Implementing Privacy by Design through Privacy Impact Assessments

Abstract

Privacy has come a long way from being a fundamental physical right to being implemented as virtual online privacy under GDPR. Recent privacy breaches around the world have highlighted the role of the design of information systems in protecting the privacy of individuals online. GDPR envisions to achieve this through Privacy by Design (PbD) in business and technological systems. Privacy by Design is the law regulating the architecture of information systems through its code and organizational measures to facilitate usercentric privacy. It is relatively a new concept initially developed by Ann Cavoukian along with PbD Principles. The principles themselves do not ensure the holistic implementation of the PbD process. What is lacking in the current model of PbD is an implementation mechanism to operationalize the PbD as a process. This study builds upon the model suggested by Kroener and Wright to operationalize PbD through a dual approach: a set of principles (PbD Principles) and a process (PIAs). Firstly, this study starts an informed discussion on PbD and its robust theoretical basis under Lessig's Theory of Regulation. Secondly, it proposes to address the lack of operationalization by using Privacy Impact Assessments (PIAs) as a tool to conduct the PbD process. It brings together the two concepts and shows how PbD, as a process, can be better performed if complemented with PIAs. Lastly, it develops a framework for such a PbD process and constructs a lifecycle model to address the gaps in its operationalization. It demonstrates the feasibility of the developed PbD operationalization model by applying it to an existing information system: the Föli Mobile Application.