SIST EN 17529:2022
Data protection and privacy by design and by default
This document provides requirements for manufacturers and/or service providers to implement Data Protection and Privacy by Design and by Default (DPbDD) early in the development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.
The catalogue entry carries the same title and abstract in the other languages of the standard: German "Datenschutz by Design und als Grundeinstellung", French "Protection des données et de la vie privée dès la conception et par défaut" and Slovenian "Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto"; each of those abstracts is a translation of the English abstract above.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST EN 17529:2022
1 September 2022
Data protection and privacy by design and by default
(Slovenian title: Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto; German title: Datenschutz by Design und als Grundeinstellung; French title: Protection des données et de la vie privée dès la conception et par défaut)
This Slovenian standard is identical to: EN 17529:2022
ICS:
35.030 IT Security
SIST EN 17529:2022 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD EN 17529
May 2022
ICS 35.030
English version
Data protection and privacy by design and by default
(French title: Protection des données et de la vie privée dès la conception et par défaut; German title: Datenschutz by Design und als Grundeinstellung)
This European Standard was approved by CEN on 5 December 2021.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 17529:2022 E
EN 17529:2022 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms, definitions and abbreviations . 6
3.1 Terms and definitions . 6
3.2 Abbreviated terms . 7
4 General . 7
4.1 Preparing the grounds for data protection and privacy by design and by default . 7
4.2 Structure for disassembling product and service into applicable categories . 8
4.2.1 Introduction . 8
4.2.2 Product perspectives . 9
4.2.3 Service elements . 9
4.3 Self-declaration and levels of achievement . 10
5 Privacy-aware development of products and services . 12
5.1 Leadership and market intelligence . 12
5.2 Preparation . 13
5.3 Design . 13
5.3.1 Determination of DPPbDD requirements . 13
5.3.2 Development . 14
5.3.3 Production and service provision . 15
5.3.4 Release of products and services . 15
5.4 Performance evaluation . 15
5.5 Improvement . 15
6 Data protection capability requirements on the design of products and services . 15
6.1 Access . 15
6.1.1 Access to data . 15
6.1.2 Copy of data . 16
6.2 Accountability . 16
6.3 Accuracy . 17
6.4 Data de-identification . 18
6.5 Data minimization . 19
6.6 Data portability . 20
6.7 Confidentiality . 21
6.8 Erasure . 23
6.9 Consent and Children . 24
6.9.1 Determination of user age . 24
6.9.2 Configurable children age threshold . 24
6.10 Information security . 25
6.10.1 Unauthorized or unlawful processing . 25
6.10.2 Data loss . 28
6.10.3 Information protection targets . 29
6.10.4 Restore . 29
6.11 Lawfulness . 30
6.11.1 Data disclosure . 30
6.11.2 Consent . 30
6.12 Objection to processing . 31
6.13 Automated decision making . 32
6.14 Restriction of processing . 32
6.15 Storage limitation . 33
6.16 Transparency . 34
6.16.1 Information . 34
6.16.2 Record of processing activities . 37
7 Requirements to the self-declaration of privacy-aware design . 38
7.1 Process requirements . 38
7.1.1 Preparation based on the product perspective and service element requirements . 38
7.1.2 Additional considerations related to DPIAs . 38
7.1.3 Determination of the level of achievement . 38
7.2 Self-declaration statement . 39
Annex A (informative) Applicability mapping between Clause 6 requirements and
perspectives or elements . 41
Annex B (informative) Approach for a specification . 53
Annex C (informative) Guidelines related to EN ISO 9001 . 55
Annex ZA (informative) Relationship between this European Standard and the data
protection by design and by default requirements of Regulation EU 2016/679 aimed
to be covered . 60
Bibliography . 62
European foreword
This document (EN 17529:2022) has been prepared by WG 5 “Data Protection, Privacy and Identity
Management” of the CEN/CENELEC JTC 13 “Cybersecurity and Data Protection”, the secretariat of which
is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by November 2022, and conflicting national standards shall
be withdrawn at the latest by November 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared as part of the CEN/CLC JTC 13 work programme, not only as the first
deliverable called for by mandate M/530 given to CEN and CENELEC by the European Commission, but also
to be generic enough to be applicable to a variety of domains other than the security industry, which was
the focus of the mandate.
For relationship with EU Regulation(s), see informative Annex ZA, which is an integral part of this
document.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
Introduction
0.1 General
This document provides the component and subsystems developers with an early formalized process for
identification of privacy objectives and requirements, as well as the necessary guidance on associated
assessment. It further provides support for understanding the cascaded liability and obligation of
manufacturers and service providers (Reference to GDPR and as applicable reference to Article 25, as
well as to rules applicable to governmental applications).
The General Data Protection Regulation, in its Art. 25, charges data controllers, and implicitly
manufacturers, with implementing data protection by design and by default.
The aim of this document is to give requirements to manufacturers and/or service providers to
implement Data protection and Privacy by Design and by Default (DPPbDD) early in the development of
their products and services, i.e. before (or independently of) any specific application integration, to make
sure that they are as privacy ready as possible with regard to the anticipated markets.
The quality management system of EN ISO 9001 provides a process framework through which products
and services can incorporate Data protection and privacy by design. Annex C shows how EN ISO 9001 can
be interpreted and extended for use in this domain where necessary. Control objectives and requirements,
which the component manufacturer, software sub-system provider or sub-service provider may choose to
address, have been derived from the General Data Protection Regulation. These clauses are applicable to the
B2B market, since manufacturers composing these sub-components in larger systems will need to
understand the limits and capabilities of each component, as part of their system design. Finally, a self-
declaration mechanism is specified which can be used by component manufacturers and service
providers as part of their attestation to system integrators of the capabilities, protections and limitations
of that component or service.
For some purposes of processing and for some categories of personal data, a data protection impact
assessment (DPIA) according to EN ISO/IEC 29134 needs to be conducted and in addition to the
requirements given in this document, the treatment plan resulting from the DPIA needs to be fulfilled as
well.
This document is intended to be used by manufacturers, suppliers, hard- and software developers
providing products and services to system integrators who themselves intend to offer products and
services to be used by data controllers and data processors. It allows system integrators to select and
correctly use the offerings of sub-system and component suppliers and manufacturers when developing
systems that may have data protection requirements.
0.2 Compatibility with management system standards
This document applies the framework developed by CEN/CENELEC and ISO to improve alignment among
its Management System Standards. However, this document itself does not represent a Management
System standard.
This document supports an organization to align or integrate its development considerations on data
protection with the requirements of Management System standards.
1 Scope
This document specifies requirements for manufacturers and/or service providers to implement Data
protection and Privacy by Design and by Default (DPPbDD) early in their development of their products
and services, i.e. before (or independently of) any specific application integration, to make sure that they
are as privacy ready as possible. This document is applicable to all business sectors, including the security
industry.
2 Normative references
There are no normative references in this document.
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
data protection by design
technical and organizational measures designed to implement data protection principles
Note 1 to entry: The measures shall be implemented in an effective manner and integrate the necessary
safeguards into the processing.
3.1.2
data protection by default
technical and organizational measures for ensuring that only personal data which are necessary for each
specific purpose of the processing are processed
Note 1 to entry: Such measures should cover at least the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility.
3.1.3
data protection impact assessment
DPIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personal data, framed within an
organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29134:2017, 3.7.
3.1.4
privacy-aware
attribute of a product or service for the processing of personal data, meaning that data protection
requirements were considered in the design and pre-configuration and that privacy adverse functional
requirements were only made as far as necessary for the intended purpose of the product or service
3.1.5
special categories of personal data
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation
[SOURCE: GDPR Article 9, Clause 1]
3.2 Abbreviated terms
DPPbDD Data protection and Privacy by Design and by Default
DPIA Data protection impact assessment
GDPR EU General Data Protection Regulation 679/2016
GSMA Global system of mobile communication association
ISACA Information Systems Audit and Control Association
LoA Level of Achievement
4 General
4.1 Preparing the grounds for data protection and privacy by design and by default
Alongside the broadly formulated expectations in terms of protecting personal data during data
processing procedures, data protection and privacy by design and by default relate to the ability of the
intended technical systems and components to support this protection. Reference is made to
Recital 78, sentence 4, of the GDPR. Yet, manufacturers do not have an obligation under the GDPR.
Other instruments are therefore required to guide them in a process through which their products or
services are designed to be data protection and privacy by design and default friendly for a maximum
of use cases, as per the anticipated market. An underlying set of requirements consistent with the
company's quality process is detailed hereafter. The anticipated benefits are, for the end-users
(customers/data controllers), ease in implementing their privacy duties and, for the manufacturer, a
competitive edge.
The GDPR contains many legal provisions for consideration by data controllers and processors; such
provisions rely largely on the diverse functional and operational conditions in which it is anticipated that
the product or service will be used. In this context and to support the providers of products and services
in their assessment, the obligations of data controllers were generically analysed to determine whether
they contain, explicitly or implicitly, the need for functional capabilities in support of data controllers’
obligations.
The following principles are expected for data protection and privacy by design and by default:
1) DPPbDD should be proactive and preventative, not reactive and remedial.
2) Default settings and configuration should be secure and privacy-aware.
3) Data protection and privacy should be incorporated into design.
4) DPPbDD seeks full functionality in accommodation of legitimate interests and objectives, no trade-
offs.
5) DPPbDD should concern the entire data lifecycle.
6) DPPbDD should be visible and transparent and subject to independent verification.
7) The interests of the individual should be kept uppermost by offering strong defaults, appropriate
notice and be kept user-centric by offering user-friendly options, even if such provisions appear as
less privacy-friendly.
8) DPPbDD controls should be effective.
9) DPPbDD measures should be designed to be robust and be able to scale up in accordance with
increases in risk of breach of the data protection principles.
10) DPPbDD measures should be regularly assessed.
Understood in the widest possible sense, data protection by design requires consideration not only of
the moment of supply and provision: the whole lifecycle of both the personal data and the product and/or
service needs to be considered as well.
Special attention should be paid to maintenance activities as well as to the general conditions under
which a reuse of products could happen. Furthermore, the service includes the operation of processing
as a processor on the data controller's behalf. Some requirements of this document will draw attention to
these scenarios.
If the service provider needs to be seen as a data controller, additional organizational and technical
measures should be put into place and be governed by an appropriate management system, e.g.
EN ISO/IEC 27701. These organizational and technical measures are out of scope for this document.
This document provides in 4.2 a structure for splitting up integrated products and services into layers,
which may be used to modularize them into building blocks that need to fulfil the same set of requirements.
Any reasonable approach may be taken to describing the system architecture, provided it allows a
mapping of the data protection concerns onto the architecture. When designing a major component from
sub-systems and services, it may be necessary for the overarching system architecture decomposition to
leverage the descriptions of the included components. Such approaches may draw on opaque or
transparent models for the component elements. In 4.3 the conformity scheme for a self-declaration is
provided.
In Clause 5, the requirements for an exemplar process of privacy-aware development of products and
services are provided.
In Clause 6, there are basic requirements on the design of products and services provided. Application is
specified to the respective product perspectives and service elements specified in 4.2 and control
objectives give reference to the GDPR.
Clause 7 provides guidelines to the process of self-declaration and the requirements to determine the
level of achievement.
In Annexes A, B and C, detailed information is given on the mapping of basic requirements to product
perspectives or service elements, on the definition of privacy by design, and on guidance for applying
EN ISO 9001 as a management system to the development. Additionally, Annex ZA contains the
conformity statement for EU Mandate M/530.
4.2 Structure for disassembling product and service into applicable categories
4.2.1 Introduction
As it does not seem practical to build requirements directly for products and services, which can differ
greatly in submodule assembly, architecture and bundling, a set of module categories is specified in the
next two clauses. Any complex product or service under this document can be decomposed into
component parts or layers. These can be used to represent products and services. The structural
decomposition is divided into product and service issues for ease of description.
4.2.2 Product perspectives
The module categories, of which a product can consist, are specified as follows:
1) Component perspective — mainly physical submodules like microprocessors and microcontrollers,
DRAM modules, interface controllers, media drives, physical storage media, sensors, actuators or
power supply. This perspective can include connectivity drivers and small programs, e.g. for
upgrading or dynamic connection.
2) Device perspective — bare bone with chassis, shielding, display, keyboards and casing. The device
perspective integrates components from the component perspective and adds programs for
BIOS and boot capabilities.
3) Operating system perspective — software perspective with programs supporting the configuration
of the device, the basic interaction with the user (like keyboard input and output via display or
printer), the support of user authentication, the administration of the device itself and its
interconnectivity with networks, and with tools supporting local activities on the device.
4) Communication perspective — connectivity components emulating physical links (wired or
wireless) for the purpose of information transmission. This perspective is similar to the component
perspective, but differs regarding specific concerns related to the aspect of the network it builds.
5) Storage perspective — logical perspective for the management of storage locations on connected
physical storage media via the component perspective. This includes locally or remotely connected
media, RAID or cluster architectures, NAS or SAN concepts as well as file servers and cloud storage.
6) User interface perspective — logical perspective for the management of user interaction with a
device or service, which is not part of the operating system perspective. This perspective also includes
portals and, up to a certain degree, content management systems.
7) Integrated system perspective — this perspective applies when a product is an integration of more
than one device. It requires a communication model between the devices with specified protocols
and transmission management. Integrated systems are expected to demonstrate the capabilities and
default settings for appropriate network security.
8) Application perspective — software perspective providing the expected functionality of a device or
an integrated system.
9) Business process perspective — logical perspective above the application perspective that
manages information exchange between many devices, integrated systems or even organizations.
10) System management perspective — logical perspective for the management of operation and
information security regarding the devices, integrated systems, applications, storage and/or
communication flows.
4.2.3 Service elements
The module categories, of which a service can consist, are specified as follows:
1) Service management element — human-based service of configuration, operation control and
incident response.
2) Self-service element — application service to provide the customer or the user with tools to configure
other product or service elements.
3) Integration service element — customer specific service of making subsystems interoperable,
normally organized within a dedicated project under a customer specified management framework.
4) Transmission service element — service that interconnects tra
...
SLOVENIAN STANDARD
oSIST prEN 17529:2020
1 September 2020
Data protection and privacy by design and by default
(Slovenian title: Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto; German title: Datenschutz by Design und als Grundeinstellung; French title: Protection des données et de la vie privée dès la conception et par défaut)
This Slovenian standard is identical to: prEN 17529
ICS:
35.030 IT Security
oSIST prEN 17529:2020 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
DRAFT EUROPEAN STANDARD prEN 17529
June 2020
ICS 35.030
English version
Data protection and privacy by design and by default
(French title: Protection des données et de la vie privée dès la conception et par défaut; German title: Datenschutz by Design und als Grundeinstellung)
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. prEN 17529:2020 E
prEN 17529:2020 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms, definitions and abbreviations . 6
3.1 Terms and definitions . 6
3.2 Abbreviated terms . 7
4 General . 7
4.1 Preparing the grounds for data protection and privacy by design and by default . 7
4.2 Structure for disassembling product and service into applicable categories . 8
4.2.1 Introduction . 8
4.2.2 Product layers . 8
4.2.3 Service layers . 9
4.3 Self-declaration and levels of achievement . 10
5 Process for a privacy aware development of products and services . 11
5.1 Leadership and market intelligence . 11
5.2 Preparation . 12
5.3 Design . 12
5.3.1 Determination of DPbPP requirements . 12
5.3.2 Development . 13
5.3.3 Production and service provision . 14
5.3.4 Release of products and services . 14
5.4 Performance evaluation . 14
5.5 Improvement . 14
6 Basic requirements on the design of products and services . 14
6.1 Access . 14
6.1.1 Access to data . 14
6.1.2 Copy of data . 15
6.2 Accountability . 16
6.3 Accuracy . 16
6.4 Data de-identification . 17
6.5 Data minimization . 18
6.6 Data portability . 19
6.7 Confidentiality . 20
6.8 Erasure . 22
6.9 Fairness . 23
6.9.1 Determination of user age . 23
6.9.2 Configurable children age threshold . 24
6.10 Information security . 24
6.10.1 Unauthorized or unlawful processing . 24
6.10.2 Data loss . 27
6.10.3 Information protection targets . 28
6.10.4 Restore . 28
6.11 Lawfulness . 29
6.11.1 Data disclosure . 29
6.11.2 Consent . 29
6.12 Objection to processing . 30
6.13 Automated decision making . 31
6.14 Restriction of processing . 31
6.15 Storage limitation . 32
6.16 Transparency . 33
6.16.1 Information . 33
6.16.2 Record of processing activities . 35
7 Requirements to the self-declaration of privacy aware design . 36
7.1 Process requirements . 36
7.1.1 Preparation based on the product and service layer requirements . 36
7.1.2 Preparation additionally based on conduction of a DPIA . 37
7.1.3 Determination of the level of achievement . 37
7.2 Self-declaration statement . 38
Annex A (informative) Applicability mapping between Clause 6 requirements and layers . 39
Annex B (informative) Approach for a definition . 49
Annex C (informative) Guidelines related to EN ISO 9001 . 51
Annex ZA (informative) Relationship between this European Standard and the data
protection by design and by default requirements of Regulation EU 2016/679 aimed
to be covered . 56
Bibliography . 58
European foreword
This document (prEN 17529:2020) has been prepared by WG 5 “Data Protection, Privacy and Identity
Management” of the CEN/CENELEC JTC 13 “Cybersecurity and Data Protection”, the secretariat of
which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN and CENELEC by the European
Commission and the European Free Trade Association. This project is developed as part of
CEN/CLC/JTC 13 work programme in fulfilment of Standardization Request M/530.
For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this
document.
Introduction
0.1 General
This document provides the component and subsystems developers with an early formalized process
for identification of privacy objectives and requirements, as well as the necessary guidance on associated
assessment. It further provides support for understanding the cascaded liability and obligation of
manufacturers and service providers (Reference to GDPR and as applicable reference to Article 23, as
well as to rules applicable to governmental applications).
The General Data Protection Regulation, in its Art. 25 charges data controllers, and implicitly
manufacturers, with implementing Data Protection by design and by default. The aim of this document
is to give requirements to manufacturers and/or service providers to implement Data protection and
Privacy by Design and by Default (DPbDD) early in the development of their products and services, i.e.
before (or independently of) any specific application or integration, to make sure that they are as
privacy ready as possible with regard to the anticipated markets.
The quality management system of EN ISO 9001 provides the framework for the process of providing
products and services that incorporate Data protection and privacy by design. Enhancements are made
to EN ISO 9001 where necessary. Additionally, and as applicable in this preliminary generic phase for
the product or service, specific control objectives and requirements were derived from the General Data
Protection Regulation, which the respective supplier or service provider is expected to fulfil. Finally, a self-
declaration mechanism is defined to be applied, where feasible given the variety of anticipated use
cases, to accordingly designed products and services in order to provide orientation to data
controllers, to data subjects and to society.
For some purposes of processing and for some categories of personal data, a data protection impact
assessment (DPIA) according to EN ISO/IEC 29134 needs to be conducted; in addition to the
requirements given in this document, the treatment plan resulting from the DPIA needs to be fulfilled
as well.
This document is intended for use by manufacturers, suppliers, hardware and software developers and
system integrators providing products and services for use by data controllers, and for use by
controllers when selecting products and services for data processing.
0.2 Compatibility with other management system standards
This document applies the framework developed by CEN/CENELEC and ISO to improve alignment
among its Management System Standards.
This document enables an organization to align or integrate its development considerations on data
protection with the requirements of other Management System standards.
1 Scope
This document provides requirements for manufacturers and/or service providers to implement Data
protection and Privacy by Design and by Default (DPbDD) early in their development of their products
and services, i.e. before (or independently of) any specific application integration, to make sure that
they are as privacy ready as possible. The document will be applicable to all business sectors, including
the security industry.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN ISO/IEC 29134, Information technology — Security techniques — Guidelines for privacy impact
assessment (ISO/IEC 29134)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1.1
data protection by design
technical and organisational measures designed to implement data protection principles
Note 1 to entry: The measures shall be implemented in an effective manner and shall integrate the necessary
safeguards into the processing.
3.1.2
data protection by default
technical and organisational measures for ensuring that only personal data which are necessary for
each specific purpose of the processing are processed
Note 1 to entry: Such measures should cover at least the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility.
3.1.3
data protection impact assessment
DPIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personally identifiable
information, framed within an organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29134:2017, 3.7.
3.1.4
special categories of personal data
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation
[SOURCE: GDPR Article 9, Clause 1]
3.2 Abbreviated terms
DPbDD Data protection and Privacy by Design and by Default
DPIA Data protection impact assessment
GDPR EU General Data Protection Regulation
GSMA Global system of mobile communication association
ISACA Information Systems Audit and Control Association
LoA Level of Achievement
4 General
4.1 Preparing the grounds for data protection and privacy by design and by default
Alongside the broadly formulated expectations in terms of protecting personal data during data
processing procedures, Data protection and privacy by design and by default relate to the ability of the
intended technical systems and components to support this protection. Yet, manufacturers do
not have an obligation under the GDPR. Other instruments are therefore required to guide them in a
process through which their products or services are designed to be Data protection and privacy by
design and by default friendly for a maximum of use cases, as per the anticipated market. An underlying set
of requirements consistent with the company’s quality process is detailed hereafter. The anticipated
benefits are, for the end-users (customers/data controllers), ease of implementing their privacy duties and,
for the manufacturer, a competitive edge.
The GDPR contains many legal provisions for consideration by data controllers and processors; such
provisions rely largely on the diverse functional and operational conditions in which it is anticipated
that the product or service will be used. In this context, and to support the providers of products and
services in their assessment, the obligations of data controllers were generically analysed as to whether they
contain, explicitly or implicitly, the need for functional capabilities in support of the data controllers'
obligations.
The following principles will be considered foundational for Data protection and privacy by design and
by default:
1) DPbDD shall be proactive and preventative, not reactive and remedial.
2) Default settings and configuration shall be secure and privacy-aware.
3) Data protection and privacy shall be incorporated into design.
4) DPbDD seeks full functionality in accommodation of legitimate interests and objectives, with no trade-offs.
5) DPbDD will concern the entire data lifecycle.
6) DPbDD shall be visible and transparent and subject to independent verification.
7) The interests of the individual should be kept uppermost by offering strong defaults, appropriate
notice and be kept user-centric by offering user-friendly options, even if such provisions appear as
less privacy-friendly.
8) DPbDD measures shall be effective.
9) DPbDD measures shall be designed to be robust and be able to scale up in accordance with
increases in risk of breach of the data protection principles.
10) DPbDD measures shall be regularly assessed.
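Principle 2 and the definition in 3.1.2 (Note 1) name four dimensions that a privacy-aware default must limit: the amount of data collected, the extent of processing, the storage period and accessibility. The following is an added example, not code from EN 17529, showing how a component can enforce those limits as defaults rather than leave them to the integrator; the purpose names, fields, roles and retention values are constructed, and the special-category list is a subset of 3.1.4.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Special categories of personal data (3.1.4): refused unless a purpose opts in.
SPECIAL_CATEGORIES = frozenset({"health", "biometric_id", "genetic", "ethnic_origin"})


@dataclass(frozen=True)
class Purpose:
    """Per-purpose limits on the dimensions named in 3.1.2 Note 1."""
    fields: frozenset          # amount of personal data collected
    retention: timedelta       # period of storage
    readers: frozenset         # accessibility: roles allowed to read
    special_allowed: bool = False  # explicit opt-in for special categories


# Constructed privacy-aware default: two fields, 30 days, owner-only access.
DEFAULT_PURPOSES = {
    "diagnostics": Purpose(frozenset({"device_id", "error_code"}),
                           timedelta(days=30), frozenset({"owner"})),
}


class DataStore:
    """Store that enforces the purpose limits rather than trusting callers."""
    def __init__(self, purposes=None):
        self.purposes = dict(DEFAULT_PURPOSES if purposes is None else purposes)
        self.records = []  # (purpose, data, expiry)

    def collect(self, purpose, record, now=None):
        """Keep only the fields the purpose needs; an unknown purpose collects nothing."""
        p = self.purposes[purpose]  # KeyError: no declared purpose, no processing
        kept = {k: v for k, v in record.items() if k in p.fields}
        if not p.special_allowed and SPECIAL_CATEGORIES.intersection(kept):
            raise PermissionError("special category data refused by default")
        now = now or datetime.now(timezone.utc)
        self.records.append((purpose, kept, now + p.retention))
        return kept

    def read(self, purpose, role, now=None):
        """Return unexpired records of one purpose, only to an allowed role."""
        if role not in self.purposes[purpose].readers:
            raise PermissionError(f"role {role!r} may not read {purpose!r} data")
        now = now or datetime.now(timezone.utc)
        return [d for pur, d, exp in self.records if pur == purpose and exp > now]

    def purge(self, now=None):
        """Erase records past their retention; returns how many were erased."""
        now = now or datetime.now(timezone.utc)
        before = len(self.records)
        self.records = [r for r in self.records if r[2] > now]
        return before - len(self.records)
```

Widening any dimension (an extra field, a longer retention, another reader role, a special category) requires declaring a new `Purpose`, which is the point of "by default": the integrator must opt in to more processing rather than opt out of it.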
When understanding data protection by design in the widest possible sense, consideration needs to be
given not only to the moment of supplying and providing. The whole lifecycle of both the personal data
and the product and/or service needs to be considered as well.
Special attention should be drawn to maintenance activities as well as to the framework conditions under
which a reuse of products could happen. Furthermore, the service includes the operation of processing
as a processor on the data controller's behalf. Some requirements of this document will draw attention to
these scenarios.
If the service provider needs to be seen as a data controller himself, additional organizational and
technical measures should be put into place and be governed by an appropriate management system,
e.g. EN ISO/IEC 27701. These organizational and technical measures are out of scope for this
document.
This document provides in 4.2 a structure for splitting up integrated products and services into layers,
which may be used to modularize them into building blocks that need to fulfil the same set of
requirements. In 4.3 the conformity scheme for a self-declaration is provided.
In Clause 5, the requirements for a process of privacy aware development of products and services are
provided.
In Clause 6, there are basic requirements on the design of products and services provided. Application
is specified to the respective product and service layers defined in 4.2 and control objectives give
reference to the GDPR.
Clause 7 provides guidelines to the process of self-declaration and the requirements to determine the
level of achievement.
In Annexes A, B and C, detailed information is given on the mapping of basic requirements to
product or service layers, on the definition of privacy by design, and on guidance for applying ISO 9001
as a management system for the development. Additionally, Annex ZA contains the conformity
statement for EU Mandate M/530.
4.2 Structure for disassembling product and service into applicable categories
4.2.1 Introduction
As it does not seem practical to build requirements directly for products and for services, which can
differ greatly in submodule assembly, architecture and bundling, a set of module categories is defined in
the next two clauses. Any market product or service under this document needs to be seen as a
combination of some of these categories, in the sense of adding layers to get the full picture.
Therefore, the terms “product layer” and “service layer” will be used for these categories.
4.2.2 Product layers
The module categories, of which a product can consist, are defined as follows:
1) Component layer — mainly physical submodules like microprocessors and microcontrollers,
DRAM modules, interface controllers, media drives, physical storage media, sensors, actuators or
power supply. This layer can include connectivity drivers and small programs, e.g. for upgrading
or dynamic connection.
2) Device layer — bare-bones hardware with chassis, shielding, display, keyboards and casing. The device layer
integrates components from the component layer and adds programs for BIOS and boot
capabilities.
3) Operating system layer — software layer with programs supporting the configuration of the device,
the basic interaction with the user, like keyboard input and output via display or printer, the
support of user authentication, the administration of the device itself and its interconnectivity with
networks and with tools supporting local activities on the device.
4) Communication layer — Connectivity components emulating physical links (wired or wireless) for
the purpose of information transmission. This layer is similar to the component layer, but differs
regarding specific concerns related with the aspect of the network it builds.
5) Storage layer — logical layer for the management of storage locations on connected physical
storage media via the component layer. This includes locally or remotely connected media, raid or
cluster architectures, NAS or SAN concepts as well as fileservers and cloud storage.
6) User Interface layer — logical layer for the management of user interaction with a device or service,
which is not on Operating system layer. This layer also includes portals and, up to a certain degree,
content management systems.
7) Integrated system layer — this layer applies, when a product is an integration of more than one
device. It requires a communication model between the devices with specified protocols and
transmission management. Integrated systems shall demonstrate the capabilities and default
settings for an appropriate network security.
8) Application layer — software layer providing the expected functionality of a device or an integrated
system.
9) Business process layer — logical layer above the application layer that is managing information
exchange between many devices, integrated systems or even organisations.
10) System management layer — logical layer for the management of operation and information
security regarding the devices, integrated systems, applications, storage and/or communication
flows.
4.2.3 Service layers
The module categories, of which a service can consist, are defined as follows:
1) Service management layer — human based service of configuration, operation control and incident
response.
2) Self-service layer — application service to provide the customer or the user with tools to configure
other product or service layers.
3) Integration service layer — customer specific service of making subsystems interoperable,
normally organized within a dedicated project under a customer defined management framework.
4) Transmission service layer — service that interconnects transmission lines across organizational
borders.
5) Update service layer — program code updates provided proactively by humans, reactively by
automation, or by only making the updates available for download.
6) Cloud service layer — service providing operation facilities either on infrastructure level or on
application level.
7) Content service layer — service providing additional data (e.g.: news, scoring figures, addresses),
sometimes with the possibility to enhance collected personal data.
8) Outsourced business process layer — functional data processing either customer specific or as a
normalized offer to similar clients.
9) Output service layer — services receiving customer data for the purpose of producing output media
(e.g.: photo calendars or marketing mails).
10) Maintenance service layer — service reacting to demands from users and/or customers in order to
keep products and services usable over their lifetime, including collect or bring-in services and device
swaps.
11) Security as a service layer — semi-automated services evaluating systems, traffic and log entries in
order to detect, prevent or react to vulnerabilities and security breaches.
12) Media recovery
...