On January 31, 2023, the International Standards Organization (ISO), published a new standard, ISO 31700-1:2023, on Privacy by Design for consumer goods and services. Privacy by Design (PbD) was introduced as a concept back in 1995 by the Information and Privacy Commissioner of Ontario, Canada, with the goal that privacy should be integrated into products, services and systems by default.
Today, PbD is now a legal requirement under many prominent privacy regulations across the world, including the General Data Protection Regulation (GDPR).
Privacy by Design has seven main principles for organizations to keep in mind during the design process.
Proactive not reactive; preventative not remedial
Instead of reacting to privacy risks or invasions when they happen, companies will actively build processes and procedures to prevent them from occurring in the first place.
Privacy as the default
When browsing a website, or logging into an app or software, the last worry on a user’s mind should be their privacy. Privacy as Default means your users automatically receive the highest level of data protection throughout their experience.
This includes concepts such as collection limitation and data minimization, where you collect and store the minimum amount of data required.
Privacy embedded into design
Privacy shouldn’t be something to slap on to a product or service after it’s been designed – it needs to part of the development process, with each design stage accounting for user privacy checks.
Full functionality – Positive-sum, not zero-sum
Incorporating privacy into the user experience of a product or service is not a zero-sum game. In other words, privacy-first practices don’t have to come at the expense of user experience, in fact, they enhance it.
End-to-end Security – Lifecycle protection
From the moment your organization collects user data to the point it’s destroyed, a critical part of PbD is making sure this data is secure at every stage of the data lifecycle.
Visibility and transparency – Keep it open
Your users should never be in the dark about how you deal with their data. Transparency leads to trust, and this journey is made possible by clear documentation and communication.
Respect for User Privacy – Keep it User-Centric
The best user experience puts privacy first, and respects the user’s privacy interests. This is done by providing with control over how their data is used and getting feedback along the way.
Given how the principles above form a natural framework for organizations to follow to ensure user privacy is a part of their business model, it’s no surprise that these principles have found their way into many prominent privacy regulations across the world.
Europe – GDPR
Article 25 of the GDPR is titled ‘Data protection by design and by default’ and states that data controllers are required to implement ‘appropriate technical and organizational measures’ to ensure data security and privacy rights are upheld. The UK GPDR includes the same measure as well.
US – California Consumer Protection Act (CCPA), as amended by Proposition 24
The CCPA, as amended, emphasizes Privacy by Design practices – with specific mentions for business to embed privacy into the design of their processes and IT systems. Mandates such as a clear link for users to opt-out of the sale or share of their data, an option for users to limit the use of their sensitive personal information, and a focus on data minimization all point to privacy by design practices.
Brazil – Lei Geral de Protecao de Dados (LGPD)
The LGPD in Brazil requires businesses to have their data processes and systems designed with privacy as the ‘default setting’. They also need to be able to demonstrate how privacy has been incorporated into the product or service design to the ANPD, the enforcement body in Brazil.
The ISO’s new standard on Privacy by Design includes two parts.
Three guiding principles are outlined for unlocking the benefits of PbD.
Empowerment and transparency
This means promoting wider adoption of privacy-aware design, earning consumer trust, and satisfying the consumer need for robust privacy and data protection.
Institutionalization and responsibility
This means integrating the consumer perspective and their behavioral engagement and needs early into the product lifecycle process and respecting it throughout. This promotes consistency on customer privacy decisions and by extension helps to demonstrate leadership commitment to PbD.
Ecosystem and lifecycle
The PbD approach can be applied to broader information ecosystems that mix technologies and organizations. This holistic approach considers all stages of the product lifecycle and supports iterative approaches to product development, with enhancements deployed long after the initial design phase.
Based on these guiding principles, the standard focuses on how organizations can carry out the steps below to operationalize PbD effectively.
1. Consider the different life cycles of consumer PII and the product/service life cycles.
For PbD efforts to succeed, the designers need to be mindful and accommodating for both life cycles.
2. Reference the ISO/IEC 27701 and the NIST Privacy Framework.
Organizations should follow a privacy information management system.
3. Design capabilities to enable consumers to exercise their privacy rights.
Determine consumer privacy preferences and give them control and choice (e.g., through a preference center, consent management platform).
4. Ensure accountability for PbD.
Make sure you ask the following questions of your business.
5. Have transparent and up-to-date consumer communication in place.
Ensure your consumers know that they can configure privacy settings according to their preferences. The standard also calls out how organizations need to be aware of their diverse consumer population. This means different age groups, tech literacy levels, and technology access all need to be considered and reflected in the product/service design as well as in related documentation and communications.
6. Conduct PIAs when required.
This includes both as a PbD tool and to manage privacy risks.
7. Integrate privacy controls throughout the company operations and the product life cycle.
The standard walks through how to achieve this to help your organization set up for PbD success.
Apart from these PbD focused measures that the ISO standard mainly covers, it also touches on other requirements that are commonly covered as broader privacy compliance obligations, including vendor management, cybersecurity resilience design, and the communication of PII data breaches.
When addressing PbD, the standard not only mentions the possibility of severe consequences for an individual in the case of compromised personal data, but also the damage that the ensuing loss of trust will have on the organization.
Implementing Privacy by Design for your organization can seem like a daunting task at first.
OneTrust can help your organization embed PbD in its processes by consolidating information from internal and external stakeholders to provide a comprehensive view for how data is collected, the purpose for which its being used, where the data is located, the potential risks and what protections are in place. Users can assess, track and report on privacy risk across assets, vendors, processing activities for projects or products.
Deploy our Privacy by Design template into business tools like Jira so stakeholders can contribute technical and contextual information when its most relevant, with OneTrust PIA and DPIA Automation. With real-time analytics, you can show compliance with privacy regulations while demonstrating the value of your privacy program to relevant stakeholders.
Learn more about how OneTrust can help you on the journey to Privacy by Design with a free demo today.