On February 8th, the International Organization for Standardization (ISO) will officially adopt Privacy by Design (PbD) as an international privacy standard. The standard, published as ISO 31700, builds on a framework introduced by a Canadian privacy commissioner 14 years ago and is aimed at protecting consumers' privacy in consumer products and services.
The ISO is a network of 167 national standards bodies that sets over 24,000 standards, including ISO 27001 for information security management systems. Organisations can be certified for compliance with such standards after passing a review by auditing firms like Deloitte, KPMG, and PwC. It is worth pointing out, however, that ISO 31700 will not initially be a conformance standard, so organisations will not be able to obtain certification against it at launch.
PbD creator Ann Cavoukian, now executive director of the Toronto-based Global Privacy and Security by Design Centre, is enthusiastic about the ISO's adoption of PbD. Cavoukian calls it “huge” and “a major milestone in privacy.”
Unveiled in 2009, Privacy by Design is a set of principles that calls for privacy to be taken into account throughout an organisation’s data management process. Since then, it has been adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities and incorporated into the European General Data Protection Regulation (GDPR). However, only organisations that hold data of European residents are obliged to follow the GDPR. In 2018, the ISO formed a working group to begin planning for the inclusion of PbD in its standards.
Adoption by the ISO “gives life to operationalising the concept of Privacy by Design,” said Cavoukian, “helping organisations figure out how to do it. The standard is designed to be utilised by a whole range of companies – startups, multinational enterprises, and organisations of all sizes. You can make this standard work with any product because it’s easy to adopt. We’re hoping privacy will be pro-actively embedded in the design of [an organisation’s] operations, and it will complement data protection laws.”
As a guideline, Privacy by Design applies to IT systems, accountable business practices, and physical design and networked infrastructure. It has seven principles, including that privacy should be an organisation’s default setting, embedded into the design of IT systems and business practices, and part of the entire data lifecycle. The final ISO 31700 standard is more detailed, running to 32 pages with 30 requirements. It includes general guidance on designing capabilities that enable consumers to enforce their privacy rights, assigning relevant roles and authorities, providing privacy information to consumers, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, designing privacy controls, managing data across its lifecycle, and preparing for and managing a data breach.
The launch of the standard will be marked by a one-hour webinar giving an overview of the standard for business managers, company owners, consumer privacy advocates, and technology practitioners. Cavoukian also emphasises that privacy can be a competitive advantage for businesses that adopt it and that it’s possible to balance privacy and business interests.