Architecture is Everything as ‘Privacy by Design’ Becomes an ISO Standard

On February 8, Privacy by Design (PbD) officially became an international privacy standard—but the architecture you use to operationalize its principles may matter as much as the standard itself.

To be sure, reports that the International Organization of Standardization (ISO) would adopt PbD as a standard as ISO 31700 was, as the kids like to say, kind of a big deal.

PbD calls for privacy protection to be engineered into the development of products, services, and system designs from the ground up—instead of after the fact. This includes websites, mobile apps, and software used to make an online purchase, open or access a bank account, arrange or coordinate healthcare, access government services, and countless other facets of everyday life.

First unveiled in 2009, Privacy by Design has been adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities and incorporated in the European General Data Protection Regulation (GDPR). But adoption by the ISO marks a significant new milestone.

This network of 167 national standards bodies sets nearly 25,000 different standards covering almost all aspects of technology—including ISO 27001 for information security management systems. Some of these standards are sufficiently critical that organizations can be certified for compliance with them after passing a review from PwC, Deloitte, and other major audit firms.

But to be successful, organizations looking to implement ISO 31700 are going to have to think about the bigger picture.

Privacy by Design: 14 Going on 30

To understand why, let’s start with the basics. Privacy by Design isn’t a list of technological components. It’s a set of seven core principles. Chief among them is that data compromise isn’t something you respond to—it’s something you prevent.

With that in mind, maximum privacy should be your default setting, not an afterthought. And you should collect only the absolute minimum amount of personally identifiable information PII and other data as necessary; use it only for the purposes the user has expressly approved, and keep it only as long as needed for those purposes.

In short: Forget the false tradeoff between security and ease of use. PbD is predicated on the notion that the onus shouldn’t be on consumers to protect their identity and other personal data when buying or accessing a product or service. Instead, privacy should be as foundational to UX as friction-free functionality.

ISO 31700 goes even further. Leveraging PbD’s 14-year-old principles as a foundation, it outlines a more detailed set of 30 requirements. As ISONews.Net reports, these include guidance on enabling consumers to control and enforce their privacy rights, lifecycle data management, corporate governance, avoiding or mitigating a data breach—and more.

Translating these guidelines into the design of each new consumer-facing site, product, app, and service across the enterprise will be challenging. Without the right architecture, it’s likely to be impossible.

An Architecture Built for (And With) PbD

The 30 requirements of ISO 31700 necessitate an architectural backbone capable of supporting and managing countless moving parts across all products, services, channels, and more—all the time.

An architecture that’s able to facilitate fast, convenient, and fully-authenticated consumer interactions and transactions—without requiring personal data to be stored on servers where it can be hacked and either ransomed or used to commit fraud. One that no longer even requires passwords—leveraging biometrics and liveness tests that defeat virtually any attempt at identity spoofing.

Using our BlockID platform as an example, our entire architecture is based on, and amplifies, the principles of Privacy by Design, giving each user full control of his identity and personal data—how it’s used, how it’s stored, and for how long. Beyond avoiding data theft, this enables users to authenticate their identity without sharing information that might lead to decisioning bias or false matches based on incomplete, out-of-date, or incorrect information stored in other systems.

Obviously, any architecture designed for PbD is only as good as its ability to keep the wrong people from infiltrating corporate systems and accounts. That’s why our platform is also NIST-, FIDO2-, and iBeta biometrics-certified to ensure the authenticity of each user in real time.

Going From Zero-Sum to Win-Win

The need for Privacy by Design and other security standards couldn’t be clearer. Over the past year, traditional forms of multifactor authentication (MFA) proved unable to prevent a record number of data breaches and more than $52 billion in direct financial losses just the US. Thanks to 24 billion recently stolen login credentials available on the dark web, prospects for 2023 aren’t promising.

But here’s the thing. Those who argue that fending off such threats requires a tradeoff with user experience are blind to the groundswell behind movements like Privacy by Design and now ISO 31700. Organizations that work toward meeting this new standard aren’t doing it merely to meet performance objectives or comply with regulatory mandates. It’s becoming a competitive differentiator.

According to a recent survey from Google and Ipsos, a negative privacy experience involving a data breach can erode brand trust by as much as 44%. By comparison, businesses providing a positive privacy experience can increase brand preference by 43%. And 71% of consumers prefer to buy from brands that are honest about what data they collect and why. With consumer sentiment like that, don’t be surprised if ISO 31700 and its Privacy by Design end up paying dividends.

To learn more about 1Kosmos BlockID the only NIST, FIDO2, and iBeta biometrics-certified platform, ISO 31700-compliant digital identity platform on the market, schedule a free demo today!

The post Architecture is Everything as ‘Privacy by Design’ Becomes an ISO Standard appeared first on 1Kosmos.

*** This is a Security Bloggers Network syndicated blog from Identity & Authentication Blog authored by Rohan Pinto. Read the original post at: