The privacy community looked on with great anticipation,when the ISO 31700 Privacy by Design (PbD) standard was unveiled last month. Timed perfectly to address the growing need for privacy knowledge and skills in the product development space, organisations were looking to see how the International Organisation for Standardization (ISO) was going to blend intuitive principles, with the rigour that has come to be expected of the organisation. Its potential significance was also not lost on many privacy specialists, who were increasingly involved in helping to manage privacy risks in the product development life cycle.
What was unveiled?
While the spirit of the foundation principles (as laid downby the Information and Privacy Commissioner of Ontario, Canada) certainly permeates many of the requirements of the new standard, it is very much a different creature – built for today’s interdisciplinary product development environment.
Importantly, it acknowledges the dual advocacy role today’s privacy practitioners must play. Contributions need to be as much about ensuring compliance, as it is about meeting growing consumer privacy needs. This reality is reflected in Cisco’s latest Consumer Privacy Survey, which classifies 32% of consumers as being ‘Privacy Actives’. That is, people who say they care about privacy, are willing to act to protect it, and most importantly, have already acted by switching companies or providers to better protect their privacy.
The standard also highlights the role’s increasing importance. Practitioners involved in product development are expected to add value to the business. They must develop stakeholder relationships that are centred less around fines and penalties, and more on lifting consumer retention and loyalty. This necessary and timely transformation, is at the heart of the new
ISO31700 Privacy by Design standard.
Making the most of theISO 31700 Privacy by Design standard
Several elements in the standard are worth highlighting for practitioners seriously thinking about using it.
Consumer Views and Preferences
An innovative aspect of the standard is its insistence on organisations obtaining consumer views and preferences. This provides several clear benefits. First and most importantly, practitioners will be able to tell if the privacy protections implemented, are actually working as intended. Second, the insights gained can help build an evidence based approach to improvements. Third, such insights will likely also be of interest and benefit to other stakeholders. Sharing it will help the organisation realise the depth of impact consumer privacy awareness is truly having on the business.
Stakeholders
The standard very much acknowledges the need for and assumes a multi-disciplinary approach to integrating privacy controls into products. With practices such as ‘dark patterns’ on the regulatory radar, embedding cross collaborations with technical experts, such as user experience designers and data specialists, has never been more important.
Use Cases
While use cases are not necessarily new, the standard’s insistence on using them is a strong reminder to keep a balanced focus. Use cases allow privacy practitioners to have constructive discussions around product impacts holistically. This is especially important when contextual factors in innovative business models, third party data sharing and emerging technologies
are raised.
Measurable
A practical and needed modernisation brought by the standard,is its requirement for Privacy by Design programs to establish measurement methods and metrics, in deployment and operations. This was arguably a major challenge with the original core principles. Lacking an operational framework, it was difficult for practitioners to fully embrace and execute them on the ground.
You can’t, after all, manage what you can’t measure.
Will it work in my organisation?
The standard is very much designed for all industries,countries and organisation sizes. It is also extremely scalable. By combining the focus on cross functional stakeholder engagement, with defined roles and responsibilities, it provides a framework that is portable and can easily fit in extra resources if or when they are needed.
If there is a potential criticism, it may be in relation to the amount of collateral associated with the program. Smaller organisations with limited resources may struggle under the load of what is expected of them. In such instances, it may be wise to either trim back how the standard’s requirements are performed or if it is an option, automate some of them into privacy management and/or work productivity platforms.
Conclusion
The ISO 31700 Privacy by Design standard is a practical modernisation of principles that many privacy practitioners already follow intuitively. Developed to meet today’s product development challenges, it has the potential to help reshape how privacy is viewed in many organisations. With the necessary tools at hand, privacy practitioners just have to decide when they want that transformation to take place.