23 Feb The new ISO 31700:2023 and the standardization of Privacy by Design
Authors: Mattia Brambilla Pisoni, Francesca Tugnoli.
The idea of Privacy by Design
Article 25 of Regulation (EU) 2016/679 (hereinafter, “GDPR” or the “Regulation”), highlights, among other things, the need for data controllers to observe the principle of Privacy by Design (hereinafter, “PbD”). The principle of PbD requires data controllers to respect the principles of personal data protection set forth in the Regulation due to the fact that the design of the processing activity could have a potential impact on protection of personal data[1]. The PbD principle can be fulfilled through the implementation of appropriate technical and organizational measures while considering the elements specified under Article 32 of the GDPR. They include:
- taking into account the state of the art;
- the nature, scope, context and the purpose of processing;
- the processing-related risks.
Data protection should therefore be integrated into the organizational priorities, goals, design processes and the planning operations required under Article 25 of the GDPR. This is crucial for the development and the distribution of a product or the delivery of a service which requires the processing of personal data.
The origins of Privacy by Design
Even though the idea of PbD emerged as early as the late 1990s, it was effectively presented for the first time at the 32nd International Conference of Data Protection & Privacy Commissioners, which took place in Jerusalem in 2010[2]. The conference brought about the adoption of the Resolution on Privacy by Design, a document which set out the seven foundational principles of PbD, which are:
- Proactive not reactive, preventative not remedial: This principle implies that the actions of the data controller should aim to prevent the possible risks involved in the processing activity, as well as to plan necessary preventive actions.
- Privacy as the default setting: This principle relates to Article 25(2) of the GDPR and states that, when developing products and services which require the processing of personal data, data controllers should implement default settings that guarantee compliance with the GDPR principles in the processing activities.
- Privacy embedded into design: This principle implies that privacy shall be embedded into technologies, operations and all processes of the organization.
- Full functionality: Positive-sum, not zero-sum: This principle implies that privacy should not be traded off (zero-sum) against the efficiency of a technology or service; it should be an added value (positive-sum);
- End-to-end lifecycle protection: This means that personal data protection should be guaranteed during the whole lifecycle of the product or service, from its design to its discontinuation or withdrawal.
- Visibility and transparency: This principle refers to data subjects, in terms of protecting their personal data and ensuring that they can exercise their data subject rights.
- Respect for user privacy: This means that the data subject’s privacy interests must always be protected with reference to the exercise of data subject rights.
ISO/IEC 31700:2023
Despite the need for concrete guidelines on how these principles shall (or could) be implemented, no formal guidance, at least in terms of specific requirements, had been drafted until very recently. As a matter of fact, the implementation of PbD has traditionally been entrusted to data controllers. They decided on the ways to implement the PbD principles into their processing, products and services. Essentially, there was no uniform standard to be implemented by every organization in their processing activities.
This was the situation until 9 February 2023, when the International Organization for Standardization (ISO) published a new standard, ISO/IEC 31700:2023 (hereinafter the “standard”), on Privacy by Design for consumer goods and services[3]. The standard applies to goods and services that process personal data and are intended for personal use, i.e., not for organizations.
The standard contains the requirements for implementing the PbD principles within an organization’s processes whenever the processing of users’/data subjects’ personal data is involved in the delivery of such services or in the creation and distribution of such products. The adoption of the standard marks a development in the field of data protection, as it provides a list of requirements that need to be fulfilled in order to guarantee all the PbD principles according to ISO.
From a different perspective, it should be noted that, even if the standard’s requirements may also be implemented by organizations that are not subject to the GDPR[4], the standard, like any other standard, does not represent a guarantee of compliance with the Regulation itself[5].
The structure of the standard
The standard is made of two parts. Firstly, ISO/IEC 31700-1:2023 sets out the High-Level Requirements. Secondly, ISO/IEC 31700-2:2023 provides Use Cases[6]. Nonetheless, the standard is currently not certifiable under ISO 17065[7], even if, hypothetically, it could be[8]. For it to become certifiable, the Certification Bodies must first develop the corresponding framework.
The standard comprises 30 requirements, divided into five categories as follows:
- General Requirements: These concern all the preliminary elements that enable compliance with the PbD principle. Some of the key elements include: the employees’ skills, the identification of the consumers’ preferences and rights, the definition of roles and responsibilities, and the employees’ education and training;
- Consumer communication Requirements: These aim to guarantee the exercise of data subjects’ rights, as well as compliance with the communications owed by the data controller;
- Risk Management Requirements: These aim to define the mandatory elements required to build an efficient risk assessment methodology. Within these requirements, a key element of ISO 31700 emerges: the Privacy Impact Assessment (PIA). The PIA is a necessary element for evaluating the potential impact of the privacy risks of a new service or product offered by the data controller, so that such risks can be mitigated before the product is launched or the service is delivered;
- Development, Implementation and Functioning of the Privacy Controls Requirements: These aim to provide a guideline for the choice, the application, the monitoring and, if necessary, the review of the security measures applicable to a given processing activity; and
- Personal Data End-Lifecycle Requirements: These aim to specify how all the previous controls apply at the end of the personal data lifecycle.
The standard describes, and applies only to, processes; it does not provide or describe any kind of security measures, even though these could be useful in fulfilling the goal of PbD[9].
Conclusion
ISO 31700:2023 is an important innovation for the data protection world, because it represents the very first source of operative guidelines for data controllers concerning the implementation of PbD in their products or services. The standard thus marks an effective and significant step forward in that very “state of the art” mentioned in Article 25 of the GDPR.
[1] Ann Cavoukian, The 7 Foundation Principles, Implementation and Mapping of Fair Information Practices, 2011.
[2] 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, 27-29 October 2010 (https://globalprivacyassembly.org/wp-content/uploads/2015/02/32-Conference-Israel-resolution-on-Privacy-by-Design.pdf) and Ann Cavoukian.
[3] See https://www.iso.org/standard/84977.html.
[4] Howard Solomon, Privacy by Design to become an ISO standard next month, in IT World Canada, January 2023.
[5] Moreover, ISO 31700:2023 is not the only international standard in this area, and adopting concepts and definitions from the GDPR does not in itself constitute a proper implementation guideline for reaching compliance with the Regulation or, broadly speaking, for implementing it. Recall, e.g., ISO/IEC 27701:2019 (https://www.iso.org/standard/71670.html).
[6] The Use Cases represent a useful tool to show how the standard should be effectively applied. The ISO 31700-2:2023 includes three different use cases, namely: an e-commerce platform, a gym and a smart-lock. The application of several of the standard’s requirements is shown for each of them (https://www.iso.org/standard/84978.html).
[7] ISO/IEC 17065 represents the natural evolution of the previous standard ISO Guide 65 (published in Europe as EN 45011). EN 45011 was the main reference used by Accreditation Bodies to verify the competence of the Bodies concerned, as part of the verification activities preparatory to the granting of accreditation. It has also been used in periodic surveillance activities and by the Accreditation Bodies that entered into the EA (European co-operation for Accreditation) and IAF (International Accreditation Forum) multilateral agreements. Here again, as happened during the transition from EN 45012 to ISO/IEC 17021 in 2006, the improvement aspect inherent in the standards revision process is highlighted: the Standards Body (ISO) issues the standard; the Accreditation Bodies, which come under the two EA/IAF international organizations, use it to evaluate Bodies and grant accreditations, highlighting elements of weakness and improvement, which are condensed into the application guidance documents (EA/IAF Guidelines). See Alberto Musa, La norma ISO/IEC 17065:2012 “Conformity assessment Requirements for bodies certifying products, processes and services” Continuità e novità rispetto alla precedente EN 45011, in Qualità, AICQ – Associazione Italiana Cultura Qualità, 2013.
[8] See Cesare Gallotti, Privacy by design: requisiti e casi d’uso della norma ISO 31700, in Risk Management 360, 2023 (https://www.riskmanagement360.it/analisti-ed-esperti/privacy-by-design-requisiti-e-casi-duso-della-norma-iso-31700/).
[9] To this end, reference should be made to the provisions of other standards and sources, such as ISO 27001:2022, ISO 27018:2019 and ISO 27400:2022, as well as to the Handbook on Security of Personal Data Processing published by ENISA (https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing).