
ISO 31700 and Privacy by Design: What You Need to Know

by   in Cybersecurity

Recently, ISO 31700 was adopted as a Privacy by Design (PbD) standard. The concept of PbD was first developed by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, in 2009 and has become a central piece of global privacy regulations, including the GDPR, California Privacy Rights Act (CPRA) and Lei Geral de Protecao de Dados (LGPD) from Brazil.

ISO 31700 and Privacy by Design

Privacy by design (PbD) is a concept that places privacy requirements in the design, development, and deployment of products, services and systems. Core elements contain guiding principles for collecting, using, retaining, and disclosing personal information and for implementing appropriate security measures to protect that information. The idea is to embed privacy practices into how data is shared and into systems of engagement from the outset, rather than trying to bolt on privacy protections after the fact. It is no small task, as much of the information and application sprawl is historical. However, conceptually it is a step in the right direction for preserving personal information and privacy.

PbD and parts of the new ISO standard blend well with existing standards and frameworks for data discovery and classification, data minimization (ISO 27701), data access governance (NIST 800) and data protection (including NIST SP 800-38G and SP 800-57), capabilities that preserve privacy and support the safe and ethical use of data. ISO 31700 also emphasizes the benefits of policy-based retention and disposition of information to support PbD.

Privacy-enabling Technologies and ISO 31700

Privacy-enhancing technology (PET) refers to technologies designed to improve privacy and support standards like ISO 31700 by reducing the amount of personal data collected and shared. These technologies include PII detection, de-identification, anonymization, and data minimization techniques. In addition, PET aims to reduce the risk of personal data being used or misused in ways that could harm the user if not handled ethically. 

Within PET there is a subset of capabilities, called privacy-preserving technology, designed to protect the privacy of individuals and organizations when they share, collect, or process personal data. These are used in various contexts, including consumer privacy, data analytics, and lifecycle management. They aim to ensure personal data remains protected and cannot be accessed or used by unauthorized parties.

Privacy-enhancing technology that can advance PbD and ISO 31700:

  • Encryption: protects data from unauthorized use or access and from being viewed in clear text.
  • Masking/Anonymization: protects data by removing personally identifiable information (PII) from data sets, making it difficult to trace the data back to specific individuals.
  • Tokenization: protects data by replacing sensitive values with unique, reversible tokens that can stand in for the data but cannot be used to recover the original values without access to the token mapping.
  • Pseudonymization: protects data by replacing PII with a pseudonym, or fake name, that cannot be traced back to the individual without separately held additional information.
  • Data minimization: protects data by collecting and storing only the minimum amount necessary to achieve a specific purpose, reducing the risk of data misuse or abuse.
  • Data access monitoring and controls: preserve privacy by ensuring unauthorized parties cannot access or use personal data.
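To make the differences between these techniques concrete, here is an added example (not code from the page or from OpenText) that applies masking, pseudonymization, tokenization and data minimization to one constructed customer record; the record, the key and the "analytics" purpose are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; every value is fictitious.
RECORD = {"name": "Jane Doe", "email": "jane.doe@example.com",
          "card": "4111111111111111", "city": "Toronto", "purchase_total": 42.50}

# Assumed secret for pseudonymization, held separately from the data (e.g. in a KMS).
PSEUDONYM_KEY = b"assumed-secret-key-kept-outside-the-dataset"


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Masking: irreversible; only the trailing characters survive for display."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudonymization: a keyed HMAC maps equal inputs to equal pseudonyms (records
    stay linkable) but cannot be reversed; it does not stop guessing over small input spaces."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: random, reversible tokens; only the vault holder can reverse them."""
    def __init__(self) -> None:
        self._forward: dict[str, str] = {}
        self._reverse: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value], self._reverse[token] = token, value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def minimize(record: dict, purpose_fields: tuple) -> dict:
    """Data minimization: keep only the fields the stated purpose needs."""
    return {k: v for k, v in record.items() if k in purpose_fields}


def protect_for_analytics(record: dict, vault: TokenVault) -> dict:
    """Combine the controls for an assumed analytics purpose: drop the name,
    pseudonymize the e-mail as a join key, tokenize the card, mask it for display."""
    minimal = minimize(record, ("email", "card", "city", "purchase_total"))
    return {"customer_id": pseudonymize(minimal["email"]),
            "card": vault.tokenize(minimal["card"]),
            "card_display": mask(minimal["card"]),
            "city": minimal["city"], "purchase_total": minimal["purchase_total"]}
```

The output record can be handed to an analytics team without the name, the clear-text e-mail or the card number, while the vault alone can map a token back to the original value.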

ISO 31700 contains several core principles for organizations to align with to help ensure PbD. Many of these principles, processes and practices are enhanced with privacy-enabling technologies. With specific callouts for lifecycle management being added, it is evident that privacy practices are maturing and aligning more closely with holistic information management across the entire enterprise.

Voltage by OpenText Advantages

Voltage Fusion Data Discovery and Classification: Data discovery is vital for understanding your data's value and risk exposure. In addition, data classification helps identify and tag business critical, sensitive information (including PII, proprietary data, and intellectual property), which assists data minimization, privacy compliance and data protection efforts. Additionally, Voltage Fusion SmartScan intelligent sampling is ideally suited for privacy impact assessments across large data estates and can help organizations be more prescriptive in how they approach their PIAs and operationalize privacy and compliance programs. 

OpenText™ Content Cloud™: The OpenText™ Content Cloud™ suite integrates with the systems that produce and consume information, extending enterprise-grade content management deeper into the organization and facilitating seamless access, distribution and use of structured and unstructured data. Content Cloud's lifecycle management capabilities help support PbD by managing access to and retention of sensitive business and consumer information critical to privacy and records compliance.

Security standards and Privacy framework support: ISO 31700 aligns with established security and privacy practices around ISO 27001/27701 and NIST. Voltage Fusion can help assess risk at scale and support data minimization in line with NIST and ISO 27701. In addition, Voltage SecureData developed the NIST standard for format-preserving encryption, which drives data protection techniques across our portfolio, ensuring information is shared securely and ethically within the business.  

ISO 31700 has additional requirements highlighting privacy controls and data protection as core tools to protect the corporate brand and reputation. Data discovery, data protection, and lifecycle management help establish practices that build data trust, ensuring enterprise information is kept, protected, managed and maintained based on PbD practices and standards.  

Global Regulations and Privacy by Design

California Privacy Rights Act (CPRA)

The CPRA emphasizes Privacy by Design practices and guides organizations toward embedding privacy into the design of their processes and IT systems. CPRA implicitly asks a user to opt in to the sharing/selling of personal information and has specific privacy-enhancing principles for data minimization and data protection as best practices. See how Voltage Powers CPRA

GDPR and UK GDPR

GDPR Article 25 sets up 'data protection by design and by default' and states that organizations must take 'appropriate technical and organizational measures' to uphold data security and privacy rights. Article 25 specifically calls out privacy-enabling technologies like data minimization and data protection techniques like encryption, tokenization, and masking that preserve privacy. The UK GDPR includes the same measure as well. See how Voltage Powers GDPR

Brazil – Lei Geral de Protecao de Dados (LGPD)

The LGPD in Brazil requires organizations to have privacy built in by 'default' and to demonstrate to Brazil's regulatory enforcement body how privacy has been incorporated into processes and systems. See how Voltage Powers LGPD

Helping to Navigate the New Data Privacy Landscape

The privacy landscape is constantly evolving. At OpenText, we help customers stay ahead by delivering privacy-enhancing technology that supports improved privacy posture while supporting information management practices that drive innovation and uncover competitive advantage. 

For more information on Voltage by OpenText, visit our Data Privacy Hub or our Voltage portfolio page. You can join our Voltage Data Privacy and Protection Community and keep up with the latest Tips & Info about Data Privacy and Protection. Feel free to contact us for more information, we’d love to connect with you regarding your Privacy Compliance initiatives.
