# Understanding ISO 31700-1:2023 and Its Impact on Consumer Privacy
In January 2023, ISO published ISO 31700-1:2023, *Consumer protection – Privacy by design for consumer goods and services – Part 1: High-level requirements*. The standard applies the Privacy by Design principle to goods and services intended for personal use; it addresses how such products are designed and operated for the consumer, not an organization's internal data-processing practices as such. But what does "Privacy by Design" actually mean, and how does this standard aim to shape the future of data protection?
## The Origin of the Privacy by Design Principle
To fully understand this standard, it helps to start from the Privacy by Design principle, formulated in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario. The principle holds that data protection must be built into products and services from the earliest design stages rather than bolted on afterwards: privacy is a central design requirement, not an optional add-on.
## Objectives of ISO 31700-1:2023
ISO 31700-1:2023 sets out a series of high-level requirements that organizations must meet in order to claim adherence to Privacy by Design. The requirements apply to consumer goods and services and take into account both end consumers and other stakeholders across the entire product lifecycle, from design and development through operation and eventual retirement.
It is important to clarify, however, that the standard focuses on processes rather than on specific technical security measures. Its requirements do not merely state what must be achieved; they describe how an organization should go about achieving it, and in doing so they directly shape corporate culture and development processes.
## Requirements and Processes: A Practical Guide
Each requirement in the standard is accompanied by explanations and guidance, giving companies a clear pathway to follow. For example, data access controls are mentioned not as standalone security measures but in the context of the technical competence expected of the professionals involved across the product lifecycle.
This approach allows designers and engineers to focus on a responsible, deliberate implementation of privacy, rather than retrofitting security measures once the product is already built.
## Practical Examples of Standard Application
In support of the standard, a second part, ISO/TR 31700-2:2023 (*Part 2: Use cases*), has been published. It contains three worked examples of how the ISO 31700-1 requirements apply to real scenarios:
1. **B2C Ecommerce**: An online retail platform, where the focus is on managing consumer data and consumer interactions through the platform.
2. **Gym**: A fitness centre introduces a service that collects members' performance data and delivers it through a mobile app, which calls for increased attention to data privacy and security.
3. **Smart Lock**: A physical security device controlled from a smartphone app, demonstrating how the requirements can be applied in an Internet of Things context, an area with its own distinct privacy challenges.
Not every requirement will necessarily apply to every product, but in practice most of them will need to be considered in any given case.
## Towards ISO 31700 Certification
At present, ISO 31700-1 does not define a certification scheme of its own; its requirements concern the product and its lifecycle, not the assessment of conformity. It falls to competent bodies to develop certification programs based on the standard, following the internationally recognized conformity-assessment standards for such schemes (for example ISO/IEC 17065, which governs bodies certifying products, processes and services). It will be essential for these programs to add requirements for the competence of assessment personnel, so that assessors can properly understand and evaluate the privacy practices built into a product.
The professionals responsible for verifying compliance with the requirements will need a combination of legal and technical expertise in order to navigate the complex landscape of privacy regulation and cybersecurity practice.
## Conclusions
The ISO 31700-1:2023 standard represents a significant step towards a future in which consumer privacy is at the heart of the design and development of products and services. With a focus on creating processes and integrating practices of…