What is an ISO Standard?

An ISO standard is a set of guidelines and requirements published by the International Organization for Standardization (ISO), a non-governmental organisation that develops and publishes international standards for a wide range of industries, products, and services. ISO standards provide a framework for best practice, and they can help organisations improve their quality, efficiency, and safety.

ISO/IEC 27001 is an example of an ISO standard that is relevant to privacy and data protection. It specifies the requirements for an Information Security Management System (ISMS): defining its scope, assessing and treating information security risks, selecting and implementing security controls, and continually improving the ISMS. On its own, ISO/IEC 27001 addresses information security rather than privacy specifically; its companion standard, ISO/IEC 27701, extends it with requirements for managing personal information. By following these standards, organisations can ensure that their data protection practices are comprehensive and effective.

What is Privacy by Design?

Privacy by Design (PbD) is a concept that emphasises incorporating privacy considerations into the design and development of products, services, and processes. It means considering privacy and data protection from the very beginning of a project or initiative, rather than as an afterthought. As originally formulated, PbD had seven principles, including that privacy should be an organisation's default setting (no action is required by an individual to protect their privacy), that privacy is embedded into the design of IT systems and business practices, and that protection extends across the entire data lifecycle. PbD helps organisations anticipate and address privacy risks, comply with legal and regulatory requirements, and demonstrate a commitment to protecting personal information.

The new ISO 31700:

ISO was expected to adopt Privacy by Design (PbD) as ISO 31700 on February 8, 2023. Ann Cavoukian, the creator of PbD, has praised ISO for implementing it as a standard. She stated: “The standard is designed to be utilised by a whole range of companies — startups, multinational enterprises, organisations of all sizes. With any product, you can make this standard work because it’s easy to adopt. We’re hoping privacy will be pro-actively embedded in the design of [an organisation’s] operations and it will complement data protection laws.”

With 30 requirements, the final ISO 31700 standard is more detailed than the original seven PbD principles. A draft of the standard indicates that it will be 32 pages long. It provides general guidance on designing capabilities that enable consumers to exercise their privacy rights, assigning relevant roles and authorities, providing consumers with privacy information, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, designing privacy controls, managing data across its lifecycle, and preparing for and managing a data breach.

How Does ISO 31700 Help Organisations?  

Adopting the new ISO 31700 can assist organisations in complying with legal and regulatory requirements for privacy and data protection. PbD is an important concept for organisations that want to protect personal information and maintain consumer trust, because it helps them anticipate and address privacy risks rather than react to them after the fact. The standard can also become a competitive advantage: by adopting a privacy-focused ISO standard, companies can differentiate themselves by demonstrating their commitment to privacy and data protection, and can build consumer trust by showing that they take privacy seriously and are committed to protecting personal information.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.