Celebrating Data Privacy Week 2023: Understanding ISO 31700 and Privacy By Design

Data Privacy Day and Data Privacy Week are annual events that raise awareness about the importance of protecting personal information. The events promote a culture of privacy, empower individuals to take control of their personal information, and encourage businesses to reflect on their approach to privacy in their daily operations. This year, as we celebrate Data Privacy Week, it is an opportune time to examine the impending International Standards Organization and International Electrotechnical Commission 31700 (or ISO/IEC 31700) standard for privacy by design for consumer goods and services, which is set to be adopted on February 8, 2023.

What is Privacy By Design?

One of the key principles of privacy by design is “privacy by default”, which means that the most privacy-protective options are set as the default setting and that privacy settings should be user-friendly and easy to understand. The earliest approach to privacy by design, also known as PbD, dictated seven principles that organizations could follow to incorporate privacy into the design and development of systems and processes from the ground up, greatly enhancing the protection of personal information:

  • “Proactive not Reactive; Preventative not Remedial”: Anticipate and prevent privacy events before they occur.
  • “Privacy as the Default Setting”: Protect data to the maximum extent possible even if the user does nothing.
  • “Privacy Embedded into Design”: Rather than attempt to bolt privacy on later, build it in from the ground up.
  • “Full Functionality – Positive-Sum, not Zero-Sum”: Find ways to cover legitimate use of data without making concessions that compromise its protection.
  • “End-to-End Security – Full Lifecycle Protection”: Secure data throughout its entire use, then retain and remove it as soon as is appropriate.
  • “Visibility and Transparency – Keep it Open”: Build trust by allowing independent verification of data protection practices for both users and data providers.
  • “Respect for User Privacy – Keep it User-Centric”: Focus on the user and their privacy as a top priority, making it easy for users to secure their information, and protecting it as if it were your own.

Privacy by design targets IT systems, business processes, and physical design and network infrastructure. It is intended to protect data of all kinds, but particularly sensitive data like personal information. The goal for organizations is not only to better protect data, but to gain a competitive advantage through the approach.

What is ISO 31700 and Privacy By Design?

The adoption of the ISO 31700 standard for privacy by design has received a positive reaction, with PbD experts like Ann Cavoukian stating that it brings new life to the concept of privacy by design. The standard is intended for use by companies of all sizes, from startups to global enterprises, and aims to proactively incorporate privacy into the design of an organization’s operations. The stated focus of ISO/IEC 31700 is to better protect consumer data, particularly personal information: “Consumers’ trust and how well individual privacy needs are met, are defining concerns for the digital economy. This includes how their personally identifiable information (or PII) and other data, are processed by the organization as well as by the digital goods and services. When PII has been compromised because of lax, inadequate or insufficient security measures, it can have serious consequences for consumers.”

What is Data Privacy Day and Data Privacy Week?

Data Privacy Day is celebrated on January 28th and serves as a reminder for individuals and organizations to review and improve their data privacy practices. Data Privacy Week is an annual event that promotes a culture of privacy and empowers individuals to take control of their personal information.

What is the ISO/IEC 31700 standard for privacy by design?

The ISO/IEC 31700 standard provides guidelines for organizations to implement privacy protections throughout the development and lifecycle of their products and services, with the goal of protecting personal data from potential misuse or abuse. It aims to help organizations build privacy into their systems and processes from the start, rather than trying to add it on later.

How can organizations implement the guidelines of the ISO/IEC 31700 standard?

Organizations can implement the guidelines of the ISO/IEC 31700 standard by identifying and assessing privacy risks, developing and implementing privacy policies and procedures, communicating with stakeholders about privacy issues, ensuring that third-party service providers also adhere to privacy principles, and continuously monitoring and auditing systems for compliance.

What is privacy by design?

Privacy by design is a principle that organizations can follow to incorporate privacy into the design and development of systems and processes from the ground up to greatly enhance the protection of personal information. This includes setting the most privacy-protective options as the default setting, building privacy into the design from the ground up, and focusing on the user and their privacy as a top priority.

How does the ISO/IEC 31700 standard for privacy by design help organizations meet regulatory requirements?

The ISO/IEC 31700 standard for privacy by design helps organizations meet regulatory requirements to protect individuals’ personal information throughout all aspects of a consumer product or service. It can assist organizations in meeting specific privacy regulations such as the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).
