On 31 January 2023, The International Standards Organization (ISO) published Standards ISO 31700-1:2023 and ISO 31700-2:2023 on consumer protection and Privacy by Design for consumer goods and services. This new Standard was adopted by the ISO on 8 February 2023. The ISO is a voluntary network of 167 national standards bodies, including the National Standards Authority of Ireland (NSAI) in the Republic of Ireland, and the British Standards Institute (BSI) in the UK and Northern Ireland. This article outlines the principles of Privacy by Design and highlights how the content of the new Standard can help organisations move from data protection principle to practical implementation, a vital step towards regulatory compliance.
ISO 31700 is aimed at those responsible for data protection compliance within organisations, including senior responsible owners and data protection practitioners. It provides a set of requirements and examples for organisations to follow, to ensure that processes, procedures and products have relevant safeguards and structures in place to protect personal data processing.
Since 2009, Privacy by Design has been adopted by numerous privacy authorities and bodies, and was incorporated into the General Data Protection Regulation (GDPR) in 2018. Article 25 of the GDPR requires data controllers to embed Privacy by Design into their processes from the design stage and throughout the data lifecycle: (Creation / Acquisition > Storage > Processing > Use > Archive / Deletion).
Privacy by Design is an important and topical issue for businesses and public sector bodies alike. Failure to adhere to the principles can result in reputational and financial damage. In late 2022, the Irish Data Protection Commission (DPC) fined Facebook €265 million and instituted a range of corrective measures citing Article 25 of the General Data Protection Regulation (GDPR) 2018.
ISO 31700 is a separate standard from GDPR. The new Standard is intended to help establish a framework for the implementation of Privacy by Design. There are no hard rules or step-by-step procedures to follow; rather, it presents high-level guidance and use cases to demonstrate best practice in areas such as privacy controls, consumer communication and system design.
Privacy by Design
Privacy by Design is a set of principles first published in 2009 to guide organisations on how to embed privacy in the data management process from the outset and throughout. The seven foundational principles of Privacy by Design are:
- Proactive not Reactive; Preventative not Remedial: Privacy by Design does not wait for privacy risks to materialise and then treat their consequences. Incorporating Privacy by Design means taking proactive measures and a preventive approach, before a privacy-related incident even occurs.
- Privacy as the Default Setting: Privacy as a default setting means that no action is required of the data subject in order to protect their privacy – this is known as Privacy by Default.
- Privacy Embedded into Design: Privacy embedded into design means that privacy is an essential component of the functionality of the technology, service or product that is being designed. This is achieved by instituting a systematic and principled approach, carrying out privacy assessments and limiting the impact of the technology.
- Full Functionality — Positive-Sum, not Zero-Sum: This refers to privacy embedded at the design stage as much as possible without impairing the functionality. It enables multi-functionality and rejects a zero-sum approach.
- End-to-End Security — Full Lifecycle Protection: This refers to treating Privacy and Security as co-existing and complementary forces throughout the lifecycle of the data, from the point of collection to archive or deletion.
- Visibility and Transparency — Keep it Open: This means documenting and communicating actions clearly, consistently, and transparently. This should be supported by a democratic complaint submission and resolution process, as well as independent verification.
- Respect for User Privacy — Keep it User-Centric: This means that the interests and needs of individuals should be at the centre of Privacy by Design. Best results are achieved when individuals can have an active role in the management of their own personal data.
What are the new ISO Standards?
31700-1 establishes thirty high-level requirements for Privacy by Design to protect privacy throughout the lifecycle of a consumer product, including general guidance on how to:
- design systems and processes with privacy in mind
- develop privacy knowledge, skill and ability within an organisation
- ensure privacy controls are in place and understood, through design, implementation and management
- respond to inquiries, requests and complaints, including breaches
- assign relevant roles and responsibilities for privacy and data protection
- comply with customer rights
- manage data throughout its lifecycle
It does not contain specific requirements for the privacy assurances and commitments that organisations can offer consumers, nor does it specify particular methodologies that an organisation can adopt to design and implement privacy controls, or the technology that can be used to operate such controls.
31700-2 provides illustrative use cases, with associated analysis, chosen to assist readers to understand the requirements of 31700-1.
Existing data protection legislation requires that appropriate technical and organisational measures are in place to ensure the principles of data protection are implemented effectively; however, there is no standardised guidance available for organisations to help them shape what this means in practice. This is where ISO 31700 can help.
Standards 31700-1 (requirements) and 31700-2 (use cases) will help organisations to understand how consumer protection and Privacy by Design are implemented and maintained in practice, by setting out and demonstrating how the requirements can be adopted across IT systems, business processes and practices, building security, and network infrastructure.
The Standard provides a greater level of detail than existing legislation, allowing organisations to move more easily from principle to practice. When considering the Standard, organisations can begin by performing a gap analysis on their existing processes, products and services, measuring them against the thirty requirements to identify where improvements may be needed.
Trilateral Research’s Data Protection Advisors can help you with your data protection compliance needs, considering all available standards and best practices. Get in touch with us today to find out how we can help.