Consumer trust in online services is a growing preoccupation of today’s boardrooms. That’s because customers are increasingly prepared to walk if they don’t like what they see. In fact, 71% of consumers told PwC last year that they’re unlikely to buy from a company that loses their trust. This might happen following a serious data breach, or other privacy-related incident. Separate research shows that 68% would be put off buying online from a company with inadequate data security – rising even higher (75%) for firms which have breached customer data in the past.
The good news for organizations that want to burnish their privacy credentials and improve best practice is that a new ISO standard has just been published. ISO 31700 is based on privacy-by-design principles first developed in the 1990s, and could help by providing practical steps to implement these best practices.
Privacy by design was developed by Ontario Information and Privacy Commissioner Anne Cavoukian on the premise that privacy cannot be guaranteed solely through compliance with regulations: it must be an organization's default setting, built into everything it does. The approach was published as a framework of seven foundational principles in 2009 and was later written into the GDPR, whose Article 25 requires "data protection by design and by default".
The new ISO standard adds plenty more detail to the approach and can be seen as a way to help organizations of all sizes "operationalize" privacy by design. In so doing, they should become more resilient to possible incidents and may find compliance with the GDPR and other laws easier.
Although ISO 31700 has 30 requirements, the original privacy-by-design document contains just seven principles, which summarize the approach fairly neatly:
It becomes obvious from those principles that to implement privacy by design, organizations need a way to ensure that all customer data they process, via any service or back-end system, is protected by default throughout its entire lifecycle. This is exactly the promise of comforte's data-centric security approach.
Our Data Security Platform automatically and continuously discovers and classifies data before seamlessly applying strong protection in line with corporate policy. Format-preserving techniques for data protection, such as tokenization, replace a sensitive value with a surrogate of the same length and character class, so existing schemas and validators need not change and the data can still be used in analytics and other business use cases, without compromising on privacy-by-design principles.
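To make the "still usable for analytics" claim concrete, here is an added example (written for this page, not comforte's product code) of a toy vaulted, format-preserving tokenizer. It replaces a card number with a random token of the same length and digit-only format, keeps the last four digits, returns the same token for the same input so that joins and group-bys work on tokenized data, and restricts detokenization to a single role. The class and function names, the `payments-settlement` role, and the sample transaction records are all assumptions made for the example; the card numbers are well-known test values, not real accounts.

```python
"""Added example: vaulted, format-preserving tokenization (not comforte's code)."""
import re
import secrets
from collections import Counter
from typing import Dict, List, Tuple

# What a legacy schema or input validator expects a PAN field to look like.
PAN_FORMAT = re.compile(r"\d{12,19}")

# Hypothetical role allowed to see cleartext; everyone else only sees tokens.
SETTLEMENT_ROLE = "payments-settlement"


class TokenVault:
    """Maps a PAN to a random token of the same length and character class.

    The token keeps the last four digits (receipts, customer support) and is
    otherwise random, so it cannot be reversed without access to the vault.
    In a real deployment the two maps below would be an encrypted, audited
    datastore; plain dicts are used here only so the example runs offline."""

    def __init__(self, keep_last: int = 4) -> None:
        self.keep_last = keep_last
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_FORMAT.fullmatch(pan):
            raise ValueError("expected a 12-19 digit PAN")
        token = self._pan_to_token.get(pan)
        if token is None:  # first sighting: mint a token and record it both ways
            token = self._mint(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return token  # deterministic: same PAN always yields the same token

    def _mint(self, pan: str) -> str:
        tail = pan[-self.keep_last:]
        head_len = len(pan) - self.keep_last
        while True:
            # Random digits, not a hash of the PAN: a hash could be brute-forced
            # over the small PAN space, a random surrogate cannot.
            head = "".join(str(secrets.randbelow(10)) for _ in range(head_len))
            token = head + tail
            if token != pan and token not in self._token_to_pan:
                return token

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role != SETTLEMENT_ROLE:
            raise PermissionError("detokenization restricted to settlement role")
        return self._token_to_pan[token]


def protect_records(vault: TokenVault, records: List[Tuple[str, float]]) -> List[Tuple[str, float]]:
    """Tokenize the PAN column of (pan, amount) records before they leave the vault boundary."""
    return [(vault.tokenize(pan), amount) for pan, amount in records]


def transactions_per_card(records: List[Tuple[str, float]]) -> Counter:
    """Analytics that only needs equality of the card column; works on tokens or PANs."""
    return Counter(pan for pan, _ in records)


def can_detokenize(vault: TokenVault, token: str, caller_role: str) -> bool:
    """Return True only if the role is permitted to recover the cleartext PAN."""
    try:
        vault.detokenize(token, caller_role)
        return True
    except PermissionError:
        return False


# Constructed sample input using public test card numbers, not real accounts.
SAMPLE: List[Tuple[str, float]] = [
    ("4111111111111111", 20.0),
    ("5500000000000004", 5.0),
    ("4111111111111111", 7.5),
]

if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_records(vault, SAMPLE)
    for (pan, _), (token, _) in zip(SAMPLE, protected):
        print(f"{pan} -> {token}  (format ok: {bool(PAN_FORMAT.fullmatch(token))})")
    print("transactions per card, computed on tokens:", transactions_per_card(protected))
```

The counts computed over tokenized records match those over the cleartext because the mapping is one-to-one, which is what lets analytics run without detokenizing. Keeping the last four digits shrinks the random part of the token, so a production vault must be encrypted and access-logged, and detokenization kept to the few roles that genuinely need cleartext; vault-less format-preserving encryption (for example NIST's FF1 mode) is the alternative when a lookup table is impractical.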
According to the ISO, the benefits of implementing its new privacy-by-design standard are:
Earn consumer trust and satisfy demands for robust privacy and data protection.
Institutionalize robust privacy norms throughout the ecosystem – including privacy protection and data handling practices – ensuring decisions concerning consumer privacy needs will be more consistent and systematic.
Benefit from a more holistic and integrated approach by ensuring privacy best practices apply to the broader information ecosystems in which technologies and organizations operate and function.
Support an iterative approach to product development, so that privacy enhancements can be deployed long after the initial design phase.