Spotlight: ISO 31700 standard – Protecting the consumer with privacy by design
As the ISO 31700 standard on privacy by design for consumer goods and services comes into effect this month, Stephen Bailey, Global Privacy Services practice lead at NCC Group, shares his thoughts on how it could help in the world of consumer protection.
In from the start and always on
The concept of privacy by design and by default has been around for a while now and various forms of it appear in many laws, standards and frameworks. As with its perhaps better-known sidekick, security by design, the point is for privacy to be built in from the start of product development and set in favour of the user of the product or service, so they do not have to do anything to have privacy – and, of course, security.
The new ISO 31700 Consumer protection – Privacy by design for consumer goods and services – joins the rather extensive stable of ISO standards and could be set to play a part in helping organisations get their houses in order when it comes to privacy by design and complying with existing legislation.
Existing data protection legislation requires that “appropriate technical and organisational measures” are in place to ensure the principles of data protection are implemented effectively.
Regulators provide some help for organisations in working out what that could mean, but even their guidance typically amounts to statements of the obvious from data protection law: only process what you need, tell people what you are doing with their personal data and who helps you do it, and so on.
The onus is on organisations to sort out the detail themselves, which is perhaps where ISO 31700 might help.
The new standard covers the lifecycle of a consumer product, including any data processed by the consumer themselves, where a consumer is defined as an individual buying or using a product.
Its 27 detailed requirements, organised into five high-level areas, cover everything from who is accountable for the different aspects of the design or operation of a product, through to what happens at the end of the product’s life – or at the end of someone’s use of it.
There is an element of the ‘perfect world’ view in the new standard; a good example is its guidance on avoiding design practices that exploit ambiguity, when the reality is that many organisations actively use dark patterns to nudge people into selecting the ‘Accept’ button for things like cookies.
As ISO 31700 itself says, standards and frameworks covering privacy, such as the NIST Privacy Framework (companion to the NIST Cybersecurity Framework) and ISO 27701 (companion to ISO 27001), have clear requirements relating to privacy by design that cover the key concepts, but this standard goes further with a greater level of detail.
The difficult step for many organisations will be deciding how far to go from the key-concepts approach towards the greater level of detail given in this new standard.
Organisations interested in using this new standard to frame their approach to privacy should start by determining which of their products or services it could apply to. They can then assess how their current approach to the lifecycle of those products and services measures up, identify the gaps between that and where they need to get to, and use those gaps to create a prioritised roadmap for closing them.
For those that do see the value in complying with it, it will give their privacy by design approach validity, a degree of credibility and a competitive advantage, which matters as we all become much more aware of the value of our personal data and the rights we have under data protection law.
For our privacy consulting team, this provides an externally recognised structure for the privacy by design work that we already do with our clients, which, coupled with the security by design approach that we bring to bear, could give these clients the edge they need to bring successful products to market.