Privacy-by-Design through Systematic Privacy Impact Assessment - a Design Science Approach

A major problem for companies that develop and operate IT applications processing the personal data of customers and employees is to ensure the protection of this data and to prevent privacy breaches. Failure to adequately address this problem can result in considerable reputational and financial damage for the company as well as for the affected data subjects. We address this problem by proposing a methodology to systematically consider privacy issues in a step-by-step privacy impact assessment (a so-called ‘PIA’). Existing PIA approaches lack easy applicability because they are either insufficiently structured or imprecise and lengthy. We argue that by employing the PIA proposed in this article, companies will be enabled to realise ‘privacy-by-design’ as it is now widely heralded by data protection authorities. In fact, the German Federal Office for Information Security (BSI) ratified the approach we present in this article for the technical field of RFID and published it as a guideline in November 2011. The contribution of the artefacts we created is twofold: first, we provide a formal problem representation structure for the analysis of privacy requirements; second, we reduce the complexity of the privacy regulation landscape for practitioners who need to make privacy management decisions for their IT applications.
