Privacy by Design

New ISO standard to increase consumer privacy

Published: 20 Jan 2023

Privacy by Design to be incorporated into a new ISO standard next month.

This February, the International Organization for Standardization (ISO) will adopt Privacy by Design (PbD), a set of principles created by Dr Ann Cavoukian, Executive Director of the Toronto-based Global Privacy and Security by Design Centre, as a new international privacy standard for the protection of consumer products and services (ISO 31700).

Cavoukian, former Information & Privacy Commissioner of Ontario, Canada, designed PbD in 2009 to focus on the need for privacy to be considered throughout data management processes. The set of principles, which will be included in ISO 31700-1 Consumer protection — Privacy by design for consumer goods and services, advises that privacy processes should be within an organisation’s default setting, embedded into IT systems and business practices so that consumers are not tasked with protecting their own privacy.

“[ISO 31700] embraces win-win privacy solutions for organisations and consumers working together, towards the next generation of privacy-respectful consumer products ranging from social media to banking and even clothing.”

- ISO/PC 317 communications group

The set of principles had been implemented by the International Assembly of Privacy Commissioners and other data protection authorities and was also adopted into the European General Data Protection Regulation (GDPR). Speaking to the CQI, Cavoukian commented:

“Managers should be most interested in this because companies who have been certified in Privacy by Design have said that their customers have spoken of how the quality of their offering has gone up dramatically, and as a result, they have gained a competitive advantage. And now Privacy by Design has been made into an ISO standard — the ultimate protection! Never give up on privacy, which forms the foundation of our freedom.”

In 2018, ISO formed the technical committee ISO/PC 317 Consumer protection: Privacy by design for consumer goods and services, to start planning for the inclusion of PbD in its standards. While ISO 31700 will not initially be a conformance standard, it will be far more detailed than the set of principles, with a total of 30 requirements. The new ISO standard will include general guidance on designing privacy controls, enabling consumers to enforce their privacy rights, giving privacy information to consumers, handling data breaches and conducting privacy risk assessments, among other key issues.

Speaking to the CQI about the standard, the ISO/PC 317 communications group said:

“ISO 31700 promotes and standardises privacy practices – including alignment with quality, security, and other organisational systems – across all types of goods and services, so consumers can enjoy technology and other consumer products without sacrificing their privacy. The standard embraces win-win privacy solutions for organisations and consumers working together, towards the next generation of privacy-respectful consumer products ranging from social media, to banking and even clothing.”

To coincide with the launch on February 8, a webinar on the new standard will take place, with guest speakers including Dr Cavoukian and Jan Schallaboeck, Chair of the technical committee ISO/PC 317.

Read about more privacy standards, such as ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection.