Meet the new ISO 31700 standard for Privacy by Design (PbD)

Previously, privacy was frequently neglected in the creation of new products and services. However, this trend is changing as companies understand the importance and benefits of incorporating privacy from the start of development. An increasing number of companies acknowledge that including privacy in their offerings from the outset is ethical and beneficial for business success. Therefore, we expect to see a move towards a “Privacy by Design” method in 2023, where user privacy is prioritized throughout the entire product development process.

This is also reflected in the fact that Privacy by Design (PbD) is an ISO standard as of February 8th 2023 – ISO 31700. The publication provides high-level requirements, and although it will not be a conformance standard, it will bring a lot of value: It will help to bring uniformity to PbD by incorporating 30 requirements throughout the 32-page document. Also, once more, PbD’s benefits are mentioned in the publication’s introduction through three guiding principles: Empowerment and transparency; institutionalization and responsibility; and ecosystem and lifecycle.

The recently published ISO 31700 standard includes general guidance on

  • designing capabilities to enable consumers to enforce their privacy rights,
  • assigning relevant roles and authorities,
  • providing privacy information to consumers,
  • conducting privacy risk assessments,
  • establishing and documenting requirements for privacy controls,
  • how to design privacy controls,
  • lifecycle data management and preparation and
  • managing a data breach.

Generally, ISO 31700 provides high-level requirements and recommendations for organisations that use PbD in the development, maintenance and operation of consumer goods and services. These are based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

Privacy by Design applies to all products that use personally identifiable information (PII), whether physical goods or intangible services such as software-as-a-service (SaaS), or a combination of both. It is intended to be scalable.

While there is a wide range of use cases, the part 2 document of the ISO 31700 publication provides three example use cases to help better understand the implementation of the standard: the case of online retailing, the case of a fitness company and the case of smart locks for home front doors.

If you want to learn more about Privacy by Design, contact us for a free audit or demo!

Share this article


Article written by

Lisa Hofmann

Chief of Legal Operations at Pridatect | Certified legal specialist in data protection by the German security-related services institution TUEV. With extensive experience in assisting companies with privacy compliance.

Related articles



Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars