The principles of Privacy by Design and Privacy by Default enshrined in the General Data Protection Regulation (GDPR) are intended to ensure that products and applications are developed in a more consumer-friendly way. The new ISO standard 31700 creates an international standard for this for the first time. We explain the most important requirements of the standard and what it means for companies.
What is in the new ISO 31700?
The ISO (International Organization for Standardization) published the two-part standard ISO 31700-1 and ISO 31700-2 on consumer protection and Privacy by Design for consumer goods and services on 8 February 2023. Corresponding requirements for data protection by design result directly from Art. 25 GDPR. The new ISO standard is intended to help establish a framework for the implementation of Privacy by Design. Initially, the standard is non-binding.
The ISO 31700 standard goes into greater detail than the original conceptual draft of 2009, by the then Privacy Commissioner of the Canadian Province of Ontario, Ann Cavoukian, and now contains 30 requirements instead of the seven principles.
ISO 31700-1 contains general guidance and advice on
- developing features that enable consumers to enforce their data protection rights,
- assigning relevant roles and powers,
- providing privacy information to consumers,
- conducting data protection risk assessments,
- defining and documenting requirements for data protection controls,
- designing data protection controls,
- managing data over the entire life cycle, and
- preparing for and dealing with data protection breaches.
The standard is not intended to contain specific requirements and methods, but rather to be understood as a general instruction for action.
Specific implementation guidance is then given in the separate document ISO 31700-2, using concrete examples. The standard puts consumer privacy rights and preferences at the centre of product development and operation. The use cases shown come from online retail, a fitness company and smart (networked) locking systems. Example system requirements are illustrated by a series of possible sequences of interactions between stakeholders and systems in a given ecosystem.
Relevance of ISO 31700 for companies
The standard is intended to create, for the first time, a proposal for the global standardisation of Privacy by Design and to emphasise the requirements from the consumer’s point of view. The approach is that compliance with the standard not only helps companies fulfil their data protection obligations, but also strengthens consumer trust in service providers. If the standard delivers on its promise, the (apparent) contradiction between privacy-compliant technology design and business success can be resolved.
The short formula is: Companies gain a competitive advantage through consumer acceptance.
Conclusion: non-binding often insufficient
Unfortunately, non-binding (albeit international) standards often fall short of expectations. A real impact on business practice is not to be expected for the time being. As is so often the case, voluntary self-commitment is not to be had without corresponding market pressure.
A certification option would be a first step in the right direction. Voluntary implementation by a critical mass of companies, which could raise such a requirement to the prevailing standard in practice, is unlikely unless companies receive something in return for such an investment.
The German original of this article was published by our partner activeMind AG.