Data privacy by design: a new standard ensures consumer privacy at every step

On the eve of new EU regulations, and in the wake of recent large-scale data privacy breaches, a new ISO committee is leading the way with guidelines that put the consumer back in control.

The Internet-driven world shook when Facebook was recently exposed for having shared personal information about 87 million users to a private company, the aftershocks of which are still being felt as it becomes clear this is not a one-off event.

“The majority of privacy breaches remain unchallenged, unregulated and unknown,” said international privacy expert Dr Ann Cavoukian in her video address at the ISO workshop “Consumer protection in the digital economy”, which took place in Bali, Indonesia, this week. “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy,” she added. “Prevention is needed.”

As new EU regulations come into force late this month that require companies to protect personal data, restricting the way it is collected and used, ISO is taking the consumer’s voice one step further. A team of privacy experts has been formed to develop the first set of preventative international guidelines for ensuring consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle.

The new ISO project committee, ISO/PC 317, Consumer protection: privacy by design for consumer goods and services, will develop guidelines that will not only enforce compliance with regulations, but generate greater consumer trust at a time when it is needed most.

Privacy of personal data is one of many issues affecting online trust. The ISO workshop will also consider the impacts of data protection, artificial intelligence, the sharing economy and legislation on the online consumer experience.

A world-renowned Canadian expert, Dr Cavoukian pioneered the concept of “privacy by design”, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices.

“Giving consumers back their privacy is good for business: a win-win for consumers and business alike,” she said.

“With 90 % of the population concerned about their privacy, there is a current lack of trust in business. Privacy by design will help to regain that trust by giving consumers privacy as the default. They no longer have to search for the ‘opt out’ box. Privacy is automatically built into the design and covers the full life cycle of the product.”

“Privacy by design” is now recognized as a core part of the EU General Data Protection Regulation (GDPR) and forms the basis of the ISO standardization work now underway. Implementing the standard will help companies comply with regulations and avoid potentially devastating data breaches that erode consumers’ confidence in online services.

Jean Stride, Secretary of ISO/PC 317, said the new EU directives will catch many companies by surprise, yet the penalties for non-compliance are high.

“The new standard being developed will place the consumer at the centre of the design process,” she said. “It will allow goods and service providers to address all the life-cycle issues of privacy by design, so that consumers can have greater confidence in their purchases and take back control over the use of their data.”