The start of a new year always brings New Year’s resolutions. If privacy by design is one of yours (just months after the Irish watchdog announced a €265 million fine for a breach of this concept, it seems reasonable to have it on your radar), 2023 is off to a good start with a new “privacy by design” international standard. On January 31, 2023, the International Organization for Standardization (ISO) published the standard numbered ISO 31700, officially titled “Consumer protection – Privacy by design for consumer goods and services.” It consists of two parts: a list of requirements (31700-1) and use cases (31700-2). The standard is due to be adopted by ISO on February 8.
The new standard bears an obvious resemblance to “data protection by design and by default” – a concept that is well known to companies striving to comply with (and operationalize the requirements of) the General Data Protection Regulation (GDPR). It is, therefore, worth exploring whether the two have anything in common and, if so, whether the new regime brings any good news to those dealing with the GDPR.
A Quick Overview
ISO is a global network of national bodies tasked with setting standards in different areas to address, for example, technology or societal issues. In essence, an ISO standard is an internationally recognized way of doing “things.” Some standards allow businesses to (voluntarily) certify as operating at that level if they meet the prescribed specifications and pass appropriate reviews.
On the other hand, privacy by design is a concept calling for the integration of privacy into the design and architecture of systems and business practices. Initially developed in 2009 by the Information and Privacy Commissioner of Ontario, it became an express requirement under EU law following the adoption of the GDPR. Article 25 GDPR requires all data controllers to embed data protection by design (and by default, which is a complementary concept) into their processes from the design stage and throughout their life cycle.
“Data protection by design” means that controllers must apply appropriate technical and organizational measures to their processing of personal data. There is no exhaustive list of measures, and they may vary depending on the available technology, circumstances of the processing, costs and risk assessment. The bottom line is that any design must respect data protection principles and rights. “Data protection by default” builds upon this requirement and prevents controllers from using default settings that result in “excessive” processing. Further guidance on how to operationalize these obligations is provided by the European Data Protection Board (EDPB) guidelines. For example, in relation to transparency, EDPB clarifies that this would entail clear and plain language, accessibility, timeliness, etc.
ISO 31700 lays down 30 requirements for embedding data privacy into consumer products and services. Like the EDPB’s approach, it does not specify thresholds or steps but keeps the ruleset high-level and provides examples for better understanding.
The standard revolves around a few pillars, each consisting of several privacy requirements. For example, the “consumer communication” pillar instructs on how to provide consumers with privacy information, respond to inquiries and complaints or prepare a data breach communication. The “risk management” pillar addresses processes such as privacy risk assessments or third-party due diligence. Further, there is an entire pillar dedicated to “privacy controls” such as data breach management. ISO 31700 also covers many other requirements, including the enforcement of consumers’ privacy rights, the assignment of relevant roles and authorities and allowing for the determination of consumer privacy preferences.
ISO 31700 is not directly linked to the EU data protection framework, but some overlaps do exist. For example, it adopts a “GDPR-ish” definition of personal information, and many of its requirements mirror those of the GDPR; the obligations to provide privacy information and to ensure the enforcement of privacy rights are just two examples. Also, the standard’s listed sources clearly reveal that both the GDPR and the EDPB’s guidelines were used in the preparation of ISO 31700.
So, what is the relationship between ISO 31700 and the GDPR’s privacy by design and by default requirement? For now, officially, none. Conformity with the ISO standard does not equate to complying with the GDPR (and vice versa), and businesses looking to adhere to the GDPR must still observe its requirements separately.
By all means, ISO 31700 should prove to be helpful for organizations. For those developing technical and organizational measures and safeguards under the GDPR, the standard can serve as an inspiration – a sort of “cheat sheet” with guidance and ideas. Also, the EDPB itself encouraged controllers to make use of certifications and codes of conduct available on the market. This suggests that companies relying on international standards may find it easier to showcase their compliance to authorities or build trust with consumers, which could also prove to be a strategic advantage over competitors. Finally, it is worth remembering that the GDPR foresees the introduction of special certification mechanisms based on GDPR criteria. In providing guidance on this topic, the EDPB accepted that the certification criteria may be drawn up in observance of the ISO standards. There is certification for (almost) everything; here is another set of standards that could serve as a relevant compliance benchmark.