kSIST FprEN 17529:2021
(Main)Data protection and privacy by design and by default
Data protection and privacy by design and by default
This document provides requirements for manufacturers and/or service providers to implement Data protection and Privacy by Design and by Default (DPbDD) early in their development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.
Datenschutz by Design und als Grundeinstellung
Dieses Dokument stellt Anforderungen an Hersteller und/oder Diensterbringer, Datenschutz und Schutz der Privatsphäre durch Technikgestaltung und datenschutzfreundliche Voreinstellungen (DPbDD, en: Data protection and Privacy by Design and by Default) frühzeitig in der Entwicklung ihrer Produkte und Dienste umzusetzen, d. h. vor (oder unabhängig von) einer bestimmten Anwendungsintegration, um sicherzustellen, dass sie möglichst datenschutzfähig sind. Das Dokument wird für alle Wirtschaftszweige, einschließlich der Sicherheitsindustrie, gelten.
Protection des données et de la vie privée dès la conception et par défaut
Le présent document donne aux fabricants et/ou aux fournisseurs de services les exigences pour mettre en œuvre la protection des données et de la vie privée dès la conception et par défaut (DPbDD) dès le début du développement de leurs produits et services, c'est-à-dire avant (ou indépendamment de) toute intégration dans une application spécifique, afin de s'assurer qu'ils sont aussi prêts que possible à respecter la vie privée. Le document s'appliquera à l'ensemble des secteurs commerciaux, y compris le secteur de la sécurité.
Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto
General Information
Standards Content (sample)
SLOVENSKI STANDARD
oSIST prEN 17529:2020
01-september-2020
Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto
Data protection and privacy by design and by default
Datenschutz by Design und als Grundeinstellung
Protection des données et de la vie privée dès la conception et par défaut
Ta slovenski standard je istoveten z: prEN 17529
ICS:
35.030 Informacijska varnost IT Security
oSIST prEN 17529:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------oSIST prEN 17529:2020
---------------------- Page: 2 ----------------------
oSIST prEN 17529:2020
EUROPEAN STANDARD
DRAFT
prEN 17529
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2020
ICS 35.030
English version
Data protection and privacy by design and by default
Protection des données et de la vie privée dès la Datenschutz by Design und als Grundeinstellung
conception et par défautThis draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.
Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. prEN 17529:2020 E
reserved worldwide for CEN national Members and forCENELEC Members.
---------------------- Page: 3 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
Contents Page
European foreword ...................................................................................................................................................... 4
Introduction .................................................................................................................................................................... 5
1 Scope .................................................................................................................................................................... 6
2 Normative references .................................................................................................................................... 6
3 Terms, definitions and abbreviations ..................................................................................................... 6
3.1 Terms and definitions ................................................................................................................................... 6
3.2 Abbreviated terms .......................................................................................................................................... 7
4 General................................................................................................................................................................ 7
4.1 Preparing the grounds for data protection and privacy by design and by default ................. 7
4.2 Structure for disassembling product and service into applicable categories .......................... 8
4.2.1 Introduction ...................................................................................................................................................... 8
4.2.2 Product layers .................................................................................................................................................. 8
4.2.3 Service layers ................................................................................................................................................... 9
4.3 Self-declaration and levels of achievement ......................................................................................... 10
5 Process for a privacy aware development of products and services ......................................... 11
5.1 Leadership and market intelligence ...................................................................................................... 11
5.2 Preparation ..................................................................................................................................................... 12
5.3 Design ................................................................................................................................................................ 12
5.3.1 Determination of DPbPP requirements ................................................................................................ 12
5.3.2 Development .................................................................................................................................................. 13
5.3.3 Production and service provision ........................................................................................................... 14
5.3.4 Release of products and services ............................................................................................................ 14
5.4 Performance evaluation ............................................................................................................................. 14
5.5 Improvement .................................................................................................................................................. 14
6 Basic requirements on the design of products and services ......................................................... 14
6.1 Access ................................................................................................................................................................ 14
6.1.1 Access to data ................................................................................................................................................. 14
6.1.2 Copy of data ..................................................................................................................................................... 15
6.2 Accountability ................................................................................................................................................ 16
6.3 Accuracy ........................................................................................................................................................... 16
6.4 Data de-identification ................................................................................................................................. 17
6.5 Data minimization ........................................................................................................................................ 18
6.6 Data portability ............................................................................................................................................. 19
6.7 Confidentiality ............................................................................................................................................... 20
6.8 Erasure.............................................................................................................................................................. 22
6.9 Fairness ............................................................................................................................................................ 23
6.9.1 Determination of user age ......................................................................................................................... 23
6.9.2 Configurable children age threshold ..................................................................................................... 24
6.10 Information security .................................................................................................................................... 24
6.10.1 Unauthorized or unlawful processing ................................................................................................... 24
6.10.2 Data loss ........................................................................................................................................................... 27
6.10.3 Information protection targets ................................................................................................................ 28
6.10.4 Restore .............................................................................................................................................................. 28
6.11 Lawfulness ....................................................................................................................................................... 29
---------------------- Page: 4 ----------------------oSIST prEN 17529:2020
prEN 17529:2020 (E)
6.11.1 Data disclosure .............................................................................................................................................. 29
6.11.2 Consent ............................................................................................................................................................. 29
6.12 Objection to processing .............................................................................................................................. 30
6.13 Automated decision making ..................................................................................................................... 31
6.14 Restriction of processing ........................................................................................................................... 31
6.15 Storage limitation ......................................................................................................................................... 32
6.16 Transparency ................................................................................................................................................. 33
6.16.1 Information ..................................................................................................................................................... 33
6.16.2 Record of processing activities ................................................................................................................ 35
7 Requirements to the self-declaration of privacy aware design ................................................... 36
7.1 Process requirements ................................................................................................................................. 36
7.1.1 Preparation based on the product and service layer requirements .......................................... 36
7.1.2 Preparation additionally based on conduction of a DPIA .............................................................. 37
7.1.3 Determination of the level of achievement ......................................................................................... 37
7.2 Self-declaration statement ........................................................................................................................ 38
Annex A (informative) Applicability mapping between Clause 6 requirements and layers .......... 39
Annex B (informative) Approach for a definition .......................................................................................... 49
Annex C (informative) Guidelines related to EN ISO 9001 .......................................................................... 51
Annex ZA (informative) Relationship between this European Standard and the dataprotection by design and by default requirements of Regulation EU 2016/679 aimed
to be covered .................................................................................................................................................. 56
Bibliography ................................................................................................................................................................. 58
---------------------- Page: 5 ----------------------oSIST prEN 17529:2020
prEN 17529:2020 (E)
European foreword
This document (prEN 17529:2020) has been prepared by WG 5 “Data Protection, Privacy and Identity
Management” of the CEN/CENELEC JTC 13 “Cybersecurity and Data Protection”, the secretariat of
which is held by DIN.This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN and CENELEC by the European
Commission and the European Free Trade Association. This project is developed as part of
CEN/CLC/JTC 13 work programme in fulfilment of Standardization Request M/530.For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this
document.---------------------- Page: 6 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
Introduction
0.1 General
This document provides the component and subsystems developers with an early formalized process
for identification of privacy objects and requirements, as well as the necessary guidance on associated
assessment. It further provides support for understanding the cascaded liability and obligation of
manufacturers and service providers (Reference to GDPR and as applicable reference to Article 23, as
well as to rules applicable to governmental applications).The General Data Protection Regulation, in its Art. 25 charges data controllers, and implicitly
manufacturers, with implementing Data Protection by design and by default. The aim of this document
is to give requirements to manufacturers and/or service providers to implement Data protection and
Privacy by Design and by Default (DPbDD) early in the development of their products and services, i.e.
before (or independently of) any specific application or integration, to make sure that they are as
privacy ready as possible with regard to the anticipated markets.The quality management system of EN ISO 9001 is building the framework for the process to provide
products and services that incorporate Data protection and privacy by design. Enhancements are made
to EN ISO 9001 where necessary. Additionally, and as applicable in this preliminary generic phase for
the product or service, specific control objectives and requirements were derived from the General Data
Protection Regulation, the respective supplier or service provider is expected to fulfil. Finally, a self-
declaration mechanism is defined to be applied, when feasible pending the variety of anticipated use
cases, for accordingly designed products and services in order to provide orientation to data
controllers, to data subjects and to the society.For some purposes of processing and for some categories of personal data, a data protection impact
assessment (DPIA) according to EN ISO/IEC 29134 needs to be conducted and in addition to the
requirements given in this document, the treatment plan resulting from the DPIA needs to get fulfilled
as well.This document is intended for the use by manufacturers, suppliers, hard- and software developers,
system integrators providing products and services for the use by as data controller, and for the use by
controllers when selecting products and services for data processing.0.2 Compatibility with other management system standards
This document applies the framework developed by CEN/CENELEC and ISO to improve alignment
among its Management System Standards.This document enables an organization to align or integrate its development considerations on data
protection with the requirements of other Management System standards.---------------------- Page: 7 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
1 Scope
This document provides requirements for manufacturers and/or service providers to implement Data
protection and Privacy by Design and by Default (DPbDD) early in their development of their products
and services, i.e. before (or independently of) any specific application integration, to make sure that
they are as privacy ready as possible. The document will be applicable to all business sectors, including
the security industry.2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN ISO/IEC 29134, Information technology — Security techniques — Guidelines for privacy impact
assessment (ISO/IEC 29134)3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following term and definitions apply.
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1.1
data protection by design
technical and organisational measures designed to implement data protection principles
Note 1 to entry: The measures shall be implemented in an effective manner and to integrate the necessary
safeguards into the processing.3.1.2
data protection by default
technical and organisational measures for ensuring that only personal data which are necessary for
each specific purpose of the processing are processedNote 1 to entry: Such measures should cover at least the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility.3.1.3
data protection impact assessment
DPIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personally identifiable
information, framed within an organization’s broader risk management frameworkNote 1 to entry: Adapted from ISO/IEC 29134:2017, 3.7.
---------------------- Page: 8 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
3.1.4
special categories of personal data
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation
[SOURCE: GDPR Article 9, Clause 1]3.2 Abbreviated terms
DPbDD Data protection and Privacy by Design and by Default
DPIA Data protection impact assessment
GDPR EU General Data Protection Regulation
GSMA Global system of mobile communication association
ISACA Information Systems Audit and Control Association
LoA Level of Achievement
4 General
4.1 Preparing the grounds for data protection and privacy by design and by default
Alongside the broadly formulated expectations in terms of protecting personal data during data
processing procedures, Data protection and privacy by design and by default relate to the ability of the
intended technical systems and components to be able to support this protection. Yet, manufacturers do
not have an obligation under the GDPR. Other instruments are therefore required to guide them in a
process through which their products or services are designed to be Data protection and privacy by
design and default friendly for a maximum of use cases, as per the anticipated market. An underlying set
of requirements consistent with the company’s quality process is detailed hereafter. Anticipated
benefits are for the end-users (customers/data controllers) ease to implement their privacy duties and
for the manufacturer a competitive edge.The GDPR contains many legal provisions for consideration by data controllers and processors; such
provisions rely largely on the diverse functional and operational conditions in which it is anticipated
that the product or service will be used. In this context and to support the providers of products and
services in their assessment, the obligations of data controllers were generically analysed if they
contain, explicitly or implicitly, the need for functional capabilities in support of data controllers
obligation.The following principles will be considered foundational for Data protection and privacy by design and
by default:1) DPbDD shall be proactive and preventative, not reactive and remedial.
2) Default settings and configuration shall be secure and privacy-aware.
3) Data protection and privacy shall be incorporated into design.
4) DPbDD seeks full functionality in accommodation of legitimate interests and objectives, no trade
offs.5) DPbDD will concern the entire data lifecycle.
---------------------- Page: 9 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
6) DPbDD shall be visible and transparent and subject to independent verification.
7) The interests of the individual should be kept uppermost by offering strong defaults, appropriate
notice and be kept user-centric by offering user-friendly options, even if such provisions appear as
less privacy-friendly.8) DPbDD measures shall be effective.
9) DPbDD measures shall be designed to be robust and be able to scale up in accordance with
increases in risk of breach of the data protection principles.10) DPdDD measures shall be regularly assessed.
When understanding data protection by design in the utmost possible way, consideration needs to be
given not only to the moment of supplying and providing. The whole lifecycle of both, the personal data
and the product and/or service needs to be considered as well.Special attention should be drawn to maintenance activities as well as to the frame conditions, under
which a reuse of products could happen. Furthermore, the service includes the operation of processing
as a processor on data controllers behalf. Some requirements of this document will draw attention to
this scenarios.If the service provider needs to be seen as a data controller himself, additional organizational and
technical measures should be put into place and be governed by an appropriated Management system,
e.g. EN ISO/IEC 27701. These organizational and technical measures will be out of scope for this
document.This document provides in 4.2 a structure for splitting up integrated products and services into layers,
which may be used to modulate them into building blocks that need to fulfil the same set of
requirements. In 4.3 the conformity scheme for a self-declaration is provided.In Clause 5, the requirements for a process of privacy aware development of products and services are
provided.In Clause 6, there are basic requirements on the design of products and services provided. Application
is specified to the respective product and service layers defined in 4.2 and control objectives give
reference to the GDPR.Clause 7 provides guidelines to the process of self-declaration and the requirements to determine the
level of achievement.In the Annexes A, B and C, detailed information is given on the mapping of basic requirements to
product or service layers on the definition of privacy by design and on guidance for applying ISO 9001
as a management system to the development. Additionally, the Annex ZA contains the conformity
statement for EU Mandate M/530.4.2 Structure for disassembling product and service into applicable categories
4.2.1 Introduction
As it does not seem practical to build requirements directly for products and for services, that can
highly differ in submodule assembly, architecture and bundling, set of module categories is defined in
the next two clauses. Any market product or service under this document needs to be seen as a
combination of some of this categories in the understanding of adding layers to get the full picture.
Therefore, the terms “product layer” and “service layer” will be used for these categories.
4.2.2 Product layersThe module categories, of which a product can consist, are defined as follows:
---------------------- Page: 10 ----------------------
oSIST prEN 17529:2020
prEN 17529:2020 (E)
1) Component layer — mainly physical submodules like microprocessors and microcontrollers,
DRAM-Modules, Interface controllers, media drives, physical storage media, sensors, actors or
power supply. This layer can include connectivity drivers and small programs as e.g. for upgrading
or dynamic connection.2) Device layer — bare bone with chassis, shielding, display, keyboards and casing. The device layer
integrates components from the component layer and is adding programs for BIOS and boot
capabilities.3) Operating system layer — software layer with programs supporting the configuration of the device,
the basic interaction with the user, like keyboard input and output via display or printer, the
support of user authentication, the administration of the device itself and its interconnectivity with
networks and with tools supporting local activities on the device.4) Communication layer — Connectivity components emulating physical links (wired or wireless) for
the purpose of information transmission. This layer is similar to the component layer, but differs
regarding specific concerns related with the aspect of the network it builds.5) Storage layer — logical layer for the management of storage locations on connected physical
storage media via the component layer. This includes locally or remotely connected media, raid or
cluster architectures, NAS or SAN concepts as well as fileservers and cloud storage.
6) User Interface layer — logical layer for the management of user interaction with a device or service,
which is not on Operating system layer. This layer also includes portals and, up to a certain degree,
content management systems.7) Integrated system layer — this layer applies, when a product is an integration of more than one
device. It requires a communication model between the devices with specified protocols and
transmission management. Integrated systems shall demonstrate the capabilities and default
settings for an appropriate network security.8) Application layer — software layer providing the expected functionality of a device or an integrated
system.9) Business process layer — logical layer above the application layer that is managing information
exchange between many devices, integrated systems or even organisations.10) System management layer — logical layer for the management of Operation and information
security regarding the devices, integrated systems, applications, Storages and/or communication
flows.4.2.3 Service layers
The module categories, of which a service can consist, are defined as follows:
1) Service management layer — human based service of configuration, operation control and incident
response.2) Self-service layer — application service to provide the customer or the user with tools to configure
other product or service layers.3) Integration service layer — customer specific service of making subsystems interoperable,
normally organized within a dedicated project under a customer defined management framework.
---------------------- Page: 11 ----------------------oSIST prEN 17529:2020
prEN 17529:2020 (E)
4) Transmission service layer — service that interconnects transmission lines via organizational
boarders.5) Update service layer — Program code updates provided human based proactive, automated
reactive or by only making the updates available for download.6) Cloud service layer — service providing operation facilities either on infrastructure level or on
application level.7) Content service layer — service providing additional data (e.g.: news, scoring figures, addresses),
sometimes with the possibility to enhance collected personal data.8) Outsourced business process layer — functional data processing either customer specific or as a
normalized offer to similar clients.9) Output service layer — services receiving customer data for the purpose of producing output media
(e.g.: photo calendars or marketing mails).10) Maintenance service layer — service reacting on demand of users and/or customers in order to
keep products and services usable over lifetime, including collect or bring-in services and device
swaps.11) Security as a service layer — semi-automated services evaluating systems, traffic and log entries in
order to detect, prevent or react on vulnerabilities and security breaches.12) Media recovery
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.