Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases

This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

Protection des consommateurs — Respect de la vie privée assuré dès la conception des biens de consommation et services aux consommateurs — Partie 2: Cas d’usage

General Information

Status: Not Published
Technical Committee: SC 44 - ISO/IEC JTC 1/SC 44
Drafting Committee: SC 44 - ISO/IEC JTC 1/SC 44
Current Stage: 5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date: 30-Jan-2026
Completion Date: 30-Jan-2026

Relations

Effective Date: 26-Apr-2025

Overview

ISO/IEC DTR 31700-2 focuses on consumer protection through privacy by design principles applicable to consumer goods and services. It serves as a supplementary document to ISO 31700-1 by providing illustrative use cases and associated analyses. These examples are specifically selected to facilitate a practical understanding of the high-level requirements outlined in part 1 of the standard. The target audience includes engineers, developers, and practitioners engaged in the design, implementation, and operation of digitally enabled consumer products and service ecosystems.

The document demonstrates how to embed consumer privacy rights and preferences into products right from the design phase and throughout the product lifecycle. Use cases within this standard cover diverse application scenarios such as online retailing, fitness companies, and smart home technologies like smart locks. The overall goal is to promote privacy-aware development methodologies that ensure protection of personally identifiable information (PII) for consumers.


Key Topics

  • Privacy by Design
    Privacy is integrated early and consistently throughout product and service lifecycles, from development to retirement, ensuring continuous protection of consumer data.

  • Use Cases and Use Case Templates
    The document adopts a use case methodology based on IEC 62559-2, tailored to highlight privacy challenges and requirements. This practical approach helps clarify interactions between consumers and digitally enabled systems.

  • ISO 31700-1 Requirements Overview
    The standard categorizes requirements into:

    • General privacy capabilities
    • Consumer communication and complaint handling
    • Privacy risk management
    • Development and operationalization of privacy controls
    • End-of-life privacy considerations for PII
  • Privacy Risk Assessment and Management
    Emphasizes ongoing risk evaluation including third-party privacy capabilities, incorporating privacy risks into cybersecurity resilience, and updating controls appropriately.

  • Human Computer Interface (HCI) Design for Privacy
    Ensures user interfaces promote transparency and enable consumers to enforce their privacy rights effectively.

  • Multi-Functional Privacy Roles and Responsibilities
    Specifies roles within organizations responsible for privacy governance, knowledge sharing, and accountability mechanisms.


Applications

ISO/IEC DTR 31700-2 is highly valuable for organizations developing consumer-facing digital products and services requiring strong privacy protections. Practical applications include:

  • Online Retail Platforms
    Guiding privacy-enabled customer interactions, data management, and breach response communications to maintain trust.

  • Fitness and Health Services
    Designing privacy controls around sensitive health data while supporting consumer rights and transparency.

  • Smart Home Devices (e.g., Smart Locks)
    Ensuring that connected devices respect user privacy preferences, incorporate secure data handling, and manage PII lifecycle securely.

  • Consumer Electronics & IoT Products
    Embedding privacy controls as essential components within product development lifecycles aligned with consumer protection standards.

  • Software and Service Providers
    Implementing privacy risk assessments and controls that meet consumer protection requirements and comply with international norms.

By following the use cases presented, developers and engineers can better assess implementation challenges and design privacy-aware systems that foster consumer confidence.


Related Standards

  • ISO 31700-1:2023 - Consumer protection - Privacy by design for consumer goods and services - Part 1: High-level requirements. The foundational document describing core privacy requirements.

  • IEC 62559-2 - Use case methodology for describing system interactions. Provides the template structure adapted for privacy-focused use cases in this document.

  • ISO/IEC 27001 – Information security management systems; relevant for integrating privacy risk into cybersecurity strategies.

  • NIST Privacy Framework – Provides complementary guidelines for managing privacy risks within organizational processes.

  • ISO/IEC JTC 1 SC 44 – The technical subcommittee responsible for privacy protection standards in consumer goods and services.


Keywords: ISO/IEC DTR 31700-2, consumer protection, privacy by design, privacy use cases, digital consumer goods, privacy requirements, privacy risk management, personally identifiable information (PII), online retail privacy, smart home privacy, fitness data protection, consumer data privacy, privacy controls, privacy standards for consumer services, human computer interface privacy.

Draft

ISO/IEC DTR 31700-2 - Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases Released:16. 01. 2026

English language
33 pages
Draft

REDLINE ISO/IEC DTR 31700-2 - Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases Released:16. 01. 2026

English language
33 pages


Frequently Asked Questions

ISO/IEC DTR 31700-2 is a draft published by the International Organization for Standardization (ISO). Its full title is "Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases". This standard covers: This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.


ISO/IEC DTR 31700-2 is classified under the following ICS (International Classification for Standards) categories: 03.080.30 - Services for consumers; 03.100.01 - Company organization and management in general. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC DTR 31700-2 has the following relationships with other standards: it has an inter-standard link to ISO/TR 31700-2:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


FINAL DRAFT
Technical Report
ISO/IEC DTR 31700-2
ISO/IEC JTC 1/SC 44
Secretariat: BSI
Voting begins on: 2026-01-30
Voting terminates on: 2026-03-27
Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases
Protection des consommateurs — Respect de la vie privée assuré dès la conception des biens de consommation et services aux consommateurs — Partie 2: Cas d’usage
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2026 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Overview of ISO 31700-1 [1] requirements and related concepts
5.1 ISO 31700-1 [1] requirements
5.2 Related concepts
5.3 Viewpoints in the use cases
5.3.1 General
5.3.2 Consumer product viewpoint
5.3.3 Engineering framework viewpoint
5.3.4 Ecosystem viewpoint
6 Use case analysis
6.1 General
6.2 Use case template
7 Use cases
7.1 General
7.2 Online retailing
7.2.1 Online retailing use case main description
7.2.2 Online retailing consumer communication
7.2.3 Online retailing summary
7.2.4 Online retailing general requirements
7.2.5 Online retailing risk management
7.2.6 Online retailing development, deployment and operation
7.2.7 Online retailing end of PII lifecycle
7.3 Fitness company
7.3.1 Fitness company use case main description
7.3.2 Fitness company risk management of health application
7.3.3 Fitness company consumer communication
7.4 Smart locks for homes' front doors
7.4.1 Smart locks product line main description
7.4.2 Smart locks basic configuration
7.4.3 Smart locks colocation configuration
7.4.4 Smart locks family configuration
7.4.5 Smart locks risk management
7.4.6 Smart locks consumer communication
7.4.7 Smart locks development, deployment and operation
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 44, Consumer protection in the field of privacy by design.
This second edition cancels and replaces the first edition (ISO/TR 31700-2:2023), which has been technically
revised.
The main changes are as follows:
— the list of high-level requirements (Table 1) has been updated to align with ISO 31700-1 [1];
— editorial corrections have been made to figures.
A list of all parts in the ISO/IEC 31700 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
ISO 31700-1 [1] provides high-level requirements and recommendations for organizations using privacy by design in the development, maintenance and operation of consumer goods and services. These are grounded in a consumer-focused approach, in which consumer privacy rights and preferences are placed at the heart of product development and operation.
Use cases help to identify, clarify and organize system requirements related to a set of goals, by illustrating a series of possible sequences of interactions between stakeholder(s) and system(s) in a particular ecosystem. The use cases in this document use a template that is based on IEC 62559-2 [2] while enabling a focus on privacy by design challenges.
Although a wide range of use cases exist, this document focuses on three sample use cases to illustrate the implementation of ISO 31700-1 [1]: online retailing, a fitness company and smart locks.

FINAL DRAFT Technical Report ISO/IEC DTR 31700-2:2026(en)
Consumer protection — Privacy by design for consumer
goods and services —
Part 2:
Use cases
1 Scope
This document provides illustrative use cases, with associated analysis, to assist in understanding the requirements of ISO 31700-1 [1].
The intended audience includes engineers and practitioners who are involved in the development,
implementation or operation of digitally-enabled consumer goods and services.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
privacy by design
design methodologies in which privacy is considered and integrated into the initial design stage and
throughout the complete lifecycle of products, processes or services that involve processing of personally
identifiable information, including product retirement and the eventual deletion of any associated personally
identifiable information
Note 1 to entry: The lifecycle also includes changes or updates.
[SOURCE: ISO 31700-1:2023 [3], 3.5]
3.2
use case
description of a sequence of interactions of a consumer and a consumer product used to help identify, clarify
and organize requirements to support a specific business goal
Note 1 to entry: Consumers can be users, engineers, or systems.
Note 2 to entry: Systems of interest in this document are consumer goods systems or service systems.
[SOURCE: ISO 31700-1:2023 [3], 3.22, modified — Note 2 to entry has been added.]

4 Abbreviated terms
HCI human computer interface
NIST National Institute of Standards and Technology
PII personally identifiable information
5 Overview of ISO 31700-1 [1] requirements and related concepts
5.1 ISO 31700-1 [1] requirements
Table 1 lists the subclauses containing requirements from ISO 31700-1 [1], categorized as:
— general (ISO 31700-1:2023 [3], Clause 4);
— consumer communication requirements (ISO 31700-1:2023 [3], Clause 5);
— risk management requirements (ISO 31700-1:2023 [3], Clause 6);
— developing, deploying and operating designed privacy controls (ISO 31700-1:2023 [3], Clause 7);
— end of PII lifecycle requirements (ISO 31700-1:2023 [3], Clause 8).

Table 1 — ISO 31700-1 [1] requirements

| Category | ISO 31700-1:2023 [3] subclause number |
|---|---|
| General | 4.2 Designing capabilities to enable consumers to enforce their privacy rights |
| General | 4.3 Developing capability to determine consumer privacy preferences |
| General | 4.4 Designing human computer interface (HCI) for privacy |
| General | 4.5 Assigning relevant roles and authorities |
| General | 4.6 Establishing multi-functional responsibilities |
| General | 4.7 Developing privacy knowledge, skill and ability |
| General | 4.8 Ensuring knowledge of privacy controls |
| General | 4.9 Documentation and information management |
| Consumer communication requirements | 5.2 Provision of privacy information |
| Consumer communication requirements | 5.3 Accountability for providing privacy information |
| Consumer communication requirements | 5.4 Responding to consumer inquiries and complaints |
| Consumer communication requirements | 5.5 Communicating to diverse consumer population |
| Consumer communication requirements | 5.6 Prepare data breach communications |
| Risk management requirements | 6.2 Conducting a privacy risk assessment |
| Risk management requirements | 6.3 Assessing privacy capabilities of third parties |
| Risk management requirements | 6.4 Establishing and documenting requirements for privacy controls |
| Risk management requirements | 6.5 Monitoring and updating risk assessment |
| Risk management requirements | 6.6 Including privacy risks in cybersecurity resilience design |
| Developing, deploying and operating designed privacy controls | 7.2 Integrating the design and operation of privacy controls into the products development and management lifecycles |
| Developing, deploying and operating designed privacy controls | 7.3 Designing privacy controls |
| Developing, deploying and operating designed privacy controls | 7.4 Implementing privacy controls |
| Developing, deploying and operating designed privacy controls | 7.5 Designing privacy control testing |
| Developing, deploying and operating designed privacy controls | 7.6 Managing the transition of privacy controls |
| Developing, deploying and operating designed privacy controls | 7.7 Managing the operation of privacy controls |
| Developing, deploying and operating designed privacy controls | 7.8 Preparing for and managing a privacy breach |
| Developing, deploying and operating designed privacy controls | 7.9 Operating privacy controls for the processes and products upon which the product in scope depends upon throughout the PII lifecycle |
| End of PII lifecycle requirements | 8.2 Designing privacy controls for retirement and end of use |

5.2 Related concepts
The tables in this subclause illustrate the relationships between the requirements of ISO 31700-1 [1] and related privacy engineering concepts, categorized as follows:
— lifecycle processes (Table 2);
— privacy protection goals, see ISO/IEC TR 27550 [4] (Table 3);
— NIST Privacy Framework [5] functions (Table 4);
— NIST privacy engineering objectives (Table 5).
The resulting relations are shown in Table 6.

Table 2 — Lifecycle processes

Organization policies | Activities carried out by the organization to define and maintain policies related to privacy by design.
Product design and development | Activities carried out by the organization to design and develop consumer goods or services.
Product use | Activities carried out by the organization to manage privacy when consumer goods or services are in use.

Table 3 — Privacy protection goals

Unlinkability | Property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context. NOTE This ensures that a PII principal can make multiple uses of resources or services without others being able to link these uses together.
Transparency | Property that ensures that all privacy-relevant data processing, including the legal, technical and organizational setting, can be understood as documented or stated.
Intervenability | Property that ensures that PII principals, PII controllers, PII processors and supervisory authorities can intervene in all privacy-relevant data processing [6].

Table 4 — NIST Privacy Framework functions

Identify-P | Develop the organizational understanding to manage privacy risk arising from data processing for individuals.
Govern-P | Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
Control-P | Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
Communicate-P | Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Protect-P | Develop and implement appropriate data processing safeguards.

Table 5 — NIST privacy engineering objectives

Predictability | Enabling reliable assumptions by individuals, owners and operators about data and their processing by a system, product or service.
Manageability | Providing the capability for granular administration of data, including alteration, deletion and selective disclosure.
Disassociability | Enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system.

Table 6 — ISO 31700-1 [1] requirements relationship with associated concepts

| Category of requirement | ISO 31700-1 [1] requirement location | Lifecycle processes | Privacy protection goals | NIST Privacy Framework functions | NIST privacy engineering objectives |
|---|---|---|---|---|---|
| General | 4.2 Designing capabilities to enable consumers to enforce their privacy rights | Product design and development | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability |
| General | 4.3 Developing capability to determine consumer privacy preferences | Product design and development | Intervenability, Transparency | Control-P, Communicate-P | Predictability |
| General | 4.4 Designing human computer interface (HCI) for privacy | Product design and development | Transparency | Communicate-P | Predictability, Manageability |
| General | 4.5 Assigning relevant roles and authorities | Organization policies | - | Govern-P | Manageability |
| General | 4.6 Establishing multi-functional responsibilities | Organization policies | - | Govern-P | Manageability |
| General | 4.7 Developing privacy knowledge, skill and ability | Organization policies | - | Govern-P | Manageability |
| General | 4.8 Ensuring knowledge of privacy controls | Organization policies | - | Govern-P | Manageability, Disassociability |
| General | 4.9 Documentation and information management | Organization policies | - | Govern-P | Manageability |
| Consumer communication requirements | 5.2 Provision of privacy information | Organization policies | Transparency | Communicate-P | Predictability |
| Consumer communication requirements | 5.3 Accountability for providing privacy information | Organization policies | Transparency | Govern-P, Communicate-P | Predictability, Manageability |
| Consumer communication requirements | 5.4 Responding to consumer inquiries and complaints | Product use | Transparency | Communicate-P | Predictability, Manageability |
| Consumer communication requirements | 5.5 Communicating to diverse consumer population | Product use | Transparency | Communicate-P | Predictability |
| Consumer communication requirements | 5.6 Prepare data breach communications | Product use | Transparency | Communicate-P | Predictability |
| Risk management requirements | 6.2 Conducting a privacy risk assessment | Product design and development | Unlinkability | Identify-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.3 Assessing privacy capabilities of third parties | Product design and development | Unlinkability | Identify-P, Protect-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.4 Establishing and documenting requirements for privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Identify-P, Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.5 Monitoring and updating risk assessment | Product design and development | Unlinkability | Identify-P, Govern-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.6 Including privacy risks in cybersecurity resilience design | Organization policies | Unlinkability | Identify-P, Protect-P | - |
| Developing, deploying and operating designed privacy controls | 7.2 Integrating the design and operation of privacy controls into the products development and management lifecycles | Organization policies | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.3 Designing privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.4 Implementing privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.5 Designing privacy control testing | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.6 Managing the transition of privacy controls | Organization policies | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.7 Managing the operation of privacy controls | Organization policies | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.8 Preparing for and managing a privacy breach | Organization policies | - | Protect-P, Control-P | - |
| Developing, deploying and operating designed privacy controls | 7.9 Operating privacy controls for the processes and products upon which the product in scope depends upon throughout the PII lifecycle | Product use | - | Control-P, Communicate-P | - |
| End of PII lifecycle requirements | 8.2 Designing privacy controls for retirement and end of use | Product design and development | - | Control-P, Communicate-P | Predictability, Manageability, Disassociability |

5.3 Viewpoints in the use cases
5.3.1 General
The viewpoints presented here are shown in the sequence diagrams of the use cases in Clause 7.
5.3.2 Consumer product viewpoint
Consumer products and associated organizational practices protect consumers’ privacy when the product is
in use and throughout the PII lifecycle while the PII is under the organization’s purview.
Considering how a product is likely to be used in practice, during product development, can require a number of different contexts and situations to be evaluated. Different users with different capabilities need to be catered for. This is particularly relevant given that the product, once in the possession of a consumer, is operated in unconstrained circumstances where the consumers' understanding and abilities can, and often do, vary considerably. Consumer use can also change over time and vary between cultures or demographic groups.
For each type of use covered in this document, the precise definition of use is coupled with a description of
how the product and any associated organizational processes would operate so as to protect privacy.
5.3.3 Engineering framework viewpoint
The development and management of privacy controls is an essential part of the engineering of consumer products. The resulting engineering framework combines:
— processes based on standards such as ISO/IEC/IEEE 15288 [7];
— extensions of such processes that integrate privacy engineering. These extensions can be based on ISO/IEC TR 27550 [4] with the support of frameworks such as the NIST Privacy Framework [5], and the use of OASIS PMRM [8] to operationalize privacy principles;
— the integration of the consumer product viewpoint, which is supported by ISO 31700-1 [1].
5.3.4 Ecosystem viewpoint
Consumer products involve two ecosystems:
— the supply chain, i.e. the ecosystem associated with the system lifecycle process. This involves
organization and contractual activities on the privacy capabilities provided by third parties;
— the data space, i.e. the ecosystem associated with users and providers of data. This involves organization
and contractual activities on data sharing.
6 Use case analysis
6.1 General
A use case template has been developed in order to illustrate the use case examples in a consistent manner. The template is structured in such a way as to provide the information that illustrates the use of ISO 31700-1 [1].
— The entries for the main narrative are general. They include ID: use case name; description of product, service or process; privacy protection goal; ecosystem and systems of interest; users, stakeholders; PII; purpose; and use case narrative.
— The entries for the extended narratives follow the requirements of ISO 31700-1 [1]: general requirements; consumer communication requirements; risk management requirements; development, deployment and operations of designed privacy controls; and end of PII lifecycle requirements.
6.2 Use case template
Table 7 provides a template for the main narrative of a use case.

Table 7 — Template for main narrative

Entry | Entry description
ID | Unique identification
Use case name | Meaningful name
Description of product, service or process | Short description of product
Privacy protection goal | Short description of privacy protection goals
Ecosystem and systems of D
...


ISO/IEC JTC 1/SC 44
ISO/IEC CD TR 31700-2(en)
Secretariat: BSI
Date: 2026-01-16
Consumer protection — Privacy by design for consumer goods and services —
Part 2:
Use cases
Protection des consommateurs — Respect de la vie privée assuré dès la conception des biens de consommation et services aux consommateurs —
Partie 2: Cas d’usage
FDIS stage
ISO/IEC DTR 31700-2:2026(en)
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying,
or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
E-mail: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Overview of ISO 31700-1 [1] requirements and related concepts
5.1 ISO 31700-1 [1] requirements
5.2 Related concepts
5.3 Viewpoints in the use cases
6 Use case analysis
6.1 General
6.2 Use case template
7 Use cases
7.1 General
7.2 Online retailing
7.3 Fitness company
7.4 Smart locks for homes' front doors
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 44, Consumer protection in the field of privacy by design.
This second edition cancels and replaces the first edition (ISO/TR 31700-2:2023), which has been technically revised.
The main changes are as follows:
— the list of high-level requirements (Table 1) has been updated to align with ISO 31700-1 [1];
— editorial corrections have been made to figures.
A list of all parts in the ISO/IEC 31700 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction
ISO 31700-1 [1] provides high-level requirements and recommendations for organizations using privacy by design in the development, maintenance and operation of consumer goods and services. These are grounded in a consumer-focused approach, in which consumer privacy rights and preferences are placed at the heart of product development and operation.
Use cases help to identify, clarify and organize system requirements related to a set of goals, by illustrating a series of possible sequences of interactions between stakeholder(s) and system(s) in a particular ecosystem. The use cases in this document use a template that is based on IEC 62559-2 [2] while enabling a focus on privacy by design challenges and on the ISO 31700-1 requirements.
Although a wide range of use cases exist, this document focuses on three sample use cases to illustrate the implementation of ISO 31700-1 [1]: online retailing, a fitness company and smart locks.
Consumer protection — Privacy by design for consumer goods and
services —
Part 2:
Use cases
1 Scope
This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of ISO 31700-1 [1].
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
privacy by design
design methodologies in which privacy is considered and integrated into the initial design stage and throughout the complete lifecycle of products, processes or services that involve processing of personally identifiable information, including product retirement and the eventual deletion of any associated personally identifiable information
Note 1 to entry: The lifecycle also includes changes or updates.
[SOURCE: ISO 31700-1 [3], 3.5]
3.2
use case
description of a sequence of interactions of a consumer and a consumer product used to help identify, clarify,
and organize requirements to support a specific business goal
Note 1 to entry: Consumers can be users, engineers, or systems.
Note 2 to entry: Systems of interest in this document are consumer goods systems or service systems.
[SOURCE: ISO 31700-1 [3], 3.22, modified — Note 2 to entry has been added.]
4 Abbreviated terms
HCI human computer interface
NIST National Institute of Standards and Technology
PII personally identifiable information
5 Overview of ISO 31700-1 [1] requirements and related concepts
5.1 ISO 31700-1 [1] requirements
Table 1 lists the subclauses containing requirements from ISO 31700-1 [1], categorized as:
— general (ISO 31700-1 [3], Clause 4);
— consumer communication requirements (ISO 31700-1 [3], Clause 5);
— risk management requirements (ISO 31700-1 [3], Clause 6);
— developing, deploying and operating designed privacy controls (ISO 31700-1 [3], Clause 7);
— end of PII lifecycle requirements (ISO 31700-1 [3], Clause 8).
Table 1 — ISO 31700-1 [1] requirements
| Category | ISO 31700-1 [3] subclause number |
|---|---|
| General | 4.2 Designing capabilities to enable consumers to enforce their privacy rights |
| General | 4.3 Developing capability to determine consumer privacy preferences |
| General | 4.4 Designing human computer interface (HCI) for privacy |
| General | 4.5 Assigning relevant roles and authorities |
| General | 4.6 Establishing multi-functional responsibilities |
| General | 4.7 Developing privacy knowledge, skill and ability |
| General | 4.8 Ensuring knowledge of privacy controls |
| General | 4.9 Documentation and information management |
| Consumer communication requirements | 5.2 Provision of privacy information |
| Consumer communication requirements | 5.3 Accountability for providing privacy information |
| Consumer communication requirements | 5.4 Responding to consumer inquiries and complaints |
| Consumer communication requirements | 5.5 Communicating to diverse consumer population |
| Consumer communication requirements | 5.6 Prepare data breach communications |
| Risk management requirements | 6.2 Conducting a privacy risk assessment |
| Risk management requirements | 6.3 Assessing privacy capabilities of third parties |
| Risk management requirements | 6.4 Establishing and documenting requirements for privacy controls |
| Risk management requirements | 6.5 Monitoring and updating risk assessment |
| Risk management requirements | 6.6 Including privacy risks in cybersecurity resilience design |
| Developing, deploying and operating designed privacy controls | 7.2 Integrating the design and operation of privacy controls into the products development and management lifecycles |
| Developing, deploying and operating designed privacy controls | 7.3 Designing privacy controls |
| Developing, deploying and operating designed privacy controls | 7.4 Implementing privacy controls |
| Developing, deploying and operating designed privacy controls | 7.5 Designing privacy control testing |
| Developing, deploying and operating designed privacy controls | 7.6 Managing the transition of privacy controls |
| Developing, deploying and operating designed privacy controls | 7.7 Managing the operation of privacy controls |
| Developing, deploying and operating designed privacy controls | 7.8 Preparing for and managing a privacy breach |
| Developing, deploying and operating designed privacy controls | 7.9 Operating privacy controls for the processes and products upon which the product in scope depends upon throughout the PII lifecycle |
| End of PII lifecycle requirements | 8.2 Designing privacy controls for retirement and end of use |
5.2 Related concepts
The tables in this subclause illustrate the relationships between the requirements of ISO 31700-1 [1] and related privacy engineering concepts, categorized as follows:
— lifecycle processes (Table 2);
— privacy protection goals, see ISO/IEC TR 27550 [4] (Table 3);
— NIST Privacy Framework [5] functions (Table 4);
— NIST privacy engineering objectives (Table 5).
The resulting relations are shown in Table 6.
Table 2 — Lifecycle processes
| Organization policies | Activities carried out by the organization to define and maintain policies related to privacy by design. |
| Product design and development | Activities carried out by the organization to design and develop consumer goods or services. |
| Product use | Activities carried out by the organization to manage privacy when consumer goods or services are in use. |
Table 3 — Privacy protection goals
| Unlinkability | Property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context. NOTE This ensures that a PII principal can make multiple uses of resources or services without others being able to link these uses together. |
| Transparency | Property that ensures that all privacy-relevant data processing, including the legal, technical and organizational setting, can be understood as documented or stated. |
| Intervenability | Property that ensures that PII principals, PII controllers, PII processors and supervisory authorities can intervene in all privacy-relevant data processing [6]. |
Table 4 — NIST Privacy Framework functions
| Identify-P | Develop the organizational understanding to manage privacy risk for individuals arising from data processing. |
| Govern-P | Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk. |
| Control-P | Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. |
| Communicate-P | Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. |
| Protect-P | Develop and implement appropriate data processing safeguards. |
Table 5 — NIST privacy engineering objectives
| Predictability | Enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system, product, or service. |
| Manageability | Providing the capability for granular administration of data, including alteration, deletion, and selective disclosure. |
| Disassociability | Enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system. |
Table 6 — ISO 31700-1 [1] requirements relationship with associated concepts
| Category of requirement | ISO 31700-1 [1] requirement location | Lifecycle processes | Privacy protection goals | NIST Privacy Framework functions | NIST privacy engineering objectives |
|---|---|---|---|---|---|
| General | 4.2 Designing capabilities to enable consumers to enforce their privacy rights | Product design and development | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability |
| General | 4.3 Developing capability to determine consumer privacy preferences | Product design and development | Intervenability, Transparency | Control-P, Communicate-P | Predictability |
| General | 4.4 Designing human computer interface (HCI) for privacy | Product design and development | Transparency | Communicate-P | Predictability, Manageability |
| General | 4.5 Assigning relevant roles and authorities | Organization policies | - | Govern-P | Manageability |
| General | 4.6 Establishing multi-functional responsibilities | Organization policies | - | Govern-P | Manageability |
| General | 4.7 Developing privacy knowledge, skill and ability | Organization policies | - | Govern-P | Manageability |
| General | 4.8 Ensuring knowledge of privacy controls | Organization policies | - | Govern-P | Manageability, Disassociability |
| General | 4.9 Documentation and information management | Organization policies | - | Govern-P | Manageability |
| Consumer communication requirements | 5.2 Provision of privacy information | Organization policies | Transparency | Communicate-P | Predictability |
| Consumer communication requirements | 5.3 Accountability for providing privacy information | Organization policies | Transparency | Govern-P, Communicate-P | Predictability, Manageability |
| Consumer communication requirements | 5.4 Responding to consumer inquiries and complaints | Product use | Transparency | Communicate-P | Predictability, Manageability |
| Consumer communication requirements | 5.5 Communicating to diverse consumer population | Product use | Transparency | Communicate-P | Predictability |
| Consumer communication requirements | 5.6 Prepare data breach communications | Product use | Transparency | Communicate-P | Predictability |
| Risk management requirements | 6.2 Conducting a privacy risk assessment | Product design and development | Unlinkability | Identify-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.3 Assessing privacy capabilities of third parties | Product design and development | Unlinkability | Identify-P, Protect-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.4 Establishing and documenting requirements for privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Identify-P, Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.5 Monitoring and updating risk assessment | Product design and development | Unlinkability | Identify-P, Govern-P | Predictability, Manageability, Disassociability |
| Risk management requirements | 6.6 Including privacy risks in cybersecurity resilience design | Organization policies | Unlinkability | Identify-P, Protect-P | - |
| Developing, deploying and operating designed privacy controls | 7.2 Integrating the design and operation of privacy controls into the products development and management lifecycles | Organization policies | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.3 Designing privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.4 Implementing privacy controls | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.5 Designing privacy control testing | Product design and development | Unlinkability, Intervenability, Transparency | Protect-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.6 Managing the transition of privacy controls | Organization policies | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.7 Managing the operation of privacy controls | Organization policies | Intervenability, Transparency | Control-P, Communicate-P | Predictability, Manageability, Disassociability |
| Developing, deploying and operating designed privacy controls | 7.8 Preparing for and managing a privacy breach | Organization policies | - | Protect-P, Control-P | - |
| Developing, deploying and operating designed privacy controls | 7.9 Operating privacy controls for the processes and products upon which the product in scope depends upon throughout the PII lifecycle | Product use | - | Control-P, Communicate-P | - |
| End of PII lifecycle requirements | 8.2 Designing privacy controls for retirement and end of use | Product design and development | - | Control-P, Communicate-P | Predictability, Manageability, Disassociability |
5.3 Viewpoints in the use cases
5.3.1 General
The viewpoints presented here are shown in the sequence diagrams of the use cases in Clause 7.
5.3.2 Consumer product viewpoint
Consumer products and associated organizational practices protect consumers’ privacy when the product is in use and throughout the PII lifecycle while the PII is under the organization’s purview.
Considering how a product is likely to be used in practice, during product development, can require a number of different contexts and situations to be evaluated. Different users with different capabilities need to be catered for. This is particularly relevant given that the product, once in the possession of a consumer user, is operated in unconstrained circumstances where consumers' understanding and abilities can, and often do, vary considerably. Consumer use can also change over time and vary between cultures or demographic groups.
For each type of use covered in this document, the precise definition of use is coupled with a description of how the product and any associated organizational processes would operate so as to protect privacy.
5.3.3 Engineering framework viewpoint
The development and management of privacy controls is an essential part of the engineering of consumer products. The resulting engineering framework combines:
— processes based on standards such as ISO/IEC/IEEE 15288 [7];
— extensions of such processes that integrate privacy engineering. These extensions can be based on ISO/IEC TR 27550 [4] with the support of frameworks such as the NIST Privacy Framework [5], and the use of OASIS PMRM [8] to operationalize privacy principles;
— the integration of the consumer product viewpoint, which is supported by ISO 31700-1 [1].
NOTE An additional reference to OASIS PMRM is under development: ISO/IEC 27561, Information technology —
Privacy operationalisation model and method for engineers — POMME
5.3.4 Ecosystem viewpoint
Consumer products involve two ecosystems:
— the supply chain, i.e. the ecosystem associated with the system lifecycle process. This involves organization and contractual activities on the privacy capabilities provided by third parties;
— the data space, i.e. the ecosystem associated with users and providers of data. This involves organization and contractual activities on data sharing.
6 Use case analysis
6.1 General
A use case template has been developed in order to illustrate the use case examples in a consistent manner. The template is structured in such a way as to provide the information that illustrates the use of ISO 31700-1 [1].
— The entries for the main narrative are general. They include ID: use case name; description of product, service or process; privacy protection goal; ecosystem and systems of interest; users, stakeholders; PII; purpose; and use case narrative.
— The entries for the extended narratives follow the requirements of ISO 31700-1 [1]: general requirements; consumer communication requirements; risk management requirements; development, deployment and operations of designed privacy controls; and end of PII lifecycle requirements.
6.2 Use case template
Table 7 provides a template for the main narrative of a use case.
Table 7 — Template for main narrative
| Entry | Entry description |
|---|---|
| ID | Unique identification |
| Use case name | Meaningful name |
| Description of product, service or process | Short description of product |
| Privacy protection goal | Short description of privacy protection goals |
| Ecosystem and systems of interest | Describe systems of interest |
| Users | Describe users |
| Stakeholders | Describe stakeholders |
| PII | Describe PII collected |
| Purpose | Describe purpose of PII collection |
| Main narrative | Short narrative on consumer goods and services (possibly with a sequence diagram) |
Table 8 provides a template for the extended narratives of a use case.
Table 8 — Template for extended narratives
| Entry | Entry description |
|---|---|
| ID | Unique identification |
| Use case name | Meaningful name |
| Additional narrative | Narrative describing a specific variation, or focusing on the use of requirements in a specific clause of ISO 31700-1 [1]. When possible, a sequence diagram is provided. Table 9 lists possible categories of narratives. |
Table 9 lists possible categories of extended narratives, which match the categories of ISO 31700-1 [1] requirements.
Table 9 — Categories of extended narratives
| Category of extended narratives | Relationship with ISO 31700-1 [1] |
|---|---|
| General requirements | Focus on ISO 31700-1 [3], 4.2 to 4.9 |
| Consumer communication requirements | Focus on ISO 31700-1 [3], 5.2 to 5.6 |
| Risk management requirements | Focus on ISO 31700-1 [3], 6.2 to 6.6 |
| Developing, deploying and operating designed privacy controls | Focus on ISO 31700-1 [3], 7.2 to 7.9 |
| End of PII lifecycle requirements | Focus on ISO 31700-1 [3], 8.2 |
7 Use cases
7.1 General
Three use cases are described: online retailing, a fitness company and smart locks. These use cases cover ISO 31700-1 [1] requirements as shown in Table 10.
NOTE A sequence diagram is provided for each narrative. The codes for the figures are available at: https://standards.iso.org/iso-iec/tr/31700/-2/ed-2/en.
Table 10 — Use cases requirement coverage
Category of requirement | ISO 31700-1 [1] requirement location | Online retailing | Fitness company | Smart locks
General
4.2 Designing capabilities to enable consumers to enforce their privacy rights X
4.3 Developing capability to determine consumer privacy preferences X
4.4 Designing human computer interface (HCI) for privacy X
4.5 Assigning relevant roles and authorities X
4.6 Establishing multi-functional responsibilities X
4.7 Developing privacy knowledge, skill and ability X
4.8 Ensuring knowledge of privacy controls X
4.9 Documentation and information management X
Consumer communication requirements
5.2 Provision of privacy information X X
5.3 Accountability for providing privacy information X X
5.4 Responding to consumer inquiries and complaints X X X
5.5 Communicating to diverse consumer population X X X
5.6 Prepare data breach communications X X
Risk management requirements
6.2 Conducting a privacy risk assessment X X X
6.3 Assessing privacy capabilities of third parties X X X
6.4 Establishing and documenting requirements for privacy controls X X X
6.5 Monitoring and updating risk assessment X X X
6.6 Including privacy risks in cybersecurity resilience design  X
Developing, deploying and operating designed privacy controls
7.2 Integrating the design and operation of privacy controls into the products development and management lifecycles  X
7.3 Designing privacy controls X X
7.4 Implementing privacy controls X X
7.5 Designing privacy control testing  X
7.6 Managing the transition of privacy controls  X
7.7 Managing the operation of privacy controls X X
7.8 Preparing for and managing a privacy breach X X
7.9 Operating privacy controls for the processes and products upon which the product in scope depends upon throughout the PII lifecycle X X
End of PII lifecycle requirements
8.2 Designing privacy controls for retirement and end of use X
7.2 Online retailing
7.2.1 Online retailing use case main description
Unique
Formatted: Font: Bold
ID UC 31700-01a
identification
Formatted: Font: Bold
Meaningful
Use case name On lineOnline retailing Formatted: Font: Bold
name
Formatted: Font: Bold
Description of Short A service that allows the customersconsumers to search, select
Formatted: Font: Bold
product, service description of and purchase the products, services and information remotely
or process product over the Internet. Formatted: Font: Bold
Short Data and PII provided to or collected by the retailer is limited to
Formatted: Font: Bold
Privacy description of information used to complete the sale, for delivery, to provide a
Formatted: Font: Bold
protection goal privacy receipt, to enable product or service improvement, and to provide
protection goals customer support.
Customer Privacy Expectation
CustomerConsumer privacy expectation.
Ecosystem and Describe
Formatted: Font: Bold
systems of systems of Consumer post -purchase privacy expectation.
Formatted: Font: Bold
interest interest
Online retailers’retailer's transaction system.
Online retailers’retailer's order fulfilment information system.
© ISO/IEC 20252026 – All rights reserved
ISO/IEC CD TRDTR 31700-2:20252026(en)
Online retailers’retailer's delivery system.
Internet service provider information system.
Any consumer placing an order, including vulnerable persons
Users Describe users
Formatted: Font: Bold
(e.g.,. seniors, minors, disabled)).
Formatted: Font: Bold
Retailer fulfilment and delivery staff.
Order processing system.
Delivery system.
Describe
Formatted: Font: Bold
Stakeholders Payment system.
stakeholders
Formatted: Font: Bold
Return system.
Marketing and tracking system.
Consumer device (e.g.,. tablet, smart phone, laptop)).
Describe PII Client name, address, email and phone. Credit card information
Formatted: Font: Bold
PII
processed for payment for processing of order.
Formatted: Font: Bold
Describe
Formatted: Font: Bold
Product use The PII is collected by the seller to fulfil the order and to enable
purpose of PII
purpose product development and service improvement.
Formatted: Font: Bold
processing
A consumer goes online to find toys for thetheir grandchildren.
The consumer visits several websites, including initiating orders
that the consumer does not complete. The consumer finds an
online retailer and completes an order for 2 items. To fulfil the
order, the consumer provides contact information, including
delivery address and payment method.
Short narrative
Formatted: Font: Bold
For the purposes of shipping andan order he, the consumer
on consumer
provides histheir contact information and address. In order to
goods and
Main narrative
process payment he enters his, they enter their credit card details. Formatted: Font: Bold
services
The online retailer asks if hethe consumer wants to set up an
(possibly with a
account. HeThe consumer declines. The online retailer asks if
diagram)
hethe consumer wants themthe retailer to retain thetheir contact
information after delivery for future purchases or returns. The
client declines to allow this except related to the right of return.
The online retailer asks some questions regarding family size,
ages and income. The client declines to answer and declines to
receive any information related to new products.

[Sequence diagram. Participants: Consumer placing order; Tablet and laptop; Retailer; Payment system. Steps shown, in order: goes online and find toys for grandchildren; purchase session; place order; contact information (customer info: item ordered, date, contact information); provide credit card information; account creation? No account creation (customer info: no account); retain contact information? No except for right of return; information on family size, ages and income? Decline; information on products? Decline (customer info: do not retain contact information, no information on product).]

Sequence diagram of online retailing use case main description
7.2.2 Online retailing consumer communication

ID (unique identification): UC 31700-01b

Use case name (meaningful name): Online retailing

Narrative on consumer communication (describe how requirements for consumer communication can help, possibly with a diagram):
The information system of the retailer company is subject to a cybersecurity attack, causing the system to be stopped for several hours.
The organization activates its consumer support programme. It makes a privacy announcement on the web which confirms that there has been no privacy breach.
The consumer makes a specific inquiry concerning their purchase and receives customized information reassuring them that neither their order nor their payment (or other PII) was impacted.

[Sequence diagram. Participants: Consumer placing order; Tablet and laptop; Retailer; 31700. Steps shown, in order: ref: establish governance structure, establish privacy competence program, establish consumer support program (narrative 7.2.3 on general requirements); goes online and find toys for grandchildren; ref: purchase session (main narrative 7.2.1); consumer support program; alert cybersecurity; privacy announcement; website announcement on cybersecurity alert but no privacy breach; request information on privacy; check customer file; return customised information. Annotations in the 31700 column: 5.5 Communicating to diverse consumer population; 5.6 Prepare data breach communications; 5.4 Responding to consumer inquiries and complaints.]

Sequence diagram of online retailing consumer communication
7.2.3 Online retailing summary

ID (unique identification): UC 31700-01c

Use case name (meaningful name): Online retailing

[Sequence diagram. Participants: Consumer placing order; Tablet and laptop; Retailer. Steps shown, in order: ref: establish governance structure, establish privacy competence program (narrative 7.2.3 on general requirements); ref: establish consumer support program (narrative 7.2.5 on consumer communication requirements); ref: consumer service privacy risk analysis (narrative 7.2.4 on risk management requirements); ref: privacy control implementation and operation (narrative 7.2.6 on development, deployment and operation of designed privacy controls); ref: privacy control for retirement (narrative 7.2.7 on end of PII lifecycle requirements); goes online and ...]
