In January 2023, the International Standards Organization (ISO) published ISO 31700-1:2023 and ISO/TR 31700-2:2023 standards on consumer protection and Privacy by Design for consumer goods and services. Privacy by design is an approach to data privacy that emphasizes the need to consider privacy from the outset of any project or initiative that involves the collection, use, or disclosure of personal information.
The term was first coined in a report by Ontario Information and Privacy Commissioner in 2010 and has since been endorsed by data privacy regulators around the world.
In January 2023, The International Organization for Standardization (ISO) adopted PbD as ISO 31700!
The key principle of privacy by design is that privacy should be built into all aspects of a project or initiative, rather than being tacked on as an afterthought. This means considering privacy at every stage of development, from planning and design to implementation and operation.
There are a number of ways to operationalize privacy by design, but some common elements include:
- Incorporating privacy into decision-making processes;
- Building Privacy into products and services from the ground up;
- Conducting risk assessments that consider potential impacts on privacy;
- Minimizing the collection and use of personal information;
ISO sets over 24,000 standards, including ISO 27001 for information security management systems, some of which organizations can be certified for compliance with after passing a review by auditing firms like our Solution Partner Prox.
Unveiled in 2009, Privacy by Design is a set of principles that calls for privacy to be taken into account throughout an organization’s data management process.
Since then it has been adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities and incorporated in the European General Data Protection Regulation (GDPR). However, only organizations that hold data of European residents are obliged to follow the GDPR. In 2018, the ISO formed a group to start planning for the inclusion of PbD in its standards.
Adoption by the ISO “gives life to operationalizing the concept of Privacy by Design,” said Ann Cavoukian, “helping organizations figure out how to do it. The standard is designed to be utilized by a whole range of companies — startups, multinational enterprises, and organizations of all sizes. With any product, you can make this standard work because it’s easy to adopt. We’re hoping privacy will be pro-actively embedded in the design of [an organization’s] operations and it will complement data protection laws.”
As a guideline, Privacy by Design applies to IT systems, accountable business practices, and physical design and networked infrastructure.
As originally written, PbD has seven principles, including those stating that privacy should be an organization’s default setting (no action is required by an individual to protect their privacy), it is embedded into the design of IT systems and business practices, and it is part of the entire data lifecycle.
In January 2023, the International Standards Organization (ISO) published ISO 31700-1:2023 and ISO/TR 31700-2:2023 standards on consumer protection and PbD for consumer goods and services. It includes general guidance on designing capabilities to enable consumers to enforce their privacy rights, assigning relevant roles and authorities, providing privacy information to consumers, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, how to design privacy controls, lifecycle data management, and preparing for and managing a data breach.