Fourteen years after being introduced by Ontario's then privacy commissioner, Privacy by Design (PbD) is about to become an international standard for protecting privacy in consumer products and services.
On Feb. 8, the International Organization for Standardization (ISO) will adopt PbD as ISO 31700.
The ISO is a network of 167 national standards bodies. It maintains over 24,000 standards, including ISO 27001 for information security management systems. Some of these are conformance standards: an organization can be certified against them after passing a review by an accredited third-party auditor (large audit firms such as Deloitte, KPMG, and PwC perform such reviews).
Initially, however, ISO 31700 will not be a conformance standard, so there will be no certification against it, at least at first.
“It’s amazing that ISO is doing this,” said PbD creator Ann Cavoukian, now executive director of the Toronto-based Global Privacy and Security by Design Centre. “It’s huge.”
“We think it will be a major milestone in privacy.”
Unveiled in 2009, Privacy by Design is a set of seven principles that calls for privacy to be taken into account throughout an organization's data management process, from collection to deletion.
Since then it has been endorsed by the International Conference of Data Protection and Privacy Commissioners (now the Global Privacy Assembly), and the European General Data Protection Regulation (GDPR) built on it in its requirement for data protection by design and by default (Article 25). However, the GDPR binds only organizations that are established in the EU or that process the personal data of people in the EU. In 2018, the ISO formed a working group to start planning the inclusion of PbD in its standards.
Adoption by the ISO “gives life to operationalizing the concept of Privacy by Design,” said Cavoukian, “helping organizations figure out how to do it. The standard is designed to be utilized by a whole range of companies — startups, multinational enterprises, organizations of all sizes. With any product, you can make this standard work because it’s easy to adopt. We’re hoping privacy will be proactively embedded in the design of [an organization’s] operations and it will complement data protection laws.”
As a framework, Privacy by Design spans three areas: IT systems; accountable business practices; and physical design and networked infrastructure.
As originally written, PbD has seven principles. Among them: privacy is the default setting (an individual need take no action to protect their privacy, because the most privacy-protective option is what they get unless they choose otherwise); privacy is embedded into the design of IT systems and business practices rather than bolted on afterwards; and protection is end to end, covering the entire lifecycle of the data from collection through retention to secure destruction.
The final ISO 31700 standard is more detailed, with 30 requirements. A draft of the standard shows it will be 32 pages long. It includes general guidance on designing capabilities that let consumers exercise their privacy rights, assigning relevant roles and authorities, providing privacy information to consumers, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, designing those privacy controls, managing data across its lifecycle, and preparing for and managing a data breach.
The proposed introduction notes that Privacy by Design is not a single method but refers to several methodologies for product, process, system, software, and service development. The proposed bibliography that accompanies the document points to other standards with more detailed requirements on identifying personal information, access controls, consumer consent, corporate governance, and other topics.
Along with the standard itself, a separate companion document will describe possible use cases.
The launch will be marked by a one-hour webinar giving an overview of the standard for business managers, company owners, consumer privacy advocates, and technology practitioners.
Cavoukian repeated the argument she has made for years: Privacy can be a competitive advantage for businesses that adopt it. “Get rid of the dated either-or model of privacy and business,” she said. “This can be a win-win. It’s privacy and business interests. You can do both.”