The Institute of Operational Privacy Design (IOPD) is dedicated to promotion and adoption of privacy design standards for organizations.  Today, the IOPD is putting forth a draft of it’s first standard, the IOPD Design Process Standard, for how to implement and measure a company’s compliance with privacy by design requirements that are found in some of the privacy regulations and laws.  The industry has long known that the groundbreaking Privacy by Design Principles, which Dr. Ann Cavoukian put forth over 20 years ago, needed a tangible implementation process to operationalizes.  The IOPD created this.  The Standard is the industry’s first repeatable and comprehensive design process standard for a company to consistently reduce privacy risks in their products, services and business processes.

Most companies build their products with a fairly low level of integration of privacy risks. They implement organizational and technical measures because others have implemented those some measures. However, there is rarely introspection into whether those measures are optimal given the design goals of their services and the privacy risks generated.

The goal of the Standard is to help engineers, product managers, and other decision makers understand how to protect the individuals in their ecosystem and how to accurately assess the privacy risks to those individuals – thus achieving privacy by design.  The Standard breaks the design process into different components with implementing guidance, suggested evidence, and measure statements, like controls, for each one.  Each component builds upon the next to help an organization ensure that they have sufficiently and effectively considered appropriate threats, vulnerabilities, and adverse consequences to properly evaluate the privacy risk and implement the right strategies and controls to reduce it. The goal of the Standard is not be a prescriptive means of achieving privacy by design but an outline of the necessary components with a way of assessing the effectiveness of those components no matter how the organization’s design process flows.

The Standard contains two domains: prerequisites and design process.  The prerequisites domain requires that the company have in place the Governance to successfully integrate privacy into the design of systems (be they products, services, or business processes) AND have defined a Risk Model, which focuses on risks to the individual, to consistently evaluate the organization’s risk posture.   The design process domain includes the following six subcomponents:

1. Identify and Document Target;
2. Identify and Document Requirements;
3. Perform Trade Off Analysis;
4. Manage Privacy Risks;
5. Verify Context and Requirements; and
6. Monitor Context. 

Each of these components provides an objective and description which helps the organization understand the goal of the component and implementing guidance that helps the organization realize what they need to put in place to meet the Standard.

Everyone knows that, we are only as good as the weakest link in our business; be it the strength of our executive team, our employees, our supplies, our security, or our privacy.  A failure in any of these can cause business disruption.  So, the IOPD created a standard which is attainable for all organizations – both big and small.  The Standard is not prescriptive.  For example, it allows an organization to either be formal when selecting its Risk Model using something like FAIR (Factors Analysis of Information Risk) or informal by allowing the organization to create its own Risk Model. As long as the organization uses the Risk Model consistently and can prove a repeatable process, it will conform to the Standard.  The same is true for the component related to conducting Trade-Off Analysis.  The organization can either use industry standard tools like decision trees, influence diagrams, pro/cons comparison, and Borda counting or one they develop in-house.  The goal is to ensure that it provides consistent results for each use.

Keeping all this in mind, the IOPD hopes that organizations, individuals, and regulators alike embrace the Standard and continue to mature data protection for all people while progressively reducing global privacy harms.  Check out https://instituteofprivacydesign.org/certification-standard/ for more information.

If you would like to provide simple feedback on the draft, please contact us at https://instituteofprivacydesign.org/contact-us/ For more in depth comments, please use our comment spreadsheet and submit comments to info-A6w88ee@instituteofprivacydesign.org. Comment are being solicited through October 31st, 2022.