For those keeping up, there has been a lot of activity in Privacy by Design (PbD) standardization. Earlier this year, both the Institute of Operational Privacy Design (IOPD) and the International Organization for Standardization (ISO) released standards. The IOPD released its Design Process Standard (the “IOPD Standard”) and ISO released ISO 31700-1: Consumer Protection – Privacy by Design for Consumer Goods and Services (the “ISO Standard”). As the name of the IOPD Standard implies, it covers the necessary components to incorporate privacy considerations into an organization’s design “process,” whether the design of a product, service, or business process. The ISO Standard sets the organizational context for privacy as an overlap to the Software Development Life Cycle (SDLC), not limited to any specific stage. This blog looks at both standards, comparing and contrasting the two. We’ll look at a few key areas. To start with, the IOPD Standard is a conformance standard, which means that an organization will be able to certify that it follows the standard. For each component, the standard provides evidence and evaluation criteria. Currently, the IOPD is developing the certification process and looking for beta companies that wish to apply for early consideration. If you’re interested, please reach out. The ISO Standard was not developed as a conformance standard. The requirements are high-level, thus providing too much subjectivity in any evaluation.
Another point of distinction, the ISO Standard is focused specifically on consumers and the Business to Consumer (B2C) model, whereas the IOPD Standard is broad and allows for consideration of risks to all individuals affected by the systems of all types of organizations, including, but not limited to, those operating in B2C, Business to Business (B2B), government, employment, and nonprofits contexts. Businesses focused on the consumer market could thus apply both standards, but those with non-consumer mandates would need to use the IOPD Standard.
While both standards use the term “requirements” and the importance of them incorporating privacy, the term is used differently in each standard. We think understanding this distinction is important. Using “requirements” correctly and concurrently is one of the ways these two standards can work together. The ISO Standard features 27 high-level technical and business specific privacy-related requirements for the organization wishing to apply the standard. Most of the requirements start out with “The organization shall…” One example is:
“The organization shall determine consumer needs related to the processing of their PII by products designed and developed for consumers.”
The standard goes on to provide a detailed explanation and guidance. Some of the ISO Standard business requirements actually require specific system-level requirements. “The organization shall design consumer-configurable privacy settings and privacy management measures taking account of the capabilities of consumers and their potential disabilities.” This describes a business requirement (a part of the design process) to include a feature (a system requirement of the product or service being designed). This latter use of the word requirement comports with the use of the term in the IOPD Standard, namely to describe the functional and non-functional requirements of the system (product, service, or business process) being designed. Because the IOPD Standard states that an organization should establish requirements but doesn’t define what they are, an organization could use some of the ISO Standard’s requirements, namely those, like the one above, that require system requirements. It can get confusing, hence why it’s important to elucidate the distinction.
Note, what the ISO Standard calls a requirement (a necessary element for the organization to follow the standard), the IOPD Standard refers to as a component ( a “necessary” component the organization’s design process must have).
Accountability is a hallmark of good business governance and a key aspect of successful privacy programs. Both standards require accountability, though they approach it slightly differently. The ISO Standard requires an accountable person for the overview of the product life cycle (4.5.1) and for each function in the design or operation of privacy controls (4.6.1). The IOPD Standard takes a little more holistic and organizational approach and requires accountability as a prerequisite at the governance level, stating that there must be “ownership or accountability for each of the design process points.” This highlights the differences and points to the compatibility of the two. The IOPD Standard presumes good governance as a prerequisite, whereas the ISO Standard includes more granular organizational features as part of their requirements set. Similar to how specific system level requirements from the ISO Standard can be used for those applying the IOPD Standard, the relevant organizational requirements could be used as evidence of meeting the IOPD Standard for governance.
Both standards take privacy risk into consideration but, as you might suspect, approach it slightly differently. The IOPD Standard is centered on risk and avoiding or mitigating risks to individuals. The IOPD Standard bakes this concept into the standard by requiring a defined risk model at the outset that enables the organization to consistently evaluate risk across all different systems. The risk model must identify threats, vulnerabilities, adverse consequences to people, and quantitative or qualitative means of measuring the likelihood and severity of those consequences. Measurement is key because organizations must also determine their risk tolerance and appetite to compare whether the risk exceeds that tolerance. While the ISO Standard requires privacy risk management, including conducting a risk assessments, that requirement is vague and relates to its definition (“effect of uncertainty on privacy”). Here, in contrast to the above discussions, the IOPD Standard can support the ISO Standard by providing a specific approach, requiring first a risk model, then a risk assessment (contextualizing factors from the model, eliciting issues, assessing the risk) and finally, responding to the risk through system design.
The difference in the two standards reflects where they are primarily used in the SDLC. The ISO Standard primarily occurs during requirement gathering and the design phases. Whereas the IOPD Standard is an overlay across all phases of the life cycle: requirements gathering, design, build, verification, and production.
While taking different approaches, the two standards are complementary in nature and elements from each can be used to support the other. Obviously, we here at the IOPD have our preferences, but we’re glad to see that the two standards are not in conflict and will ultimately help to bring about a more privacy-friendly world.
|
|
ISO Standard |
IOPD Standard |
Notes |
|
Date of Adoption |
8-Feb-23 |
1-Jan-23 |
Both were released in early 2023. |
|
Target |
Organizational operations, including product/service lifecycle |
Product/service lifecycle |
The ISO and IOPD Standards are complementary in this regard, with elements of the ISO Standard being useful as evidence for meeting the IOPD Standard. |
|
Conformance Standard |
No |
Yes |
The IOPD Standard is meant for companies to certify against, and the ISO Standard does not include evidence and evaluation criteria. |
|
Individual of Concern |
Consumers |
Consumers, employees, prospects, bystanders, data subjects, and any other individual put at risk through the product/service. |
The IOPD Standard concerns a much broader set of at-risk individuals. |
|
Applicability |
Business to Consumer (B2C) |
B2C, Business to Consumer, Government, Non-Profit, and others |
The IOPD Standard is broader in applicable markets. |
|
Scope |
Consumer goods and services that process PII |
All products, services, and business processes that affect an individual’s privacy |
The IOPD Standard is broader in scope. |
|
Privacy Model |
PII processing |
Includes informational, bodily, personal autonomy, and physical space privacy |
The ISO Standard is limited to just PII processing |
|
Accountability |
Accountable person |
Accountability through governance |
The ISO and IOPD Standards are complementary in this regard with the ISO Standard being used as evidence for meeting the IOPD Standard. |
|
Risk |
Requires risk management |
Specifies a risk management approach |
The ISO and IOPD Standards are complementary in this regard with the IOPD Standard being used as evidence for the risk management requirement of the ISO Standard. |
One Response