When the International Organization for Standardization (ISO) published ISO 31700 in early 2023, it gave organisations a clearer set of practical requirements for effective Privacy by Design (PbD) programmes. PbD, a hallmark of data privacy best practice, is an approach built on seven foundational principles that call for a privacy-first attitude, with privacy integrated into products, services and system designs by default rather than bolted on afterwards. Those principles provided a foundation, but they offered no concrete rules, methodologies or use-case examples for applying PbD in practice, leaving many organisations uncertain about what an effective approach looks like. ISO 31700 is intended to remedy that.
The importance of embedded privacy principles
PbD is an essential component of an organisation’s data privacy programme because it builds privacy-protecting processes and procedures into the whole product/service lifecycle, reducing privacy risk and the likelihood of breaches rather than reacting to them after the fact. The concept has gained significant traction as a requirement in various regulations, including the General Data Protection Regulation (GDPR). Under Article 25, the GDPR requires controllers to implement data protection by design and by default. However, the regulation does not prescribe an exhaustive list of measures: Article 25 expressly ties the choice of measures to the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks to individuals, so actual approaches vary from one organisation and processing activity to the next.
With European regulators increasingly penalising organisations for failure to comply with Article 25, it appears that many are not properly fulfilling the requirements of PbD. In recent years, large corporations have been fined millions for PbD failures, including one penalty that exceeded €400,000,000.
As a result, companies around the world are recognising the importance of PbD and beginning to incorporate its principles into their operations. Tech giants, for example, are increasingly incorporating privacy features directly into their products. From privacy-focused default settings to robust data encryption, privacy is appearing as a priority in product designs. Similarly, online retailers have implemented PbD by ensuring secure payment gateways, providing clear communication about data processing and offering user-friendly privacy settings for consumers to control their data. Various health care organisations that handle sensitive personal data have adopted PbD to safeguard patient information through secure data storage, controlled access and stringent privacy policies.
New ISO guidance
The European Data Protection Board (EDPB) has attempted to flesh out the Article 25 obligations in “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default”, but those guidelines are not a universal recipe. Their language is dense and their structure follows the GDPR’s own principles, so they presuppose that the reader is already familiar with the regulation and proficient in applying it, and they are of limited help to organisations outside the GDPR’s scope.
A response to this lack of clarity arrived from the ISO in early 2023 with the publication of ISO 31700, a globally relevant standard, with accompanying guidance, designed to help organisations integrate privacy and data protection measures into their processes, products and services. It is published in two parts: ISO 31700-1, which sets out the high-level requirements, and ISO/TR 31700-2, a technical report of use cases illustrating how to apply them. ISO 31700 focuses on PbD throughout the lifecycle of consumer goods and services. It outlines 27 detailed requirements organised into five broader categories:
- General Requirements: Addressing the preliminary elements that underpin compliance with PbD principles, including employee skills and education, consumer preferences and rights, and the definition of roles and responsibilities.
- Consumer Communication Requirements: Ensuring data subjects' rights are respected, and necessary communications are provided by the data controller.
- Risk Management Requirements: Defining elements for an efficient risk assessment methodology, including the privacy impact assessment (PIA) to evaluate potential privacy risks in new products or services.
- Development, Implementation and Functioning of Privacy Controls Requirements: Providing guidelines for selecting, implementing, monitoring and reviewing the privacy and security controls applied to processing activities.
- Personal Data End-Lifecycle Requirements: Specifying controls related to the end-lifecycle of personal data.
A human-centric focus
ISO 31700 brings a novel approach to PbD by providing specific guidelines and requirements for implementation. Traditionally, PbD compliance was associated with the operational level of a programme and the incorporation of privacy controls during product/service development. However, PbD is not just a tick-box exercise to put policies and procedures in place but requires a focus on the end-user experience. The new standard emphasises this human-centric focus by providing guidance on consumer communication, accountability for providing privacy information, determining privacy preferences, and designing human-computer interfaces for privacy.
This standard recognises that safeguarding privacy and data protection extends beyond technical implementation and regulation adherence. It encompasses empathy-driven engagement with users, seamless provision of privacy-related information, and thoughtful orchestration of interfaces that prioritise user control and understanding. By offering a structured framework for organisations to follow, ISO 31700 enables a consistent and standardised approach to PbD implementation that encourages a proactive stance towards privacy protection, promoting transparency, and respecting user rights, which can lead to increased consumer trust and confidence in the organisation.
The standard also marks a significant step towards a more holistic and comprehensive incorporation of PbD principles, ensuring they reflect the real-world needs and expectations of individuals in today's digital landscape.
How the new standard benefits organisations beyond GDPR compliance
While adhering to ISO 31700 isn't mandatory for organisations, doing so can play a pivotal role in achieving compliance with data protection regulations such as GDPR, as well as in enhancing overall privacy and security measures. This proactive approach can safeguard organisations from substantial and cumbersome fines, while introducing a multitude of advantages, including:
- Enhanced Consumer Trust: Privacy is a fundamental concern for consumers in today's data-driven world. When organisations prioritise privacy and data protection, it creates a sense of trust and confidence among their customers. Consumers are more likely to engage with a brand they trust, leading to increased customer loyalty and retention.
- Competitive Edge: Adopting PbD principles can provide a competitive advantage, especially in industries where privacy concerns are prevalent. Consumers are becoming more privacy-conscious and actively seek out companies that demonstrate a commitment to protecting their personal data. Organisations that prioritise privacy can differentiate themselves from their competitors and attract a larger customer base.
- Positive Reputation and Brand Image: Embracing PbD can enhance an organisation's reputation and brand image. Being known as a privacy-conscious company can improve the perception of the organisation in the eyes of customers, partners and stakeholders. A positive reputation for data protection practices can lead to positive media coverage and word-of-mouth marketing.
- Reduced Legal and Reputational Risks: Privacy breaches and data mishandling can have severe legal and reputational consequences for organisations. By implementing PbD, organisations can proactively identify and mitigate privacy risks, reducing the likelihood of data breaches and potential legal liabilities.
- Cost Savings: Integrating privacy measures early in the design and development of products and services can be more cost-effective than retrofitting privacy controls later. PbD can prevent the need for expensive redesigns and security enhancements after a product has been launched, leading to cost savings in the long run.
- Global Business Opportunities: As data protection regulations evolve worldwide, many countries and regions are adopting stricter privacy laws. By implementing PbD, organisations can ensure that they meet the varying privacy requirements of different jurisdictions, making it easier to expand and do business internationally.
PbD, as outlined in the ISO 31700 standard, is a proactive approach to data protection that places consumers at the centre of organisational processes, products and services.
By following the principles of PbD and complying with ISO 31700 requirements, organisations can build trust with consumers, gain a competitive edge, reduce the risk of privacy breaches and support innovation and growth. Embracing PbD is not just a compliance obligation, it is an opportunity for organisations to enhance their reputation and foster a privacy-conscious culture. Organisations should create a readiness plan and engage the right experts to ensure future resilience.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.