Welcome to the new ISO 31700 standard for privacy by design

Philipp Rosenauer
Partner Legal, PwC Switzerland

As of 8 February 2023, privacy by design is now an ISO standard titled «Consumer Protection – Privacy by Design for Consumer Goods and Services». The standard consists of both a high-level list of requirements (31700-1) and a more technical report through illustrative use cases to help understand the requirements (31700-2).

Privacy by design is a principle that calls for the integration of privacy into the architecture of goods and services and within business practice. Not only is it a requirement under EU law but also under the Swiss revised Federal Data Protection Act, Article 7.

Products and services are the front line of consumer protection, and it is important to remember that organisations have control over their operations. However, they do not have control of the way consumers use the products and services. As such, the only protection is the functionality that is embodied within the hardware and software. The new standard follows the data protection by design and by default principle of the General Data Protection Regulation and brings value by bringing uniformity to privacy by design, albeit not a conformance standard.

The ISO standard part 1:

Privacy by design applies to all products that use personally identifiable information, whether physical goods or intangible services.

As the first ISO standard on privacy by design, it does not specify thresholds or steps but keeps the ruleset high-level and provides examples for better understanding. In doing so, enabling innovation but still providing operational guidance throughout the lifecycle of consumer goods and services. As such, not only in the maintenance of the goods and services but also the ideation, creation, collection of personally identifiable information, and the destruction and disposal. It does so through three guiding principles: empowerment and transparency; institutionalisation and responsibility; and ecosystem and lifecycle.

The standard is straightforward and is organised in a way that is easily accessible and digestible for consumers, engineers and organisations at large. Each requirement includes an explanation and guidance for implementation. Some of the new ISO standard includes general guidance on:

designing capabilities to enable consumers to enforce their privacy rights
assigning relevant roles and authorities
conducting privacy risk assessments
designing privacy controls
integrating privacy controls and management lifecycles, and
preparing breach management.

The ISO standard part 2:

While there is a wide range of use cases, the part 2 document provides three example use cases to help better understand the implementation of the standard. The three examples are the case of online retailing, the case of a fitness company and the case of smart locks for home front doors.

Each example highlights the privacy protection goal, a description of the users, the personally identifiable information, product purpose and narratives for the stages within the lifecycle. Such illustrations and information should prove to be helpful for organisations, engineers as well as consumers. It is evident from the use cases that the standard follows a consumer-centric approach and puts the consumer’s privacy rights at the centre of product development, operation and deletion.

Our services

In all, ISO 31700’s focus is to better protect consumer data, particularly personal information. Having consulted other ISO standards and regulations, ISO 31700 will ensure that organisations take a proactive approach to protecting personal data through embedding privacy by design principles into their systems and processes from ground zero.

Our service map is designed to support you in complying with the ISO standard and understanding privacy by design further.