International Organization for Standardization (ISO)

The terminology used by the ISO 29100 privacy framework arguably most closely aligns with the terminology used under the GDPR. The following chart provides a side-by-side comparison of commonly used terms and concepts as they appear in the European GDPR, the California CCPA, and the newly passed Virginia Consumer Data Protection Act.

Comparison chart (column headers only): ISO 29100 | Europe

The ISO 29100 privacy framework does not include formal requirements that a company must follow, but it does provide bullet points under each of its proposed principles that discuss what it means to adhere to the principle, and many organizations refer to those bullet points as proposed controls. In total, the original version of the

The ISO 29100 privacy framework sets forth the following eleven core principles:

1. Consent and choice

2. Purpose legitimacy and specification

3. Collection limitation

4. Data minimization

5. Use, retention and disclosure limitation

6. Accuracy and quality

7. Openness, transparency and notice

8. Individual participation and access

9. Accountability

10. Information security

11. Privacy compliance

In 2011, the International Organization for Standardization technical committee on Information Security, Cybersecurity and Privacy Protection developed a privacy framework that was intended to propose common privacy terminology, define the roles of different organizations with respect to privacy, and establish core privacy principles.[1] The result was the publication on December 15, 2011, of the

There are few published statistics regarding the adoption rate of privacy frameworks. The statistics that do exist have questionable reliability, primarily owing to sampling bias and self-reporting bias. For example, studies that ask clients of an organization that creates a privacy framework whether they adopted the privacy framework are likely to overreport adoption rates, as

There are numerous privacy frameworks. Some are established by independent organizations such as the International Organization for Standardization (ISO), which established the ISO 29100 privacy framework. Others are established by standard-setting bodies related to specific countries or governments. For example, the United States National Institute of Standards and Technology (NIST) established a NIST Privacy Framework.