Fourteen years after being introduced by the Canadian Privacy Commissioner, Privacy by Design (PbD) is about to become an international privacy standard for protecting consumer products and services.
On 8 February, the International Organization for Standardization (ISO) will adopt PbD as ISO 31700.
ISO is a network of 167 national standards bodies. It sets more than 24,000 standards, including ISO 27001 for information security management systems, some of which allow organizations to be certified for compliance after passing reviews by auditing firms such as Deloitte, KPMG, and PwC.
Initially, however, ISO 31700 will not be a conformance standard.
“It’s amazing that ISO is doing this,” said PbD creator Ann Cavoukian, now executive director of the Toronto-based Global Privacy and Security by Design Centre. “It is too big.”
“We think this will be a major milestone in privacy.”
Unveiled in 2009, Privacy by Design is a set of principles that demand that privacy be taken into account throughout an organization’s data management process.
It has since been adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities, and has been incorporated into the European General Data Protection Regulation (GDPR). However, only organizations that hold data on European residents are obligated to comply with the GDPR. In 2018, ISO formed a group to begin planning to incorporate PbD into its standards.
Adoption by ISO “gives life to the concept of privacy by design being implemented,” Cavoukian said, “helping organizations figure out how to do it. Designed to be used by enterprises, organizations of all sizes. With any product, you can make this standard work because it’s easy to adopt. We’re hoping that privacy is actively embedded in the design of [an organization’s] operations and it will complement data protection laws.”
As a guideline, Privacy by Design applies to IT systems, accountable business practices, and the physical design and network infrastructure.
As originally written, PbD has seven principles, which state that privacy should be the default setting of an organization (no action is required by an individual to protect their privacy), that it is embedded in the design of IT systems and business practices, and that it is part of the entire data lifecycle.
The final ISO 31700 standard is more detailed, with 30 requirements. A draft of the standard suggests it will be 32 pages long. It includes general guidance on designing capabilities to enable consumers to enforce their privacy rights, assigning relevant roles and authorizations, providing consumers with privacy information, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, how to design privacy controls, lifecycle data management, and preparing for and managing a data breach.
The proposed introduction notes that privacy by design refers to a number of methodologies for product, process, system, software and service development. The proposed bibliography that accompanies the document refers to other standards with more detailed requirements on identifying personal information, access controls, consumer consent, corporate governance, and other topics.
Along with the standard, a separate document will outline possible use cases.
The launch will be marked by a one-hour webinar providing an overview of the standard for business managers, company owners, consumer privacy advocates, and technology practitioners.
Cavoukian reiterated an argument she’s made for years: Privacy can be a competitive advantage for businesses that embrace it. “Dated either or get rid of the secrecy and business model,” she said. “It can be a win-win. It’s privacy and business interest. You can do both.”