7 steps to comply with ISO 31700-1:2023 (standard on Privacy by Design)

This standard looks to define clear rules for organizations around how consumers’ personal information is processed and how consumer privacy is addressed throughout the product lifecycle

Linda Thielova
OneTrust DPO, Head of Privacy Center of Excellence
February 10, 2023

On January 31, 2023, the International Standards Organization (ISO) published a new standard, ISO 31700-1:2023, on Privacy by Design for consumer goods and services. Privacy by Design (PbD) was introduced as a concept back in 1995 by the Information and Privacy Commissioner of Ontario, Canada, with the goal that privacy should be integrated into products, services and systems by default.

Today, PbD is a legal requirement under many prominent privacy regulations across the world, including the General Data Protection Regulation (GDPR).

What are the principles of Privacy by Design?

Privacy by Design has seven main principles for organizations to keep in mind during the design process.

Proactive not reactive; preventative not remedial

Instead of reacting to privacy risks or invasions after they happen, companies actively build processes and procedures to prevent them from occurring in the first place.

Privacy as the default

When browsing a website, or logging into an app or software, the last worry on a user’s mind should be their privacy. Privacy as Default means your users automatically receive the highest level of data protection throughout their experience. 

This includes concepts such as collection limitation and data minimization, where you collect and store the minimum amount of data required.

Privacy embedded into design

Privacy shouldn’t be something to slap on to a product or service after it’s been designed – it needs to be part of the development process, with each design stage accounting for user privacy checks.

Full functionality – Positive-sum, not zero-sum

Incorporating privacy into the user experience of a product or service is not a zero-sum game. In other words, privacy-first practices don’t have to come at the expense of user experience; in fact, they enhance it.

End-to-end Security – Lifecycle protection

From the moment your organization collects user data to the point it’s destroyed, a critical part of PbD is making sure this data is secure at every stage of the data lifecycle. 

Visibility and transparency – Keep it open

Your users should never be in the dark about how you deal with their data. Transparency leads to trust, and this journey is made possible by clear documentation and communication. 

Respect for User Privacy – Keep it User-Centric

The best user experience puts privacy first and respects the user’s privacy interests. This is done by providing users with control over how their data is used and gathering their feedback along the way.

Privacy by Design in regulations across the world

Given how the principles above form a natural framework for organizations to follow to ensure user privacy is a part of their business model, it’s no surprise that these principles have found their way into many prominent privacy regulations across the world. 

Europe – GDPR

Article 25 of the GDPR is titled ‘Data protection by design and by default’ and states that data controllers are required to implement ‘appropriate technical and organizational measures’ to ensure data security and privacy rights are upheld. The UK GDPR includes the same measure as well.

US – California Consumer Protection Act (CCPA), as amended by Proposition 24

The CCPA, as amended, emphasizes Privacy by Design practices – with specific mentions for businesses to embed privacy into the design of their processes and IT systems. Mandates such as a clear link for users to opt out of the sale or sharing of their data, an option for users to limit the use of their sensitive personal information, and a focus on data minimization all point to Privacy by Design practices.

Brazil – Lei Geral de Protecao de Dados (LGPD)

The LGPD in Brazil requires businesses to have their data processes and systems designed with privacy as the ‘default setting’. They also need to be able to demonstrate how privacy has been incorporated into the product or service design to the ANPD, the enforcement body in Brazil. 

ISO PbD standard

The ISO’s new standard on Privacy by Design includes two parts. 

  1. ISO 31700-1:2023: High-level requirements for Privacy by Design 
  2. ISO 31700-2:2023: Use cases to help understand these requirements

Three guiding principles are outlined for unlocking the benefits of PbD.

Empowerment and transparency

This means promoting wider adoption of privacy-aware design, earning consumer trust, and satisfying the consumer need for robust privacy and data protection.

Institutionalization and responsibility

This means integrating the consumer perspective and their behavioral engagement and needs early into the product lifecycle process and respecting it throughout. This promotes consistency on customer privacy decisions and by extension helps to demonstrate leadership commitment to PbD.

Ecosystem and lifecycle

The PbD approach can be applied to broader information ecosystems that mix technologies and organizations. This holistic approach considers all stages of the product lifecycle and supports iterative approaches to product development, with enhancements deployed long after the initial design phase.

Based on these guiding principles, the standard focuses on how organizations can carry out the steps below to operationalize PbD effectively. 

1. Consider the different life cycles of consumer PII and the product/service life cycles.

For PbD efforts to succeed, the designers need to be mindful and accommodating for both life cycles.

2. Reference the ISO/IEC 27701 and the NIST Privacy Framework.

Organizations should operate a privacy information management system (PIMS), the kind of system ISO/IEC 27701 specifies, and use the NIST Privacy Framework as a reference for structuring their privacy program.

3. Design capabilities to enable consumers to exercise their privacy rights.

Determine consumer privacy preferences and give them control and choice (e.g., through a preference center, consent management platform). 

4. Ensure accountability for PbD.

Make sure you ask the following questions of your business.

  • Is responsibility for PbD appropriately distributed within the organization?
  • Are key skillsets represented?  
  • Are there sufficient awareness, knowledge sharing, and training practices on the operational elements of PbD?

5. Have transparent and up-to-date consumer communication in place.

Ensure your consumers know that they can configure privacy settings according to their preferences. The standard also calls out how organizations need to be aware of their diverse consumer population. This means different age groups, tech literacy levels, and technology access all need to be considered and reflected in the product/service design as well as in related documentation and communications. 

6. Conduct PIAs when required.

Use privacy impact assessments (PIAs) both as a PbD tool during design and as a means of managing privacy risks.

7. Integrate privacy controls throughout the company operations and the product life cycle.

The standard walks through how to achieve this to help your organization set up for PbD success. 

Apart from these PbD focused measures that the ISO standard mainly covers, it also touches on other requirements that are commonly covered as broader privacy compliance obligations, including vendor management, cybersecurity resilience design, and the communication of PII data breaches.

When addressing PbD, the standard not only mentions the possibility of severe consequences for an individual in the case of compromised personal data, but also the damage that the ensuing loss of trust will have on the organization.

How OneTrust can help

Implementing Privacy by Design for your organization can seem like a daunting task at first.

OneTrust can help your organization embed PbD in its processes by consolidating information from internal and external stakeholders to provide a comprehensive view of how data is collected, the purpose for which it’s being used, where the data is located, the potential risks, and what protections are in place. Users can assess, track and report on privacy risk across assets, vendors, and processing activities for projects or products.

Deploy our Privacy by Design template into business tools like Jira so stakeholders can contribute technical and contextual information when it’s most relevant, with OneTrust PIA and DPIA Automation. With real-time analytics, you can show compliance with privacy regulations while demonstrating the value of your privacy program to relevant stakeholders.

Learn more about how OneTrust can help you on the journey to Privacy by Design with a free demo today. 
