Privacy by Design
What is Privacy by Design?
Privacy by Design is a design principle that requires you to fully account for privacy aspects during the development of information systems and processes. You consider potential privacy risks at the design stage. You then translate those risks into the necessary technical measures to prevent misuse of personal data.
Why is Privacy by Design Important?
Privacy is a key requirement in the development of digital systems today. Collectively, we collect and process ever more personal data, and a Europe-wide regulation, the General Data Protection Regulation (GDPR), has therefore been established to govern its handling. The GDPR includes requirements for IT systems and related processes. For example, system access must be managed on an individual basis; group accounts are no longer permitted. Employees have access only to the personal data required for their role. This is known as the Principle of Least Privilege: in a healthcare organization, for example, only clinical staff may access medical records; other staff may not.
These requirements must be addressed at the design stage of your IT systems, that is, privacy by design. In practice, seven privacy design principles have been defined; we briefly explain them below.
Privacy by Design Principles
Privacy by Design requires consideration of seven principles:
Proactive, Not Reactive: You must consider privacy risks and corresponding measures in your design up front. Do not add them later based on trial and error.
Default Settings: All built-in privacy measures must be active by default. Users should not have to manually adjust settings to protect their privacy.
Privacy is Embedded by Default: Privacy measures must be integral to your design. Do not first develop core functionality and then add some privacy add-ons afterward.
Full Functionality: Privacy measures must be implemented to ensure both functionality and privacy are adequately supported and do not interfere with one another. Seek a win-win in your design.
End-to-End Security: Privacy protection must be implemented so that data is protected from end to end, that is, throughout the entire data lifecycle, from collection to deletion.
Visibility and Transparency: Ensure that users clearly understand what data is collected and how it is processed. Also, make clear how the data is used.
Respect for Privacy: The entire design must be created with the affected individuals in mind. Their privacy must be guaranteed.
How Does HelloID Meet the Privacy by Design Principles?

Information security and privacy protection are central requirements in the design of the HelloID platform. Tools4ever is ISO 27001 certified, and a certified auditor has issued a SOC 2 Type II audit report. This demonstrates that, in addition to the platform, our development and operations processes are fully compliant with all security and privacy standards.
However, the platform must not only be privacy-secure itself. The IAM platform is an integral part of an organization’s end-to-end information security chain, and its functionality must directly help that chain as a whole meet the Privacy by Design principles. You can see this in HelloID’s built-in provisioning, service automation, and logging and reporting capabilities.

HelloID fully automates the provisioning chain for user accounts and access rights. HelloID supports a direct connection to HR and other source systems. As a result, the platform always has a person’s current role in the organization, authorizations, and competencies. Based on this, HelloID uses configurable business rules to ensure that every connected target system has the correct accounts and access rights at all times; accounts and rights that are no longer needed are removed immediately.

When importing HR data into HelloID, we ensure full compliance with GDPR/AVG guidelines. Social Security Numbers and salary data are not imported. In consultation with the customer and the HR vendor, we determine which data are imported, and for compliance, these data are also visible in the raw data view.

HelloID additionally secures the issuance of extra access rights. Requests and issuance can be automated, with the relevant managers providing online approvals. Proper separation of duties can be enforced, and rights can be granted for a limited time to prevent users from inadvertently accumulating access.

Finally, HelloID ensures that all requests and changes are logged. This enables not only usage reporting but also review of audit trails in the event of a data breach or other issues. HelloID provides all necessary input for internal security evaluations, external audits, and certification processes. Integrations with the organization’s SIEM system are also available.
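The provisioning chain described above (a filtered HR import, role-based business rules, time-limited extra rights, separation-of-duties checks, and a reconciliation run that yields an audit log) as an added Python sketch. This is illustrative code written for this page, not HelloID's implementation; the HR records, role names and entitlement names are constructed assumptions.

```python
from datetime import date

# Constructed HR feed (sample data, not from any real system). Fields outside
# ALLOWED_FIELDS, such as SSN and salary, must never reach the IAM platform.
HR_FEED = [
    {"id": "e100", "role": "nurse", "ssn": "000-00-0000", "salary": 50000, "active": True},
    {"id": "e200", "role": "clerk", "ssn": "000-00-0001", "salary": 30000, "active": True},
    {"id": "e300", "role": "nurse", "ssn": "000-00-0002", "salary": 52000, "active": False},
]
ALLOWED_FIELDS = {"id", "role", "active"}
# Business rules: role -> entitlements in connected target systems (hypothetical names).
ROLE_RULES = {"nurse": {"ehr:read", "ehr:write"}, "clerk": {"billing:read"}}
# Entitlement pairs one person may never hold together (separation of duties).
SOD_CONFLICTS = [frozenset({"billing:read", "billing:approve"})]
# Constructed snapshot of what the target systems currently hold, and approved
# temporary rights with their expiry dates.
CURRENT_RIGHTS = {"e100": {"ehr:read"}, "e300": {"ehr:read", "ehr:write"}, "e999": {"billing:read"}}
TEMPORARY_RIGHTS = {"e200": {"billing:approve": date(2024, 1, 31)}}

def import_hr(feed):
    """Keep only the permitted fields at the import boundary."""
    return {r["id"]: {k: v for k, v in r.items() if k in ALLOWED_FIELDS} for r in feed}

def desired_entitlements(person, temporary, today):
    """Role-based rights plus approved temporary rights that have not yet expired."""
    if not person["active"]:
        return set()                      # leaver: everything is removed
    base = set(ROLE_RULES.get(person["role"], set()))
    extra = {e for e, expires in temporary.items() if expires >= today}
    return base | extra

def reconcile(people, current, temporary, today):
    """Compare desired with actual rights; return the audit log of required changes."""
    log = []
    for pid, person in people.items():
        want = desired_entitlements(person, temporary.get(pid, {}), today)
        conflict = next((p for p in SOD_CONFLICTS if p <= want), None)
        if conflict:                      # flag for review rather than grant
            log.append((pid, "sod_conflict", "+".join(sorted(conflict))))
            continue
        have = current.get(pid, set())
        log += [(pid, "grant", e) for e in sorted(want - have)]
        log += [(pid, "revoke", e) for e in sorted(have - want)]
    for pid in sorted(set(current) - set(people)):   # account with no HR record
        log += [(pid, "revoke", e) for e in sorted(current[pid])]
    return log

if __name__ == "__main__":
    for entry in reconcile(import_hr(HR_FEED), CURRENT_RIGHTS, TEMPORARY_RIGHTS, date(2024, 2, 1)):
        print(entry)
```

Running it on 2024-02-01 grants the nurse's missing write right, provisions the new clerk, removes everything from the inactive nurse and from the orphaned account e999, and lets the expired temporary approval right lapse; a run dated before the expiry flags e200 as a separation-of-duties conflict instead of granting it.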