Privacy by Design

What is Privacy by Design

What is Privacy by Design and why is it important today? This is a topic we’ll be diving into in the coming months.

Editor’s Note: This column was taken from AIIM’s whitepaper, Information Privacy and Security: GDPR is the Tip of the Iceberg.

Organizations must consider the concept of Privacy by Design going forward. It seeks to embed privacy principles within privacy best practices, systems and software. Formulated by the Privacy Commissioner for the Province of Ontario, Privacy by Design encompasses seven foundational principles for embedding privacy within systems and software.

Privacy by Design principles were espoused by the International Conference of Privacy Commissioners “as a holistic concept that may be applied throughout the organization, including its technology and business practices.”

GDPR has entrenched Privacy by Design, requiring data processors and controllers to “implement appropriate technical and organizational measures for ensuring that by default only personal data necessary for each specific purpose of the processing are processed.”

One of the key foundational tenets of Privacy by Design is that privacy rights ought to be protected and enforced by default in order to proactively mitigate privacy risks. From a software and process design perspective, this means that Privacy by Design should encompass:

  • Data Minimization: to restrict collection to the minimum amount of personally identifiable information required for processing;
  • Data Classification: to ensure that personally identifiable information is tagged and assigned the appropriate level of protection from exposure;
  • Data Pseudonymization and Encryption: to ensure the ongoing confidentiality, integrity, availability and resilience of personal data and data systems, and to preserve privacy through the processing of personal data in ways that can no longer be attributed to a specific data subject;
  • Data Aggregation: to provide tools to aggregate personally identifiable information to the highest level possible;
  • Auditing and Control: to provide data subjects with agency over their personal information and to empower data processors to demonstrate compliance; and
  • Intuitive User Interface Design: to enable users to easily understand privacy notices, to provide affirmative consent (since under GDPR implied consent is no longer permissible) and to withdraw consent by providing intuitive access to privacy settings, including simple-to-understand privacy icons.
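As an added illustration (not part of the AIIM column or the whitepaper it is drawn from), the Python sketch below applies three of the tenets above to a constructed record set: a purpose-bound allow-list for data minimization, keyed-hash (HMAC-SHA256) pseudonymization of the subject identifier, and aggregation of location data with suppression of small cells. The field names, function names, processing purpose and sample records are all assumptions made for this example; only the Python standard library is used.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data set: fictitious subjects, not real people.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org", "dob": "1984-03-02",
     "postcode": "M5V 2T6", "diagnosis_code": "J45", "visit_date": "2024-05-01"},
    {"name": "Bob Example", "email": "bob@example.org", "dob": "1979-11-20",
     "postcode": "M5V 1A1", "diagnosis_code": "E11", "visit_date": "2024-05-01"},
    {"name": "Carol Example", "email": "carol@example.org", "dob": "1991-07-15",
     "postcode": "M5V 3B2", "diagnosis_code": "J45", "visit_date": "2024-05-02"},
    {"name": "Dan Example", "email": "dan@example.org", "dob": "1965-01-30",
     "postcode": "K1A 0B1", "diagnosis_code": "I10", "visit_date": "2024-05-02"},
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-02",
     "postcode": "M5V 2T6", "diagnosis_code": "J45", "visit_date": "2024-05-09"},
]

# Data minimization: each processing purpose (assumed name) gets an explicit
# allow-list of fields. Anything not listed is never copied out of the source.
PURPOSE_FIELDS = {
    "utilization_report": ("postcode", "diagnosis_code", "visit_date"),
}


def minimize(record, purpose):
    """Return only the fields the stated purpose is allowed to see."""
    allowed = PURPOSE_FIELDS[purpose]
    return {field: record[field] for field in allowed if field in record}


def pseudonymize(identifier, key):
    """Keyed hash (HMAC-SHA256) of a canonicalised identifier.

    The same subject always maps to the same token, so the processor can
    still count repeat visits, but without the key the token can neither be
    recomputed from a guessed e-mail address nor reversed to one. Case and
    whitespace are normalised so "Alice@..." and "alice@..." stay linked.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def generalize_postcode(postcode):
    """Aggregation step: keep only the first three characters (area level)."""
    return postcode.replace(" ", "")[:3].upper()


def process(records, purpose, key):
    """Minimize, generalize and pseudonymize every record for one purpose."""
    rows = []
    for record in records:
        row = minimize(record, purpose)
        row["postcode"] = generalize_postcode(row["postcode"])
        row["subject_id"] = pseudonymize(record["email"], key)
        rows.append(row)
    return rows


def aggregate(rows, field, k=3):
    """Count rows per value, suppressing cells below k so that no small
    group can be singled out from the published output."""
    counts = Counter(row[field] for row in rows)
    return {value: (n if n >= k else f"<{k}") for value, n in counts.items()}


if __name__ == "__main__":
    # Constructed key for the demo; in practice it lives in a secrets store,
    # separate from the pseudonymized data, and is rotated per purpose.
    key = b"constructed-demo-key"
    rows = process(RAW_RECORDS, "utilization_report", key)
    for row in rows:
        print(row)
    print(aggregate(rows, "postcode"))
```

Keeping the pseudonymization key apart from the output is what makes the tokens unattributable to a data subject in the sense of the GDPR definition quoted above; the same code run with a per-purpose key also prevents two downstream data sets from being joined on the token.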

To read more about information privacy and GDPR, download: Information Privacy and Security: GDPR is Just the Tip of the Iceberg.