Read the Gartner® Market Guide for Consent and Preference Management
Access now
Skip to content

Privacy by Design as an ISO Standard

Posted: January 17, 2023

The International Organization for Standardization (ISO) has published over 24,500 standards covering everything from shoe sizes (ISO 9407) to wine glasses (ISO 3591). 

Next month, the ISO will adopt a new standard: Privacy by Design (ISO 31700).  

This long-established concept has become an integral part of data protection and privacy compliance. Privacy by Design’s adoption as an ISO standard shows how crucially important privacy is for every business. 

 

What is Privacy by Design? 

Privacy by Design started as a set of seven principles espoused by Ann Cavoukian, former Ontario Information and Privacy Commissioner.  

Privacy by Design aims to integrate privacy as the “default mode of operation”. The concept can be applied to systems of all kinds, such as IT systems, apps, business practices and network infrastructure. 

Here are the original Privacy by Design principles: 

  1. Proactive not Reactive: Privacy should be built into a system from the start, rather than added as an afterthought. 
  2. Privacy as the Default: Privacy settings should be set to the highest level by default, with individuals having to opt-out if they want to share more information. 
  3. Privacy Embedded into Design: Privacy should be an integral part of the design and development of a system, rather than tacked on as a separate layer. 
  4. Full Functionality: A system should not have to sacrifice functionality to be private, and individuals should be able to control their own privacy settings. 
  5. End-to-End Security: Data should be secure throughout its entire lifecycle, from collection to erasure. 
  6. Visibility and Transparency: People should be able to easily see and understand what data is being collected about them and how it is being used. 
  7. Respect for User Privacy: Systems should be designed with the understanding that privacy is a fundamental right and should be respected at all times. 

A concept similar to Privacy by Design was adopted in Article 25 of the EU General Data Protection Regulation (GDPR): “Data protection by design and by default”. This provision requires controllers to embed the GDPR’s principles of data processing into their systems and practices. 

 

Privacy by Design as an ISO Standard 

As noted, the ISO publishes standards covering all sorts of technical and organisational practices. 

Important privacy and security standards exist already, including ISO 27701 (Privacy Information Management) and ISO 27001 (Information Security).  

Companies seeking to improve their data protection and privacy posture can implement these ISO standards and (in some cases) certify with a certification body to demonstrate their compliance. 

ISO’s adoption of Privacy by Design is an endorsement of the concept—but perhaps not the most important endorsement that the concept has. As mentioned above, the GDPR’s concept of “Data protection by design and by default” is a legal requirement in the EU and UK. 

But laws outside of Europe are also introducing principles central to Privacy by Design.  

For example, the California Privacy Rights Act (CPRA), which took effect on January 1st 2023, requires that any collection or use of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” 

Organisations seeking to meet and exceed these emerging legal requirements could consider implementing ISO 31700.  

 

What will ISO 31700 look like? 

ISO 31700 is a “consumer protection” standard. A preview of the standard shows that it consists of 32 pages covering over 30 individual requirements, including: 

  • Provision of privacy information 
  • Responding to consumer inquiries and complaints 
  • Conducting privacy risk assessments 
  • Implementing privacy controls 
  • Preparing for breach management 

The ISO intends to adopt Privacy by Design on February 8, 2023. 

 

Why you should be implementing Privacy by Design

Improving privacy enhances customer trust and reduces legal and reputational risks for your brand. Implementing ISO 31700 should be a good step towards improving your organisations data usage. 

A consent and preference management solution like Cassie can support you in developing long-term relationships with your customers, helping you drive loyalty, engagement and sales through a deeper insight into customer preference across all your channels.

Cassie will enable you to operate at speed across your digital estate and personalise customer experiences compliantly and support your Privacy by Design efforts.