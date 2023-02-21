On February 8, 2023, the International Organization for Standardization (ISO) adopted the new ISO 31700 standard, which sets out the high-level requirements for integrating data privacy into consumer products and services.

Since the GDPR entered into force, privacy by design has been its most innovative and forward-looking principle, intended to safeguard data protection against technological developments that can no longer be anticipated a priori.

As is well known, the principle is governed by Article 25 of the GDPR, which requires personal data to be protected from the design phase of the systems that collect and use it. It follows that correct implementation of privacy by design can ensure the secure development of products and projects involving the processing of personal data.

The concept of privacy by design was, however, coined even before the GDPR entered into force, by Ann Cavoukian (Canadian privacy commissioner) towards the end of the 1990s, following the increase in the amount of personal data collected, stored and communicated by institutions and companies and, also, as a consequence of the increase in data breach episodes. The idea of privacy by design elaborated by Cavoukian rested on 7 pillars, which the GDPR also takes up and which find their fullest expression in the concept of accountability: the data controller's preventive and proactive approach should incorporate privacy into the project and by default, so as to ensure data protection for the entire life cycle of the data according to the principles set out in Article 5 of the GDPR. Among these, the principles of transparency and of data minimization stand out in importance.

The ISO 31700 methodology takes consumer privacy into account when designing and developing a product, considering the product's entire life cycle: from pre-marketing, through consumer purchase and use, up to the intended time when all instances of that product will cease to be used. This means that a product has consumer-focused privacy controls and defaults, which provide adequate levels of privacy without overburdening the consumer.

The goals the new technical standard pursues are to drive wider adoption of privacy-conscious design, earn consumer trust, and meet consumers' needs for robust privacy and data protection. ISO 31700 intends to achieve this through the implementation of privacy controls based on the consumer's perspective, context and needs, and by documenting, in a way that is concise and direct for consumers, how privacy issues have been addressed.

To make the principle of privacy by design easier to apply, ISO 31700 has been divided into two parts:

· ISO 31700-1:2023 (Consumer protection – Privacy by design for consumer goods and services – Part 1: High level requirements), which contains an operational framework composed of thirty requirements.

· ISO 31700-2:2023 (Consumer protection – Privacy by design for consumer goods and services – Part 2: Use cases), which illustrates practical applications of the standard.

The first part presents a list of requirements containing information on how to design features that allow consumers to exercise control over their personal data. Furthermore, these requirements oblige organizations to implement the means and tools with which users can exercise their rights (Articles 15 to 22 GDPR) and to determine users' needs when developing the services and products intended for them.

The second part, instead, deals with use cases, i.e. illustrative cases that show organizations in practical terms how the standard can be applied: for example, specific case studies on online sales, to help organize the personal data processing systems connected to the services and products offered to consumers.

The new standard therefore provides guidelines for all organizations, whether startups, multinationals or organizations of any size, inviting them to take consumer privacy into account during the design, development and entire life cycle of the product or service. The ISO standard is not mandatory; however, its adoption will help organizations demonstrate their compliance with the requirements of the GDPR from the perspective of accountability, a fundamental principle set out in Article 24 GDPR.

In conclusion, the virtuous system of certifications that has distinguished the market in recent times (think, for example, of cybersecurity certification) could be a response to the needs emerging from the development of technological products. Implementing the privacy by design methodology would make reference technical standards available from the planning stage, lightening the burden of obligations compared with a producer that considers the principle only ex post. Indeed, adopting this methodology could enhance the organization's reputation and generate greater trust among the consumers receiving the products and/or services offered.

