Privacy by design

Privacy by design is a set of principles for designing and operating software that broadly speaking can be said to implement the principles for data protection, such as data minimisation, limited data storage periods and purpose limitations. 

The GDPR states specifically that the data controller should adopt internal policies and implement measures which in particular meet the principles of data protection by design and data protection by default (“privacy by design” for short here) in order to be able to demonstrate compliance with the regulation. 

This makes privacy by design very important for Visma as a service provider too. We have implemented about thirty non-functional requirements, guidelines and/ or recommendations that have been adopted specifically for software development based on the recommendations provided by the data inspectorate.

These are categorised as:

  • Purpose, minimisation and proportionality
  • Data deletion
  • Data export and return
  • Data restore
  • Customer guidance
  • Automated decision making
  • Pseudonymisation and anonymisation
  • Consent from data subject

These requirements and recommendations range from the simple “does the application process only the minimum personal data required to function” and whether roles in the system can be configured to only have access to relevant data, to more complex and particular requirements for the deletion of data when a customer relationship is terminated, and methodological guidelines for various anonymisation- techniques.