ISO 31700: The New Consumer Privacy Standard
The International Organization for Standardization (ISO) plans to implement ISO 31700—a standard for privacy by design. With an effective date set for February 8th, the standard won’t enforce compliance at first; instead it’ll provide 30 requirements for privacy-by-design principles.
Executive Director of the Global Privacy and Security by Design Centre, Ann Cavoukian, says, “We’re hoping privacy will be proactively embedded in the design of [an organization’s] operations and it will complement data protection laws.”
ISO 31700 Defined
ISO 31700 is a new international standard for data privacy. It’s an essential framework for handling information security and data privacy in the modern world. ISO 31700 implements strict guidelines for incorporating privacy considerations throughout the development and usage of a consumer product, including protecting personal information during use.
ISO 31700 consists of guidelines that can be applied to any type of organization or industry depending on their specific needs. It offers recommendations for the process of managing privacy risks and the management structure needed within an organization to deal with these issues effectively.
ISO 31700 Requirements
The final ISO 31700 standard will detail 30 requirements, including general guidance on designing capabilities to enable consumers to enforce their privacy rights, assigning relevant roles and authorities, and providing privacy information to consumers.
Additionally, it will present privacy by design to safeguard privacy throughout the lifecycle of a consumer product—including domestic data processing by the consumer. ISO 31700 will share insight for conducting privacy risk assessments, establishing and documenting requirements for privacy controls, how to design privacy controls, lifecycle data management, and mitigating a data breach.
3 Guiding Principles of Privacy by Design
The concept of privacy by design was first introduced by Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada in the late 1990s. The goal was to ensure that privacy was considered throughout the development process of new technologies and products, and not simply as an afterthought.
The framework was developed as a response to the increasing amount of personal information being collected, stored, and shared by organizations and companies, as well as the growing number of data breaches and privacy violations. The 3 guiding principles of privacy by design are as follows:
- Empowerment and transparency: As people become more concerned about protecting their personal information (PII) in the digital age, there is a growing need for companies to be transparent and accountable when it comes to the design and operation of software systems that process PII. This includes providing clear privacy claims, using systematic methods for assessing privacy, and being open about how consumer privacy is being taken into account. The ultimate goal is to win consumer trust, achieve market success, comply with legal and regulatory requirements, and foster innovation by taking a consumer-centric approach to privacy considerations.
- Institutionalization and responsibility: Privacy by design focuses on the consumer perspective when institutionalizing robust privacy norms throughout the ecosystem. The consumer’s behavioral engagement with the product(s) and their privacy needs are considered early and throughout the lifecycle process. This way, decisions concerning consumer privacy needs will not only be more consistent and systematic, but also become a functional requirement alongside the interests of other stakeholders.
- Ecosystem and lifecycle: This method benefits both privacy and consumer protection by considering all relevant factors, even those beyond the control of a specific organization or component. This approach can be applied to all types of products and services that use personal information (PII), whether physical goods or intangible services such as software as a service. The framework is intended to be adaptable to the needs of organizations of all sizes and sectors, regardless of their location or maturity level.
What Does ISO 31700 Mean for Consumer Privacy and Protection?
Today’s consumers are more aware and conscious of data privacy than ever before. Their desire to make informed purchases presents organizations with a pressing need to provide ethical privacy frameworks. The goal of ISO 31700 is to empower consumers to have a greater say in their privacy rights and manage their data throughout its lifecycle.
The standard applies to companies that process personal data, including those that must comply with GDPR privacy regulations, which require organizations to conduct regular risk assessments. The ISO 31700 framework is helpful for this task because it provides guidance on identifying and assessing risks in various areas, including cybersecurity and privacy.
BigID’s Approach to ISO 31700
The ISO 31700 standard is a step forward in privacy protection. It ensures that companies and organizations consider their users’ privacy when designing products and services. In addition, data intelligence platforms like BigID can help your organization comply with all relevant regulations and laws on data privacy protection.
BigID’s advanced, data-driven compliance solutions help organizations protect all their sensitive data, support their privacy framework, implement privacy by design, and achieve compliance at scale. Here’s how:
- Discover all of your sensitive, regulated, and high-risk data
- Classify and catalog all types of sensitive data using NPL and ML techniques
- Identify high-risk users of sensitive data — and limit access to unauthorized users
- Automate end-to-end data subjects rights requests
- Mitigate risk with privacy impact assessments (PIA)
- Document third-party data sharing and cross border data transfers
- Manage policy-driven data retention and data minimization principles
- Remediate, retain or delete sensitive data at high risk
- Accurately determine impacted users after a data breach occurs and simplify incident response
- Align your data protection practices with the right privacy controls for IS 31700 compliance standards
Incorporating ISO 31700 sets a privacy-by-design standard that helps companies avoid noncompliance fees, expensive data breaches, reputational loss, and other costly liabilities. Set up a BigID demo to see how we can help you align with the ISO 31700 requirements, secure highly sensitive information, and build customer trust.