Skip to Main Content
Main Menu
Standard

ISO 31700-01

The International Organization for Standardization (ISOP) 31700-01 focuses on consumer protection and provides high-level guidance and requirements for the implementation of privacy by design elements throughout the entire lifecycle of consumer products.

Who should use ISO 31700-01?

This voluntary international standard is directed to any organizations and third parties responsible for the concept, design, manufacturing, management, testing, operation, service, maintenance and disposal of consumer goods and services.

Key obligations of ISO 31700-01

Disposal and retention of consumer products

Consumer products shall only retain PII necessary to meet organizational needs. Companies must develop procedures for the responsible destruction of PII when the product reaches the end of its lifecycle (e.g., via deletion or anonymization). Destroy PII when it is not required to meet a business or legal requirement, and enable consumers to delete their PII stored on the product themselves.

Development of privacy controls within consumer products

Organizations should integrate privacy controls into the product’s development and management lifecycle to establish product privacy goals. Third-parties may be outsourced to aid in the development and integration of privacy controls. Third-party relationship policies must be established and their participation monitored for compliance. Consider the privacy needs and expectations of consumers throughout the development process and inform them on how to operate such controls.

Privacy risk assessments

Organizations should conduct privacy risk assessments before releasing a consumer product and on any third parties that intend to transfer personally identifiable information (PII) during the consumer product’s lifecycle.

Transparency

Organizations should provide consumers with transparency information regarding the product, including, but not limited to: the availability of and configuration options of privacy controls within the product, and products’ end-of-life withdrawal information (e.g. the entity will continue to retain and process PII).

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

FAQs

  • Are there access rights and/or other data subject rights that I must comply with?

    No. ISO 31700-01 does not establish requirements for entities to comply with data subject rights. Depending on the jurisdiction where processing occurs, it is advisable to comply with relevant data protection laws in the event a consumer requests to have access to PII about them held by an entity and/or within a product.

  • What are some technical security measures I must apply when developing consumer products?

    ISO 3700-01 does not provide granular security requirements. However, entities are recommended to create and maintain documented evidence demonstrating that the design and operation of product privacy controls are effective. Documented information may include: privacy risk assessment results, PII flow maps, functional and non-functional privacy requirements of consumer products, test results of products, and product privacy policies.

  • What does privacy by design mean?

    Privacy by design is a design methodology wherein elements of privacy are considered and incorporated into the initial design stage and throughout the entire product lifecycle and within processes or services that involve processing of PII.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top