Privacy by Design (PbD) is a set of principles that require organizations to consider privacy in their data management process. PbD has become an international privacy standard for the protection of consumer products and services, and is considered to be an important privacy milestone. The International Organization for Standardization (ISO) has developed ISO/DIS 31700 Consumer protection — Privacy by design for consumer goods and services, as a standard for privacy by design, which provides high-level requirements for protecting privacy throughout the lifecycle of a consumer product, including consumer-processed data. ISO 31700-1 does not contain specific requirements for privacy assurances and commitments that organizations can provide to consumers, but ISO 31700-2 provides illustrative use cases to help understand the requirements of ISO 31700-1.
What is ISO 31700?
ISO 31700-1 provides high-level requirements for Privacy by Design to protect privacy throughout the lifecycle of a consumer product, including consumer-processed data.
ISO 31700 is useful for companies involved in the development, implementation or operation of digitally enabled consumer goods and services, as it provides guidance on conducting privacy risk assessments, establishing and documenting requirements for privacy controls, designing privacy controls, lifecycle data management, and mitigating a data breach. The final ISO 31700 standard includes 30 requirements, assigning relevant roles and powers to consumers for enforcing their privacy rights.
The concept of privacy by design was developed in response to the increasing amount of personal information collected, stored and shared by organizations and companies, as well as the growing number of data breaches and privacy breaches. It was originally introduced in the late 1990s by Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, with the aim of ensuring that privacy is considered throughout the development process of new technologies and products, rather than being an afterthought.
The three guiding principles of privacy by design are as follows:
- Empowerment and transparency: With people becoming increasingly concerned about protecting their personal information in the digital age, companies need to be transparent and accountable when it comes to designing and operating software systems that handle personal information. This includes providing clear privacy claims, using systematic methods to assess privacy, and being clear about how consumer privacy is taken into account. By doing so, companies can gain consumer trust, achieve market success, comply with legal and regulatory requirements, and foster innovation by adopting a consumer-centered approach to privacy issues.
- Institutionalization and responsibility: Privacy by design focuses on the consumer perspective while institutionalizing strong privacy norms across the ecosystem. This means taking into account the consumer’s behavioral interaction with the product and privacy needs early on and throughout its lifecycle. By doing so, decisions regarding consumer privacy needs will not only be more consistent and systematic, but will also become a functional necessity alongside the interests of other stakeholders.
- Ecosystem and lifecycle: This approach benefits both privacy and consumer protection by considering all relevant factors, including those beyond the control of a particular organization or component. It can be applied to any product or service that uses personal information, whether physical products or intangible services such as software as a service. The framework is intended to be adaptable to the needs of organizations of any size and industry, regardless of their location or maturity level.
The Privacy by Design standard is designed for use by a wide variety of companies, startups, multinationals, and organizations of all sizes. It is easy to adopt and can be applied to IT systems, responsible business practices, and physical design and networked infrastructure. It is hoped that privacy will be proactively incorporated into the design of an organization’s operations and will complement data protection laws.
ISO, a network of 167 national standards bodies, has published more than 24,000 standards, including ISO 27001 for information security management systems. Some of these standards may be certified for compliance after passing an audit by accredited certification bodies such as CFECERT.
Businesses that adopt privacy as a competitive advantage can benefit from updated privacy and business models and implement the principle of Confidentiality in Design in their operations.