
Privacy by Design: what ISO 31700 changes for IAM teams


Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Privacy by Design becoming ISO 31700 pushes privacy from policy into architecture, with 30 requirements spanning consumer control, lifecycle data management, governance, and breach mitigation, according to 1Kosmos. The real test is whether identity systems can enforce minimum collection, consent, and verification without storing unnecessary personal data.

NHIMG editorial — based on content published by 1Kosmos: Privacy by Design standardisation and ISO 31700 implications

By the numbers:

Questions worth separating out

Q: How should teams implement Privacy by Design in identity architecture?

A: They should embed privacy controls into onboarding, authentication, consent, retention, and deletion workflows rather than treat privacy as a policy wrapper.

Q: When does a privacy standard become an identity governance issue?

A: It becomes an identity governance issue when the organisation must prove what personal data it holds, why it holds it, who can use it, and when it is removed.

Q: What do security teams get wrong about biometrics and privacy?

A: They often focus on authentication strength and ignore the data handling model around enrolment, storage, and recovery.

Practitioner guidance

  • Minimise identity data at collection time: review onboarding, recovery, and verification flows to remove any PII that is not strictly needed for the transaction.
  • Align consent with actual processing paths: document where user approval is captured, where it is enforced, and which systems inherit the decision.
  • Rework authentication to reduce stored secrets: use passwordless and stronger verification patterns where appropriate so identity assurance does not depend on repeated storage of credentials or overexposed account data.
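The three guidance points above can be enforced in one place: a gate that every identity request passes through before anything is persisted. The example below is added here as an illustration and is not code from 1Kosmos or from the NHIMG post; the flow names, field allowlists, consent purposes, retention periods and sample records are all constructed assumptions that a real deployment would replace with the output of its own data-flow review. It drops fields the flow does not need, refuses to process when no valid consent names the flow's purpose, and stamps the stored record with a retention deadline so deletion is scheduled at collection time rather than left to a later policy.

```python
"""
Added example (not from the 1Kosmos article or the NHIMG post): a small
enforcement gate applying minimum collection, consent, and retention to
an identity request. Flow names, fields, purposes and retention values
are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: per-flow allowlist of the only fields each transaction needs.
# Note that verification keeps a hash of the document, never the document.
FLOW_FIELDS = {
    "onboarding": {"email", "display_name", "date_of_birth"},
    "recovery": {"email"},
    "verification": {"document_hash"},
}

# Assumption: the processing purpose each flow serves; consent must name it,
# so a consent granted for onboarding does not silently cover recovery.
FLOW_PURPOSE = {
    "onboarding": "account_creation",
    "recovery": "account_recovery",
    "verification": "identity_verification",
}

# Assumption: retention per flow (constructed values).
RETENTION = {
    "onboarding": timedelta(days=365),
    "recovery": timedelta(hours=1),
    "verification": timedelta(days=30),
}


@dataclass
class Decision:
    accepted: bool
    stored: dict                      # the minimised record, or {} if refused
    dropped: list = field(default_factory=list)  # submitted fields discarded
    reason: str = ""                  # why the request was refused, if it was
    expires_at: Optional[datetime] = None        # deletion deadline when stored


def minimise(flow: str, submitted: dict):
    """Keep only the fields the flow needs and report what was discarded."""
    allowed = FLOW_FIELDS[flow]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(k for k in submitted if k not in allowed)
    return kept, dropped


def consent_covers(consents: list, purpose: str, now: datetime) -> bool:
    """A consent counts only if it names the purpose, is not withdrawn,
    and has not expired."""
    for c in consents:
        if (c["purpose"] == purpose
                and c.get("withdrawn_at") is None
                and c["expires_at"] > now):
            return True
    return False


def process_request(flow: str, submitted: dict, consents: list,
                    now: Optional[datetime] = None) -> Decision:
    """Gate an identity request: minimise, check consent, set retention."""
    now = now or datetime.now(timezone.utc)
    if flow not in FLOW_FIELDS:
        return Decision(False, {}, [], f"unknown flow {flow!r}")
    kept, dropped = minimise(flow, submitted)
    missing = FLOW_FIELDS[flow] - kept.keys()
    if missing:
        # Do not store a partial record; the flow cannot complete anyway.
        return Decision(False, {}, dropped,
                        f"missing required fields: {sorted(missing)}")
    purpose = FLOW_PURPOSE[flow]
    if not consent_covers(consents, purpose, now):
        return Decision(False, {}, dropped, f"no valid consent for {purpose}")
    return Decision(True, kept, dropped, expires_at=now + RETENTION[flow])


if __name__ == "__main__":
    # Constructed sample: the client over-submits, consent covers onboarding only.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    consents = [{"purpose": "account_creation",
                 "expires_at": now + timedelta(days=30)}]
    submitted = {"email": "user@example.com", "display_name": "Sample User",
                 "date_of_birth": "1990-01-01", "phone": "+10000000000",
                 "national_id": "000-00-0000"}
    print(process_request("onboarding", submitted, consents, now))
    print(process_request("recovery", submitted, consents, now))
```

The `dropped` list is worth logging as a metric: a flow that consistently discards the same fields is evidence that the client or form is still collecting data the transaction never needed, which is exactly the review the first guidance point asks for.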

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps Privacy by Design principles to product architecture and consumer identity flows
  • The NIST, FIDO2, and iBeta certification context used to support its identity assurance claims
  • The article’s explanation of how biometric verification is positioned against password-based and data-heavy authentication
  • The survey and market references the vendor uses to argue that privacy experience affects trust and preference

👉 Read 1Kosmos's analysis of Privacy by Design and ISO 31700 →
