Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Standard

ISO 31700-01

The International Organization for Standardization (ISOP) 31700-01 focuses on consumer protection and provides high-level guidance and requirements for the implementation of privacy by design elements throughout the entire lifecycle of consumer products.

Who should use ISO 31700-01?

This voluntary international standard is directed to any organizations and third parties responsible for the concept, design, manufacturing, management, testing, operation, service, maintenance and disposal of consumer goods and services.

Key obligations of ISO 31700-01

Disposal and retention of consumer products

Consumer products shall only retain PII to what is necessary to meet organizational needs. Organizations should develop procedures for the responsible destruction of PII when the product reaches the end of its lifecycle (e.g. via deletion or anonymization), and destroy the PII when it is not required to meet a business or legal requirement and/or enable consumers to delete their PII stored on the product themselves.

Development of privacy controls within consumer products

Organizations should integrate privacy controls for the consumer product into the product’s development and management lifecycle in order to establish product privacy goals. Third-parties may be outsourced to aid in the development and integration of privacy controls, but third-party relationship management policies must be established and their participation must be monitored for compliance. When developing privacy controls, consider the privacy needs and expectations of consumers throughout the development process, and inform how they can operate such controls.

Privacy risk assessments

Organizations should perform privacy risk assessments prior to the release of a consumer product, and on any third-parties who intend to transfer personally identifiable information (PII) during the consumer product lifecycle.

Transparency

Organizations should provide consumers with transparency information regarding the product, including, but not limited to: the availability of and configuration options of privacy controls within the product, and products’ end-of-life withdrawal information (e.g. the entity will continue to retain and process PII).

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

PrivacyCentral

Privacy program development and compliance management

Automatically identify gaps and track compliance with PrivacyCentral for PC DSS v4.0, SOC2, ISO (e.g. 27701, 31700-01, 27550, etc.), NIST, and other privacy and security standards.
Nymity Research

Guidance and operational templates

Stay ahead of framework changes with expert guidance, ensuring your security and program practices remain compliant and up to date. Operationalize quickly with expert written operational templates for sample policies, checklists, training, and more.

Data Inventory Hub & Risk Profile

Complete risk management process

Automate your data inventory mapping with TrustArc’s Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.
Assessment Manager

Mitigate risks for vendor management

Use pre-built DPIAs, risk, and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

FAQs

  • Are there access rights and/or other data subject rights that I must comply with?

    No. ISO 31700-01 does not establish requirements for entities to comply with data subject rights. Depending on the jurisdiction where processing occurs, it is advisable to comply with relevant data protection laws in the event a consumer requests to have access to PII about them held by an entity and/or within a product.

  • What are some technical security measures I must apply when developing consumer products?

    ISO 3700-01 does not provide granular security requirements. However, entities are recommended to create and maintain documented evidence demonstrating that the design and operation of product privacy controls are effective. Documented information may include: privacy risk assessment results, PII flow maps, functional and non-functional privacy requirements of consumer products, test results of products, and product privacy policies.

  • What does privacy by design mean?

    Privacy by design is a design methodology wherein elements of privacy are considered and incorporated into the initial design stage and throughout the entire product lifecycle and within processes or services that involve processing of PII.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top