When applied to consumer products and services, these PbD principles mean that the privacy of a consumer should be taken into account throughout the design and development of a product, considering the entire product lifecycle – from before it is placed on the market, through purchase and use by consumers, to the expected time when all instances of that product finally stop being used.

PbD also means that a product should have default consumer-oriented privacy controls and settings that provide appropriate levels of privacy, without placing undue burden on the consumer.

The Privacy 108 team has worked with many organisations on embedding PbD into everything they do. Read more about how we can help here.

Who is the audience?

The primary audiences for the new standard are the staff of organizations and third parties who are responsible for the concept, design, manufacturing, management, testing, operation, service, maintenance and disposal of consumer goods and services. So, pretty much everyone.

[Image: cropped photo of an iPhone showing the dictionary definition of “design” on screen. Photo by Edho Pratama on Unsplash]

What’s in the new standard ISO 31700 for Privacy by Design

The final ISO 31700 standard is more detailed than the seven principles traditionally referred to as Privacy by Design.

Privacy by Design Principles

The introduction to the new standard provides that the benefits of privacy by design can be viewed through three guiding principles:

  • Empowerment and transparency;
  • Institutionalization and responsibility; and
  • Ecosystem and lifecycle.

Empowerment and transparency

There is growing demand for accurate privacy assertions, systematic methods of privacy due diligence, and greater transparency and accountability in the design and operation of consumer products that process PII. The goal is to promote wider adoption of privacy-aware design, earn consumer trust and satisfy consumer needs for robust privacy and data protection. In addition, the intent is to create and promote innovative solutions that protect and manage consumers’ privacy:

  • by analysing and implementing privacy controls based on the consumer’s perspective, context, and needs; and
  • by succinctly documenting and communicating to consumers directly how privacy considerations were approached.


Institutionalisation and responsibility

The standard notes that it is increasingly important to delineate and distinguish the responsibilities and perspectives of the consumer of the products that process PII from those of product design, business and other stakeholders in the ecosystems in which the product operates. Privacy by design focuses on the consumer perspective when institutionalizing robust privacy norms throughout the ecosystem including privacy protection and data handling practices.

With privacy by design, the consumer’s behavioural engagement with the product(s) and their privacy needs are considered early and throughout the product lifecycle process. This way, decisions concerning consumer privacy needs will be more consistent and systematic, and privacy becomes a functional requirement alongside the interests of product design, business and other stakeholders.

Privacy by design also focuses on accountability, responsibility, and leadership. These aspects are essential to successfully operationalizing and institutionalizing the privacy by design process, and a demonstrated leadership commitment is what makes privacy part of an organization’s product design process rather than an afterthought.

Ecosystem and lifecycle

A privacy by design approach can be applied to the broader information ecosystems in which both technologies and organizations operate and function. Privacy and consumer protection benefit from taking a holistic, integrative approach that considers as many contextual factors as possible (e.g. the type of consumer, their goal and intent in using a product, and the data the product will process for that consumer) – even (or especially) when these factors lie outside the direct control of any particular actor, organization, or component in the system.

Privacy by design applies to all products that use PII, whether physical goods, or intangible services such as software as a service, or a mixture of both. It is intended to be scalable to the needs of all types of organizations in different countries and different sectors, regardless of organization size or maturity.

It is possible that additional privacy issues and a need for related controls are identified at any point in the product lifecycle, including during development or after use by consumers.

Privacy by design methodologies support iterative approaches to product development, with supplementary privacy enhancements designed and deployed long after the initial design phase.

Privacy by Design – requirements

Building on the three over-arching principles, the Standard does contain more specific guidance by way of requirements.

The standard includes 30 high-level requirements for privacy by design.

A draft of the standard shows it will be 32 pages long, which suggests there will be some level of detail included as part of the description of the 30 requirements … but not a lot.

We know that it will include general guidance on:

  • designing capabilities to enable consumers to enforce their privacy rights,
  • assigning relevant roles and authorities,
  • providing privacy information to consumers,
  • conducting privacy risk assessments,
  • establishing and documenting requirements for privacy controls,
  • how to design privacy controls,
  • lifecycle data management, and
  • preparing for and managing a data breach.

Looking at this list, there is clearly overlap with existing ISO standards such as ISO/IEC 27002, newly extended to include data protection controls, and ISO/IEC 27701, the privacy information management extension to ISO/IEC 27001. The connection between ISO 31700 and other standards is confirmed by the proposed bibliography that comes with the document, which refers to other standards with more detailed requirements on identifying personal information, access controls, consumer consent, corporate governance, and other topics.

The standard is explicit about its own limits: it states that it “does not contain specific requirements for the privacy assurances and commitments that organizations can offer consumers nor does it specify particular methodologies that an organization can adopt to design and implement privacy controls, nor the technology that can be used to operate such control …” So it is not aimed at providing third-party assurance around the types or level of controls implemented.

Conclusion

Building a privacy by design capability in organisations is one of today’s key challenges. There’s a lot of information out there but it’s hard to pull it all together into a coherent roadmap to build and maintain privacy by design across organisations.

Let’s hope that this new standard offers practical assistance to help us along that path. It remains to be seen.

Privacy 108 can help!

The Privacy 108 team has worked with many organisations on developing and implementing PbD strategies, and embedding PbD into everything they do.

Read more about how we can help here.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.