iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 31700-1

(Main)

Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements

Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements

This document establishes high-level requirements for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer. This document does not contain specific requirements for the privacy assurances and commitments that organizations can offer consumers nor does it specify particular methodologies that an organization can adopt to design and-implement privacy controls, nor the technology that can be used to operate such controls.

Protection des consommateurs — Respect de la vie privée assuré dès la conception des biens de consommation et services aux consommateurs — Partie 1: Exigences de haut niveau

General Information

Status
Not Published
Publication Date
30-Jan-2023
ICS
03.080.30 - Services for consumers
03.100.01 - Company organization and management in general
Technical Committee
ISO/PC 317 - Consumer protection: privacy by design for consumer goods and services
Drafting Committee
ISO/PC 317 - Consumer protection: privacy by design for consumer goods and services
Current Stage
6060 - International Standard published
Start Date
31-Jan-2023
Due Date
01-Nov-2022
Completion Date
31-Jan-2023
Ref Project

Buy Standard

REDLINE ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022REDLINE ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022
PreviousNext
Draft
REDLINE ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022
English language
37 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022
PreviousNext
Draft
ISO/FDIS 31700-1 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:26. 08. 2022
English language
37 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

ISO 31700-1:2022(E)
2022-06-2908-10
ISO/PC 317 N270
Secretariat: BSI

Consumer protection –— Privacy by design for consumer goods and services — Part 1: High-

level requirements
---------------------- Page: 1 ----------------------
ISO/FDIS 31700-1:2022(E)
© ISO 20212022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no

part of this publication may be reproduced or utilized otherwise in any form or by any means,

electronic or mechanical, including photocopying, or posting on the internet or an intranet, without

prior written permission. Permission can be requested from either ISO at the address below or

ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO 2021 – All rights reserved
ii © ISO 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/FDIS 31700:2021-1:2022(E)
Contents

Foreword ......................................................................................................................................................................... iv

Introduction..................................................................................................................................................................... v

1 Scope .................................................................................................................................................................... 1

2 Normative references .................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................... 1

4 General ................................................................................................................................................................ 8

4.1 Overview ............................................................................................................................................................. 8

4.2 Design capabilities to enable consumers to enforce their privacy rights ................................... 9

4.3 Develop capability to determine consumer privacy preferences ............................................... 11

4.4 Design human computer interface (HCI) for privacy ...................................................................... 12

4.5 Assign relevant roles and authorities ................................................................................................... 12

4.6 Establish multi-functional responsibilities ........................................................................................ 13

4.7 Develop privacy knowledge, skill and ability .................................................................................... 14

4.8 Ensure knowledge of privacy controls ................................................................................................. 15

4.9 Documented information management ............................................................................................... 16

5 Consumer communication requirements ........................................................................................... 17

5.1 Overview .......................................................................................................................................................... 17

5.2 Provision of privacy information ........................................................................................................... 17

5.3 Accountability for providing privacy information ........................................................................... 19

5.4 Responding to consumer inquiries and complaints ........................................................................ 19

5.5 Communicating to diverse consumer population ............................................................................ 20

5.6 Prepare data breach communications.................................................................................................. 21

6 Risk management requirements ............................................................................................................ 21

6.1 Overview .......................................................................................................................................................... 21

6.2 Conduct a privacy risk assessment ........................................................................................................ 22

6.3 Assess privacy capabilities of third parties ........................................................................................ 23

6.4 Establish and document requirements for privacy controls ........................................................ 24

6.5 Monitor and update risk assessment .................................................................................................... 25

6.6 Include privacy risks in cybersecurity resilience design............................................................... 26

7 Develop, deploy and operate designed privacy controls ............................................................... 26

7.1 Overview .......................................................................................................................................................... 26

7.2 Integrate the design and operation of privacy controls into the product development

and management lifecycles ....................................................................................................................... 27

7.3 Design privacy controls .............................................................................................................................. 28

7.4 Implement privacy controls ..................................................................................................................... 28

7.5 Design privacy control testing ................................................................................................................. 29

7.6 Manage the transition of privacy controls .......................................................................................... 30

7.7 Manage the operation of privacy controls ........................................................................................... 31

© ISO 2021 – All rights reserved © ISO 2022 – All rights iii
reserved
---------------------- Page: 3 ----------------------
ISO/FDIS 31700-1:2022(E)

7.8 Prepare Breach Management .................................................................................................................. 31

7.9 Operate privacy controls for the processes and products that the product in scope

depends upon through the PII lifecycle. ............................................................................................... 32

8 End of PII lifecycle requirements ........................................................................................................... 33

8.1 Introduction ................................................................................................................................................... 33

8.2 Design privacy controls for retirement and end of use .................................................................. 33

Bibliography ................................................................................................................................................................. 35

© ISO 2021 – All rights reserved
iv © ISO 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 31700:2021-1:2022(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO

collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any

patent rights identified during the development of the document will be in the Introduction and/or on

the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the World

Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Project Committee ISO/PC 317, Consumer protection: privacy by design

for consumer goods and services.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2021 – All rights reserved © ISO 2022 – All rights v
reserved
---------------------- Page: 5 ----------------------
ISO/FDIS 31700-1:2022(E)
Introduction

Consumers’ trust and how well individual privacy needs are met are defining concerns for the digital

economy. This includes how consumers' personally identifiable information (PII) and other data are

processed (collected, used, accessed, stored, and deleted) — or intentionally not collected or processed

by the organization and by the digital goods and services within that digital economy. If PII has been

compromised because of lax, outdated, or non-existent privacy practices, the consequences for the

individual can be severe. In addition, consumers' trust of the digital product can be damaged with

potentially legal or reputational impacts to the organization providing that consumer product.

“Privacy by Design” was originally used by the Information and Privacy Commissioner of Ontario, Canada.

with the goal that the individual need not bear the burden of striving for protection when using a

consumer product.

Privacy by design refers to several methodologies for product, process, system, software and service

development, e.g.[ References [1][], [2][], [3][], [4][], [5][] and [6] that takes]. These methodologies take

into account the privacy of a consumer throughout the design and development of a product, considering

the entire product lifecycle - from before it is placed on the market, through purchase and use by

consumers, to the expected time when all instances of that product finally stop being used. It means that

a product has default consumer-oriented privacy controls and settings that provide appropriate levels of

privacy, without placing undue burden on the consumer.

NOTE 1: This document provides references in the bibliography to other existing standards and resources, that

provide more detailed requirements and guidance on privacy (e.g. identification of PII, PII access and privacy

controls, consumer consent, notification of privacy breach, secure disposal of PII, interactions with third party

processors) for common functions within the organization (e.g. Corporate Governance; Data and Privacy

Governance; IT Operations and IT Services Management; Security and Security Management; Data Management and

Database Administration; Marketing, Product Management; Web and mobile application development, systems

development; Systems administration, network administration).

In this document, the benefits of privacy by design can be viewed through three guiding principles as

outlined below.
Empowerment and transparency

There is growing demand for accurate privacy assertions, systematic methods of privacy due diligence,

and greater transparency and accountability in the design and operation of consumer products that

process PII. The goal is to promote wider adoption of privacy-aware design, earn consumer trust and

satisfy consumer needs for robust privacy and data protection. In addition, the intent is to create and

promote innovative solutions that protect and manage consumers‘consumers' privacy: ia) by analysing

and implementing privacy controls based on the consumer’s perspective, context, and needs, and; ii) b)

by succinctly documenting and communicating to consumers directly how privacy considerations were

approached.
Institutionalization and responsibility

In today’s digital world of shared platforms, interconnected devices, cloud applications and

personalization, it is increasingly important to delineate and distinguish the responsibilities and

perspectives of the consumer of the products that process PII from those of product design, business and

other stakeholders in the ecosystems in which the product operates.

Privacy by design focuses on the consumer perspective when institutionalizing robust privacy norms

throughout the ecosystem including privacy protection and data handling practices. With privacy by

design, the consumer’s behavioural engagement with the product(s) and their privacy needs are

considered early and throughout the product lifecycle process. This way, decisions concerning consumer

© ISO 2021 – All rights reserved
vi © ISO 2022 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/FDIS 31700:2021-1:2022(E)

privacy needs will be more consistent and systematic and become a functional requirement alongside the

interests of product design, business and other stakeholders.

Privacy by design also focuses on accountability, responsibility, and leadership. These aspects are

essential to successfully operationalizing and institutionalizing the privacy by design process. A

demonstrated leadership commitment to privacy by design is essential to operationalize and

institutionalize privacy in the product design process of an organization.
Ecosystem and lifecycle

A privacy by design approach can be applied to the broader information ecosystems in which both

technologies and organizations operate and function. Privacy and consumer protection benefit from

taking a holistic, integrative approach that considers as many contextual factors as possible (e.g.,. the type

of consumer, their goal and intent in using a product, and the data the product will process for that

consumer) – even (or especially) when these factors lie outside the direct control of any particular actor,

organization, or component in the system. [see S. 5.5.3 a)])].

Privacy by design applies to all products that use PII, whether physical goods, or intangible services such

as software as a service, or a mixture of both. It is intended to be scalable to the needs of all types of

organizations in different countries and different sectors, regardless of organization size or maturity.

It is possible that additional privacy issues and a need for related controls are identified at any point in

the product lifecycle, including during development or after use by consumers. Privacy by design

methodologies support iterative approaches to product development, with supplementary privacy

enhancements designed and deployed long after the initial design phase.

The primary audiences for this document are those staff of organizations and third parties, who are

responsible for the concept, design, manufacturing, management, testing, operation, service,

maintenance and disposal of consumer goods and services.
© ISO 2021 – All rights reserved © ISO 2022 – All rights vii
reserved
---------------------- Page: 7 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 31700-1:2022(E)
Consumer protection — Privacy by design for consumer goods
and services — Part 1: High-level requirements
1 Scope

This document establishes high-level requirements for privacy by design to protect privacy throughout

the lifecycle of a consumer product, including data processed by the consumer.

This document does not contain specific requirements for the privacy assurances and commitments that

organizations can offer consumers nor does it specify particular methodologies that an organization can

adopt to design and-implement privacy controls, nor the technology that can be used to operate such

controls.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
consumer

individual member of the general public purchasing or using property, products for private purposes

Note 1 to entry: “Consumer” (including elderly, children, and persons with disabilities) covers both consumers and

potential consumers. Consumer products can be one-time purchases or long-term contracts or obligations.

Note 2 to entry: This term only applies to natural persons, not legal entities.

Note 3 to entry: Property, products or services (3.3) purchased or used by consumers can be used for professional

purposes and not only private ones (e.g. Bring Your Own Device).

[SOURCE: ISO/IEC Guide 14:2018, 3.2, modified –— "or serviced" has been removed from the definition,

Note 1 to entry has been modified, Notes 2 and 3 to entry have been added.]
3.2
personally identifiable information
PII
personal information
© ISO 2022 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/FDIS 31700-1:2022(E)

information that (a) can be used to establish a link between the information and the natural person to

whom such information relates or (b) is or can be directly or indirectly linked to a natural person

Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means which

can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link

between the set of PII and the natural person.

Note 2 to entry: A public cloud PII processor (3.18) is typically not in a position to know explicitly whether

information it processes falls into any specified category unless this is made transparent by the cloud service

customer.

[SOURCE: ISO/IEC 19944-1:2020, 3.3.1, modified — The admitted term has been deleted, Note 1 to entry

and Note 2 to entry have been shortened.]
3.3
privacy breach

situation where personally identifiable information (3.2) is processed in violation of one or more relevant

privacy safeguarding requirements (3.9)
[SOURCE: ISO/IEC 29100:2011, 2.13]
3.4
service

output of an organization with at least one activity necessarily performed between the organization and

the consumer (3.1)
Note 1 to entry: The dominant elements of a service are generally intangible.

Note 2 to entry: A service often involves activities at the interface with the consumer to establish consumer

requirements (3.69) as well as upon delivery of the service and can involve a continuing relationship such as banks,

accountancies or public organizations, e.g. schools or hospitals.
Note 3 to entry: Provision of a service can involve, for example, the following:

— an activity performed on a consumer-supplied tangible product (e.g. a car to be repaired);

— an activity performed on a consumer-supplied intangible product (e.g. the income statement needed to prepare

a tax return);

— the delivery of an intangible product (e.g. the delivery of information in the context of knowledge

transmission);
— the creation of ambience for the customer (e.g. in hotels and restaurants).
Note 4 to entry: A service is generally experienced by the consumer.

[SOURCE: ISO 9000:2015, 3.7.7, modified — to replace “customer” has been replaced with “consumer”.]

3.5
privacy by design

design methodologies in which privacy is considered and integrated into the initial design stage and

throughout the complete lifecycle of products, processes or services (3.3) that involve processing of

© ISO 2021 – All rights reserved
2 © ISO 2022 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/FDIS 31700-1:2022(E)

personally identifiable information (3.2), including product retirement (3.1315) and the eventual deletion

(3.2426) of any associated personally identifiable information (3.2)
Note 1 to entry: The lifecycle also includes changes or updates.
3.6
interested party
stakeholder

person, group of people or organization (3.2.1) that has an interest in, can affect, be affected by, or

perceive itself to be affected by a decision or activity

[SOURCE: ISO 22886:2020(en), modified to include non-organized persons such as vulnerable

population and groups that have aligned responsibilities but may not have direct impact.]

3.7
consumer-configurable privacy setting
consumer privacy setting
consumer privacy control

specific choices made by a personally identifiable information (3.2) principal about how their personally

identifiable information may beis processed for a particular purpose

[SOURCE: ISO/IEC 29100:2011, 2.17, modified to address consumer enabled control— Preferred term

deleted, new preferred and admitted terms added.]
3.8
processing of personally identifiable information
processing of PII

operation or set of operations performed upon personally identifiable information (3.2)

Note 1 to entry: Examples of processing operations of personally identifiable information include, but are not limited

to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization,

dissemination or otherwise making available, deletion or destruction of personally identifiable information.

[SOURCE;: ISO/IEC 29100:2011(en)], 2.23]
3.9
requirement

statement that translates or expresses a need and its associated constraints (3.7) and conditions (3.810)

in an unambiguous manner
Note 1 to entry: Requirements exist at different levels in the system structure.

Note 2 to entry: A requirement always relates to a system, software or service (3.34), or other item of interest.

[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.19, modified – "in an unambiguous manner” has been added to

the definition, Note 2 to entry has been deleted, and Note 3 to entry is now Note 2 to entry.]

3.10
condition

measurable qualitative or quantitative attribute (3.11) that is stipulated for a requirement (3.69) and that

indicates a circumstance or event under which a requirement applies
© ISO 2021 – All rights reserved © ISO 2022 – All rights 3
reserved
---------------------- Page: 10 ----------------------
ISO/FDIS 31700-1:2022(E)
[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.6]
3.11
attribute

inherent property or characteristic of an entity that can be distinguished quantitatively or qualitatively

by human or automated means

Note 1 to entry: ISO 9000 distinguishes two types of attributes: a permanent characteristic existing inherently in

something; and an assigned characteristic of a product, process, or system (e.g. the price of a product, the owner of

a product). The assigned characteristic is not an inherent quality characteristic of that product, process or system.

[SOURCE: ISO/IEC 25000:2014, 4.1, modified — The original Note 1 to entry has been removed; Note 2

to entry has become Note 1 to entry.]
3.12
third party
person or body that is independent of the organization (3.1)

Note 1 to entry: All business associates are third parties, but not all third parties are business associates.

Note 2 to entry: A third -party can be a PIIpersonally identifiable information controller (3.1719) or a PIIpersonally

identifiable information processor (3.1820) or both, depending on context.
[SOURCE: ISO: 37301: 2021, 3.3, modified – Note 2 to entry added.]
3.13
consumer product

good or service designed and produced primarily for, but not limited to, personal or household use,

including tsits components, parts accessories, instructions and packaging.
[SOURCE: ISO 10377:2013, 2.2],, modified]
3.14
personalpersonally identifiable information lifecycle
PII lifecycle

sequence of events from creation or origination, collection, through storage, use and transfer to

eventual disposal (e.g. secure destruction) of personally identifiable information (3.2).

3.15
retirement

withdrawal of active support by the operation and maintenance organization;, partial or total

replacement by a new system, or installation of an upgraded system

Note 1 to entry: This can include decommissioning, cessation of marketing, selling, or provision of parts, services or

software updates for the product.

[SOURCE: ISO/IEC/IEEE 15288:2015(en),, 4.1.39, modified — Note 1 to entry added.]

3.16
privacy control

measure that treats privacy risks (3.1618) by reducing their likelihood or their consequences

© ISO 2021 – All rights reserved
4 © ISO 2022 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/FDIS 31700-1:2022(E)

Note 1 to entry: Privacy controls include organizational, physical and technical measures, e.g. policies, procedures,

guidelines, legal contracts, management practices, data-minimizing protocols and techniques or organizational

structures.

Note 2 to entry: Control is also used as a synonym for safeguard or countermeasure.

[SOURCE: ISO/IEC 29100:2011 Modified text added], modified — Note 1 to entry modified.]

3.17
information security
preservation of confidentiality, integrity and availability of information

Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability

can also be involved.
[SOURCE: ISO/IEC 27000:2018, 2.333.28]
3.18
privacy risk
effect of uncertainty on privacy

Note 1 to entry: Risk is defined as the “effect of uncertainty on objectives” in and .

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or

knowledge of, an event, its consequence, or likelihood.

Note 3 2 to entry: a privacy risk can be PIIpersonally identifiable information (3.2) misuse or the risk that consumers

(3.1) will experience adverse consequences resulting from PIIpersonally identifiable information processing.

[SOURCE: ISO/IEC 29100:2011, 2.19, modified --— Note 1 to entry has been deleted, Note 2 to entry has

been added Note 3].]
3.19
personally identifiable information controller
PII controller

privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing

personally identifiable information (3.2) other than natural persons who use data for personal purposes

[SOURCE: ISO/IEC 29100:2011, 2.10 Modified to delete, modified — Note 1]to entry has been removed.]

3.20
personally identifiable information processor
PII processor

privacy stakeholder that processes personally identifiable information (3.2) on behalf of and in

accordance with the instruction of a PII controller (3.1719)
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.21
human-centred design

approach to system design and development that aims to make interactive systems more usable by

focusing on the use of the system by human beings; applying human factors, ergonomics and usability

knowledge and techniques
© ISO 2021 – All rights reserved © ISO 2022 – All rights 5
reserved
---------------------- Page: 12 ----------------------
ISO/FDIS 31700-1:2022(E)

Note 1 to entry: The term "human-centred design" is used rather than "consumer-centred design" to emphasize that

design impacts a number of stakeholders, not just those typically considered as consumer (3.1). However, in

practice, they are often used synonymously.

Note 2 to entry: Usable systems can provide a number of benefits including improved productivity, enhanced

consumer wellbeing, avoidance of stress, increased accessibility, and reduced risk of harm.

[SOURCE: ISO/IEC 25063:2014, 3.6], modified — Note 1 to entry has been modified.]

3.22
use case

description of a sequence of interactions of a consumer (3.1) and a consumer product used to help

identify, clarify, and organize requirements (3.69) to support a specific business goal

Note 1 to entry: Consumer can be users, engineers, systems.

[SOURCE: ISO/TR 14872:2019, 3.9, modified –— "user" has been changed to "consumer",

Notes1"system" has been changed to "consumer product" and Note to entry has been added. Note 2

deleted].]
3.23
consumer vulnerability

state in which an individual can be placed at a disadvantage, or at risk of detriment, during his/her

interaction with a service provider due to the presence of personal, situational and market environment

factors
Note 1 to entry: Anyone can be vulnerable at any time. Vul
...

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 31700-1
ISO/PC 317
Consumer protection — Privacy
Secretariat: BSI
by design for consumer goods and
Voting begins on:
2022-09-09 services —
Voting terminates on:
Part 1:
2022-11-04
High-level requirements
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/FDIS 31700-1:2022(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO 2022
---------------------- Page: 1 ----------------------
ISO/FDIS 31700-1:2022(E)
FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 31700-1
ISO/PC 317
Consumer protection — Privacy
Secretariat: BSI
by design for consumer goods and
Voting begins on:
services —
Voting terminates on:
Part 1:
High-level requirements
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/FDIS 31700-1:2022(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
© ISO 2022 – All rights reserved
NATIONAL REGULATIONS. © ISO 2022
---------------------- Page: 2 ----------------------
ISO/FDIS 31700-1:2022(E)
Contents Page

Foreword ....................................................................................................................................................................................................................................... vi

Introduction .............................................................................................................................................................................................................................vii

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 General ........................................................................................................................................................................................................................... 8

4.1 Overview ...................................................................................................................................................................................................... 8

4.2 Designing capabilities to enable consumers to enforce their privacy rights ................................. 9

4.2.1 Requirement ........................................................................................................................................................................... 9

4.2.2 Explanation ............................................................................................................................................................................. 9

4.2.3 Guidance ................................................................................................................................................................................. 10

4.3 Developing capability to determine consumer privacy preferences .................................................. 10

4.3.1 Requirement ........................................................................................................................................................................ 10

4.3.2 Explanation .......................................................................................................................................................................... 11

4.3.3 Guidance ................................................................................................................................................................................. 11

4.4 Designing human computer interface (HCI) for privacy ............................................................................... 11

4.4.1 Requirement ........................................................................................................................................................................ 11

4.4.2 Explanation ..........................................................................................................................................................................12

4.4.3 Guidance .................................................................................................................................................................................12

4.5 Assigning relevant roles and authorities .....................................................................................................................12

4.5.1 Requirement ........................................................................................................................................................................12

4.5.2 Explanation .......................................................................................................................................................................... 12

4.5.3 Guidance .................................................................................................................................................................................12

4.6 Establishing multi-functional responsibilities ....................................................................................................... 13

4.6.1 Requirement ........................................................................................................................................................................13

4.6.2 Explanation .......................................................................................................................................................................... 13

4.6.3 Guidance .................................................................................................................................................................................13

4.7 Developing privacy knowledge, skill and ability ................................................................................................... 13

4.7.1 Requirement ........................................................................................................................................................................13

4.7.2 Explanation .......................................................................................................................................................................... 14

4.7.3 Guidance ................................................................................................................................................................................. 14

4.8 Ensuring knowledge of privacy controls ..................................................................................................................... 14

4.8.1 Requirement ........................................................................................................................................................................ 14

4.8.2 Explanation .......................................................................................................................................................................... 14

4.8.3 Guidance .................................................................................................................................................................................15

4.9 Documentation and information management ...................................................................................................... 15

4.9.1 Requirement ........................................................................................................................................................................15

4.9.2 Explanation .......................................................................................................................................................................... 15

4.9.3 Guidance ................................................................................................................................................................................. 16

5 Consumer communication requirements ..............................................................................................................................16

5.1 Overview ................................................................................................................................................................................................... 16

5.2 Provision of privacy information ........................................................................................................................................ 17

5.2.1 Requirement ........................................................................................................................................................................ 17

5.2.2 Explanation .......................................................................................................................................................................... 17

5.2.3 Guidance ................................................................................................................................................................................. 17

5.3 Accountability for providing privacy information .............................................................................................. 18

5.3.1 Requirement ........................................................................................................................................................................ 18

5.3.2 Explanation .......................................................................................................................................................................... 19

5.3.3 Guidance ................................................................................................................................................................................. 19

5.4 Responding to consumer inquiries and complaints ........................................................................................... 19

5.4.1 Requirement ........................................................................................................................................................................ 19

5.4.2 Explanation .......................................................................................................................................................................... 19

iii
© ISO 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/FDIS 31700-1:2022(E)

5.4.3 Guidance ................................................................................................................................................................................. 19

5.5 Communicating to diverse consumer population ................................................................................................ 19

5.5.1 Requirement ........................................................................................................................................................................ 19

5.5.2 Explanation .......................................................................................................................................................................... 19

5.5.3 Guidance ................................................................................................................................................................................. 20

5.6 Prepare data breach communications ........................................................................................................................... 20

5.6.1 Requirement ........................................................................................................................................................................20

5.6.2 Explanation .......................................................................................................................................................................... 20

5.6.3 Guidance ................................................................................................................................................................................. 20

6 Risk management requirements .....................................................................................................................................................21

6.1 Overview ................................................................................................................................................................................................... 21

6.2 Conducting a privacy risk assessment ........................................................................................................................... 21

6.2.1 Requirement ........................................................................................................................................................................ 21

6.2.2 Explanation .......................................................................................................................................................................... 21

6.2.3 Guidance .................................................................................................................................................................................22

6.3 Assessing privacy capabilities of third parties ...................................................................................................... 22

6.3.1 Requirement ........................................................................................................................................................................22

6.3.2 Explanation .......................................................................................................................................................................... 23

6.3.3 Guidance .................................................................................................................................................................................23

6.4 Establishing and documenting requirements for privacy controls .....................................................23

6.4.1 Requirement: ......................................................................................................................................................................23

6.4.2 Explanation .......................................................................................................................................................................... 23

6.4.3 Guidance ................................................................................................................................................................................. 24

6.5 Monitoring and updating risk assessment ................................................................................................................. 24

6.5.1 Requirement ........................................................................................................................................................................ 24

6.5.2 Explanation .......................................................................................................................................................................... 24

6.5.3 Guidance ................................................................................................................................................................................. 24

6.6 Including privacy risks in cybersecurity resilience design ......................................................................... 25

6.6.1 Requirement ........................................................................................................................................................................ 25

6.6.2 Explanation .......................................................................................................................................................................... 25

6.6.3 Guidance ................................................................................................................................................................................. 25

7 Developing, deploying and operating designed privacy controls ................................................................25

7.1 Overview ................................................................................................................................................................................................... 25

7.2 Integrating the design and operation of privacy controls into the product

development and management lifecycles .................................................................................................................... 26

7.2.1 Requirement ........................................................................................................................................................................26

7.2.2 Explanation .......................................................................................................................................................................... 26

7.2.3 Guidance ................................................................................................................................................................................. 26

7.3 Designing privacy controls ....................................................................................................................................................... 27

7.3.1 Requirement ........................................................................................................................................................................ 27

7.3.2 Explanation .......................................................................................................................................................................... 27

7.3.3 Guidance ................................................................................................................................................................................. 27

7.4 Implementing privacy controls ........................................................................................................................................... .. 27

7.4.1 Requirement ........................................................................................................................................................................ 27

7.4.2 Explanation .......................................................................................................................................................................... 27

7.4.3 Guidance ................................................................................................................................................................................. 27

7.5 Designing privacy control testing ......................................................................................................................................28

7.5.1 Requirement ........................................................................................................................................................................28

7.5.2 Explanation ..........................................................................................................................................................................28

7.5.3 Guidance .................................................................................................................................................................................28

7.6 Managing the transition of privacy controls ............................................................................................................29

7.6.1 Requirement ........................................................................................................................................................................29

7.6.2 Explanation ..........................................................................................................................................................................29

7.6.3 Guidance .................................................................................................................................................................................29

7.7 Managing the operation of privacy controls .............................................................................................................30

7.7.1 Requirement ........................................................................................................................................................................30

7.7.2 Explanation .......................................................................................................................................................................... 30

© ISO 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 31700-1:2022(E)

7.7.3 Guidance ................................................................................................................................................................................. 30

7.8 Preparing for and managing a privacy breach........................................................................................................30

7.8.1 Requirement ........................................................................................................................................................................30

7.8.2 Explanation .......................................................................................................................................................................... 31

7.8.3 Guidance ................................................................................................................................................................................. 31

7.9 Operating privacy controls for the processes and products upon which the

product in scope depends throughout the PII lifecycle ................................................................................... 31

7.9.1 Requirement ........................................................................................................................................................................ 31

7.9.2 Explanation .......................................................................................................................................................................... 31

7.9.3 Guidance ................................................................................................................................................................................. 31

8 End of PII lifecycle requirements ....................................................................................................................................................32

8.1 Overview ................................................................................................................................................................................................... 32

8.2 Designing privacy controls for retirement and end of use ........................................................................... 32

8.2.1 Requirement ........................................................................................................................................................................ 32

8.2.2 Explanation .......................................................................................................................................................................... 32

8.2.3 Guidance ................................................................................................................................................................................. 32

Bibliography .............................................................................................................................................................................................................................34

© ISO 2022 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/FDIS 31700-1:2022(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Project Committee ISO/PC 317, Consumer protection: privacy by design

for consumer goods and services.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2022 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/FDIS 31700-1:2022(E)
Introduction

Consumers’ trust and how well individual privacy needs are met are defining concerns for the digital

economy. This includes how consumers' personally identifiable information (PII) and other data are

processed (collected, used, accessed, stored, and deleted) — or intentionally not collected or processed

by the organization and by the digital goods and services within that digital economy. If PII has been

compromised because of lax, outdated, or non-existent privacy practices, the consequences for the

individual can be severe. In addition, consumers' trust of the digital product can be damaged with

potentially legal or reputational impacts to the organization providing that consumer product.

“Privacy by Design” was originally used by the Information and Privacy Commissioner of Ontario,

Canada. with the goal that the individual need not bear the burden of striving for protection when using

a consumer product.

Privacy by design refers to several methodologies for product, process, system, software and service

development, e.g References [1], [2], [3], [4], [5] and [6]. These methodologies take into account the

privacy of a consumer throughout the design and development of a product, considering the entire

product lifecycle - from before it is placed on the market, through purchase and use by consumers, to

the expected time when all instances of that product finally stop being used. It means that a product

has default consumer-oriented privacy controls and settings that provide appropriate levels of privacy,

without placing undue burden on the consumer.
NOTE This document provides references in the bibliography to ot
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TR 31700-2(Main)
Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases

This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

  • Draft
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off
ISO
ISO/TS 24519:2022(Main)
Service activities relating to drinking water supply, wastewater and stormwater systems — Water and wastewater services for temporary settlements for displaced persons

This document provides guidelines for alternative water services (AWS) and alternative wastewater services (AWWS) to temporary settlements for displaced persons e.g. refugee/internally displaced persons (IDP) camps, for drinking, sanitation and hygiene purposes. It addresses AWS and AWWS principles and methods, operational planning and implementation. This document provides guidelines for drinking water supply to temporary settlements, and the disposal of wastewater, by implementation of different methods; it does not deal with the ways of using water inside the temporary settlements. This document deals with drinking water quantity but does not provide methods for quality testing. Water quality test methods are included in the scope of ISO TC 147. The document does make recommendations regarding public safety with respect to the location of distribution and collection points. On-site treatments are not discussed in this document but, depending on circumstances, they can be suitable. In such case, helpful technical guidelines are provided in the bibliography of this document. This document complements ISO 24527, whose scope excludes drinking water supplied to temporary settlements. It also complements other ISO TC 224's documents such as ISO 24518 and ISO/TS 24520. This document is intended to be used by the responsible body for the provision of the water service. It can be used by interested parties such as water utilities, governments and governmental organizations, security bodies, international refugee agencies, related NGOs and relevant industry stakeholders.

  • Technical specification
    17 pages
    English language
    sale 15% off
ISO
ISO/TR 31700-2(Main)
Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases

This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

  • Draft
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off
ISO
ISO/IEC 19086-2:2018/Amd 1:2023(Amendment)
Cloud computing — Service level agreement (SLA) framework — Part 2: Metric model — Amendment 1
  • Standard
    4 pages
    English language
    sale 15% off
ISO
ISO 7209:2023(Main)
Titanium and titanium alloys — Plate, sheet and strip — Technical delivery conditions

This document specifies requirements for the manufacture and technical delivery conditions of plate, sheet and strip made from titanium and titanium alloys.

  • Standard
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
ISO
ISO/IEC 30179:2023(Main)
Internet of Things (IoT) — Overview and general requirements of IoT system for ecological environment monitoring

This document specifies the Internet of Things system for ecological environment monitoring in terms of the following: – system infrastructure and system entities of the IoT system for ecological environment monitoring for natural entities such as air, water, soil, living organisms; and – the general requirements of the IoT system for ecological environment monitoring.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO 12509:2023(Main)
Earth-moving machinery and rough-terrain trucks — Lighting, signalling and marking lights, and reflex reflectors

This document specifies requirements for installation and performance of lighting, signalling and marking lights, and reflex reflectors. It is applicable to ride-on self-propelled wheeled or crawler earth-moving machines as defined in ISO 6165, and rough-terrain variable-reach trucks as defined in ISO 10896-1 and ISO 10896-2, hereafter known as “machines”. These machines are used off-road and can occasionally be driven on the road. NOTE 1 Meeting the requirements of this document does not ensure conformance to national or regional on-road regulations. NOTE 2 Rough-terrain trucks with mast as defined in ISO 3691-1 and rough-terrain lorry-mounted trucks as defined in ISO 20297-1 are not specifically covered by this document, but this document can be used for guidance.

  • Standard
    54 pages
    English language
    sale 15% off
  • Standard
    54 pages
    French language
    sale 15% off
ISO
ISO 13741-1:2023(Main)
Plastics/rubber — Determination of residual monomers and other organic components by capillary-column gas chromatography — Part 1: Direct liquid injection method

This document specifies a method for the determination of residual monomers and other (saturated) organic components in aqueous polymer dispersions and latices as well as in related products. It makes use of capillary-column gas chromatography with direct injection of the liquid sample. Residual monomers and saturated volatiles that have been successfully determined by this method include acrylic and methacrylic esters, acrylonitrile, butadiene, styrene, vinyl acetate, vinyl chloride as well as by-products such as acetaldehyde and ethylbenzene.

  • Standard
    9 pages
    English language
    sale 15% off
ISO
ISO/TR 22126-3:2023(Main)
Financial services — Semantic technology — Part 3: Semantic enrichment of the ISO 20022 conceptual model

This document examines semantic enrichment to support the maintenance of the ISO 20022 conceptual model. It reports on existing and proposed practices to enrich a model: — in a repository, annotating repository concepts with metadata using semantic markup or constraints; — outside a repository, using references to repository concepts, such as the provenance of changes.

  • Technical report
    12 pages
    English language
    sale 15% off
ISO
ISO 14619:2023(Main)
Space systems — Space experiments — General requirements

This document addresses experimental add-on components to a space system under development and specifies the procedures for preparing and carrying out space experiments (SEs), and analysis and processing of the findings. It is applicable to both manned and unmanned space systems. It can be tailored to the specific needs of different kinds of SEs.

  • Standard
    12 pages
    English language
    sale 15% off