This time of year, we raise awareness about the importance of protecting personal information through the annual event of Data Privacy Day and Data Privacy Week wrapped around it. Data Privacy Day itself is celebrated on January 28th and it serves as a reminder for individuals and organizations to review and improve their data privacy practices. This includes taking steps to protect personal information online and offline, such as through privacy by design, understanding how personal information is collected, used and shared, and learning about the rights and tools that individuals have to control their personal information.
Data Privacy Day and Data Privacy Week promote a culture of privacy, empower individuals to take control of their personal information, and encourage businesses to reflect on the approach they’re taking to privacy in their daily operations. It is a time to reflect on our personal and professional practices and consider how we can better protect our privacy and the privacy of those around us.
What better way to celebrate this year than by examining the impending International Organization for Standardization and International Electrotechnical Commission 31700 (or ISO/IEC 31700) standard for privacy by design for consumer goods and services, being adopted on February 8, 2023. The standard provides guidelines for organizations to implement privacy protections throughout the development and lifecycle of their products and services, with the goal of protecting personal data from potential misuse or abuse. It aims to help organizations build privacy into their systems and processes from the start, rather than trying to add it on later.
ISO/IEC 31700 is an international standard that provides a framework for organizations to incorporate privacy considerations into their products and services, throughout the entire lifecycle of the system. It aims to help organizations to:
- Identify and assess privacy risks
- Develop and implement privacy policies and procedures independently and as part of other procedures, including cybersecurity resilience and breach management
- Communicate with stakeholders about privacy issues
- Ensure that third-party service providers also adhere to privacy principles, and
- Continuously monitor and audit systems for compliance
This standard is intended to help organizations build privacy into their systems and processes from the start, rather than trying to add it on later, and it can be certified and audited, which can help organizations demonstrate their commitment to privacy to customers and regulators.
By implementing the guidelines of ISO/IEC 31700 standard, organizations can help ensure that they meet regulatory requirements to protect individuals’ personal information throughout all aspects of a consumer product or service. And as we’ll outline below, this standard will assist in meeting specific privacy regulations, including the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).
What is Privacy By Design?
One of the key principles of privacy by design is “privacy by default,” which means that the most privacy-protective options are set as the default settings and that privacy settings should be user-friendly and easy to understand.
The earliest approach to privacy by design, also known as PbD, came from Ann Cavoukian and set out seven principles that organizations could follow to incorporate privacy into the design and development of systems and processes from the ground up, greatly enhancing the protection of personal information:
- “Proactive not Reactive; Preventative not Remedial”: Anticipate and prevent privacy events before they occur.
- “Privacy as the Default Setting”: Protect data to the maximum extent possible even if the user does nothing.
- “Privacy Embedded into Design”: Rather than attempt to bolt privacy on later, build it in from the ground up.
- “Full Functionality – Positive-Sum, not Zero-Sum”: Find ways to cover legitimate use of data without making concessions that compromise its protection.
- “End-to-End Security – Full Lifecycle Protection”: Secure data throughout its entire use, then retain or remove it as soon as is appropriate.
- “Visibility and Transparency – Keep it Open”: Build trust by allowing independent verification of data protection practices for both users and data providers.
- “Respect for User Privacy – Keep it User-Centric”: Focus on the user and their privacy as a top priority, making it easy for users to secure their data, and protecting it as if it were your own.
Privacy by design targets IT systems, business processes, and physical design and network infrastructure. It is intended to protect data of all kinds, but particularly sensitive data like personal information. The goal for organizations is to not only better protect data, but to gain a competitive advantage through the approach.
ISO 31700 and Privacy By Design
The adoption of ISO 31700 standard for privacy by design has received positive reaction, with PbD experts like Ann Cavoukian stating that it brings new life to the concept of privacy by design. The standard is intended for use by companies of all sizes, from startups to global enterprises, and aims to proactively incorporate privacy into the design of an organization’s operations.
The stated focus of ISO/IEC 31700 is to better protect consumer data, particularly personal information:
Consumers’ trust and how well individual privacy needs are met, are defining concerns for the digital economy. This includes how their personally identifiable information (PII) and other data, are processed by the organization as well as by the digital goods and services. When PII has been compromised because of lax, outdated or non-existent privacy practices, the consequences for the individual can be severe. In addition, there can be damage to consumer trust of the digital product and potentially legal or reputational impact to the business.
The standard will include about 30 requirements and guidelines for implementing the principle of privacy by design, such as conducting privacy risk assessments, documenting privacy controls and data management, and preparing measures for incident management and response to data breaches. It is important to note that this standard not only serves to better protect personal data, but also provides an opportunity for companies to strengthen their business. As sensitivity towards data privacy continues to increase, it is crucial for organizations to take proactive steps towards compliance and adaptation.
In addition, ISO 31700 will help companies address regulatory requirements, such as Article 25 of GDPR. The section, entitled “Data protection by design and by default,” requires that organizations take a proactive approach to protecting personal data by incorporating data protection principles into their systems and processes from the start. This includes conducting privacy impact assessments to identify potential risks and taking steps to mitigate those risks. Organizations are also required to implement appropriate technical and organizational measures to ensure that data is protected by default, such as using encryption and anonymization techniques. Additionally, organizations are required to ensure that only the personal data that is necessary for the specific purpose is processed, and that the data is not kept for longer than necessary.
Overall, ISO/IEC 31700 will address the goal of Article 25 and other regulatory requirements from around the world, ensuring that organizations take a proactive approach to protecting personal data and embedding data protection principles into their systems and processes from the ground up.
During Data Privacy Week, it is important to remember the importance of protecting personal information and the role that privacy by design plays in this. By implementing PbD practices, organizations can help ensure that individuals’ personal information is protected, and they can demonstrate their commitment to data protection to customers and regulators. These days, that’s seen as a competitive advantage that we should all increasingly value.