Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 27706:2022 — Privacy by Design Engineering Requirements
Framework for implementing privacy by design throughout the system lifecycle with privacy-enhancing technologies and engineering processes
1. ISO/IEC 27706:2022 — Privacy by Design Framework
ISO/IEC 27706:2022 provides requirements and guidelines for implementing privacy by design (PbD) throughout the lifecycle of systems, products, and services that process PII. While 27701 focuses on the management system (PIMS — the organisational and process framework), 27706 addresses the engineering and design practices needed to build privacy into systems from the ground up. It operationalises the privacy by design principles originally articulated by Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario, Canada), translating them into verifiable engineering requirements that can be integrated into standard software and systems development lifecycles including Agile, DevOps, and Waterfall methodologies.
The standard addresses a critical gap in privacy governance: while many organisations have privacy policies and compliance processes, they often lack the engineering practices needed to translate those policies into working systems. 27706 bridges this gap by providing concrete engineering guidance organised around Cavoukian’s seven foundational principles, making privacy by design practical, repeatable, and auditable. It applies to all organisations that develop, deploy, or operate systems processing PII, from startups building their first application to large enterprises managing complex privacy programmes.
Privacy by design is not a one-time checklist item — it is a continuous engineering discipline. 27706 provides the framework to make PbD repeatable, measurable, and auditable across your entire product portfolio. The most successful implementations integrate PbD into existing development workflows rather than creating parallel privacy processes.
2. Core Privacy by Design Principles (Operationalised)
The standard takes Cavoukian’s seven foundational principles and transforms them into actionable engineering requirements with specific implementation guidance for each phase of the system development lifecycle:
| Principle | Original Statement | 27706 Engineering Requirement | Example Implementation |
|---|---|---|---|
| 1. Proactive not Reactive | Preventative measures, not remedial | Privacy impact assessments must be conducted before development begins, findings documented in system design specification | Integrate DPIA into project initiation gate; privacy threat modelling as part of architectural design review |
| 2. Privacy as Default | Automatic privacy protection | Default configuration must collect minimum PII; opt-out must never be default; strictest privacy settings apply at first use | Universal opt-in for telemetry; privacy-preserving defaults in configuration templates; cookie consent level set to minimum by default |
| 3. Privacy Embedded | Integrated into design, not bolted on | Privacy requirements must be in user stories, acceptance criteria, and definition of done; dedicated privacy backlog items | Privacy criteria in definition of done; automated privacy checks in CI/CD pipeline; privacy regression test suite |
| 4. Full Functionality | Positive-sum, not zero-sum | Privacy controls must not degrade core functionality; performance SLAs include privacy feature benchmarks | Benchmark page load time with and without privacy features; A/B test privacy feature impact on user experience |
| 5. End-to-End Security | Lifecycle protection | Data encrypted throughout lifecycle (transit, at rest, in use) with key management in system architecture | Implement TLS 1.3, AES-256-GCM, and confidential computing where needed; key rotation policies automated |
| 6. Visibility and Transparency | Open and auditable | Privacy notices must be machine-readable; processing logic independently auditable | JSON-LD privacy notices (IAB TCF format); algorithm impact assessments for automated decisions; audit logs with tamper-proof storage |
| 7. User-Centric | User control and consent | Privacy dashboards with unified consent management; data export/deletion self-service; plain-language explanations | Single privacy dashboard across all products; automated subject rights request fulfilment; layered privacy notices |
The most impactful engineering practice derived from 27706 is the concept of a “Privacy Backlog” — analogous to a security backlog but focused specifically on privacy features and controls. This ensures that privacy improvements are visible, prioritised, and resourced alongside feature development, rather than being deferred indefinitely as “future compliance work.”
3. Privacy Engineering Process Requirements
The standard defines a structured privacy engineering process with five interconnected phases. Phase one, Privacy Requirements Elicitation, involves identifying applicable privacy regulations (GDPR, CCPA, PIPL, etc.), conducting stakeholder privacy analysis to understand data subject expectations, and documenting comprehensive PII data flows using data flow diagrams or data mapping tools. Phase two, Privacy Risk Assessment, requires performing privacy-specific threat modelling using established frameworks such as LINDDUN (focusing on privacy threats: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance) or PRIAM (Privacy Risk Assessment Methodology). Each threat must be evaluated for severity and likelihood from both organisational and data subject perspectives.
Phase three, Privacy Architecture Design, guides engineers in selecting appropriate privacy-enhancing technologies (PETs) including differential privacy for statistical databases, federated learning for distributed ML training, homomorphic encryption for encrypted computation (with careful consideration of performance overhead), zero-knowledge proofs for credential verification, and trusted execution environments for confidential computing. Phase four, Privacy Implementation and Verification, requires integrating privacy controls into source code, conducting privacy-focused code reviews (separate from security code reviews), and automating privacy regression tests that verify consent enforcement, data minimisation, and retention limit compliance. Phase five, Privacy Validation, involves conducting privacy acceptance testing with representative users, performing privacy audit walkthroughs with internal or external auditors, and maintaining a comprehensive privacy evidence file that documents all privacy decisions, implementations, and testing results for regulatory demonstration.
4. Privacy-Enhancing Technologies (PETs) in Practice
ISO/IEC 27706 provides detailed guidance on applying PETs in real-world systems, including their strengths, limitations, and appropriate use cases. Differential privacy adds calibrated noise to query results to protect individual records while maintaining statistical utility — it is particularly useful for analytics on user behaviour data, health research, and smart city data aggregation. The standard emphasises that the privacy budget (epsilon, epsilon) must be carefully managed across multiple queries to prevent cumulative privacy loss. Federated learning trains machine learning models across decentralised data without raw data leaving user devices — applicable to keyboard prediction, health monitoring, and recommendation systems where data sensitivity is high. Homomorphic encryption enables computation on encrypted data without decryption, though the computational overhead (typically 10,000-1,000,000x for fully homomorphic encryption) limits current application to specific use cases such as encrypted search, private set intersection, and aggregated statistics. The standard advises engineers to select PETs based on a systematic privacy-utility-performance trade-off analysis rather than on theoretical privacy guarantees alone, and to validate implementations against realistic adversary models and workload patterns.
Differential privacy is not a silver bullet. The privacy budget must be carefully managed across multiple queries, and the utility loss from noise injection may be unacceptable for certain high-precision applications. Always validate differential privacy implementations against realistic query patterns and consider the risk of privacy budget exhaustion over the system’s operational lifetime.
The standard also addresses organisational enablers for PbD, including the need for privacy engineering training programmes, cross-functional privacy review boards, and privacy metrics and KPIs that track adoption and effectiveness of privacy controls. It recommends that organisations designate privacy champions within product teams, establish privacy communities of practice for knowledge sharing, and conduct regular privacy engineering maturity assessments to identify improvement opportunities.
Q1: How does 27706 differ from 27701?
A: 27701 defines a privacy management system (organisational and process focus), while 27706 defines privacy by design engineering practices (technical and design focus). They are complementary — organisations should implement both for comprehensive privacy governance, with 27706 providing the engineering toolkit and 27701 providing the management framework.
A: 27701 defines a privacy management system (organisational and process focus), while 27706 defines privacy by design engineering practices (technical and design focus). They are complementary — organisations should implement both for comprehensive privacy governance, with 27706 providing the engineering toolkit and 27701 providing the management framework.
Q2: What skills are needed to implement 27706?
A: The standard requires multidisciplinary teams: privacy engineers who understand PETs and privacy architecture patterns, privacy lawyers for regulatory interpretation and data subject rights, UX designers for privacy interface design and consent experiences, and data scientists for privacy metrics, anonymisation validation, and auditing.
A: The standard requires multidisciplinary teams: privacy engineers who understand PETs and privacy architecture patterns, privacy lawyers for regulatory interpretation and data subject rights, UX designers for privacy interface design and consent experiences, and data scientists for privacy metrics, anonymisation validation, and auditing.
Q3: Can 27706 be applied to AI and ML systems?
A: Yes, and it is particularly relevant for AI systems. The standard’s guidance on anonymisation, purpose limitation, and automated decision-making directly addresses AI privacy challenges. The LINDDUN threat modelling framework referenced in 27706 includes AI-specific privacy threats such as model inversion, membership inference, and training data extraction.
A: Yes, and it is particularly relevant for AI systems. The standard’s guidance on anonymisation, purpose limitation, and automated decision-making directly addresses AI privacy challenges. The LINDDUN threat modelling framework referenced in 27706 includes AI-specific privacy threats such as model inversion, membership inference, and training data extraction.
Q4: What is the relationship between 27706 and the EU AI Act?
A: The EU AI Act requires privacy by design for high-risk AI systems under Article 10 (data governance) and Article 13 (transparency). Compliance with 27706 can be used as technical evidence meeting these requirements, particularly for transparency obligations, human oversight mechanisms, and data governance practices for training, validation, and testing data.
A: The EU AI Act requires privacy by design for high-risk AI systems under Article 10 (data governance) and Article 13 (transparency). Compliance with 27706 can be used as technical evidence meeting these requirements, particularly for transparency obligations, human oversight mechanisms, and data governance practices for training, validation, and testing data.
