Privacy by Design
Privacy by design is the principle of building data protection into systems and processes from the outset. GDPR Article 25 makes it a legal requirement. You must consider data protection at the design stage, not as an afterthought.
What is privacy by design?
Privacy by design (data protection by design) is codified in GDPR Article 25(1). It requires data controllers, both when deciding how processing will be carried out and during the processing itself, to implement appropriate technical and organisational measures (the Article names pseudonymisation as an example) that are designed to implement the data protection principles, such as data minimisation, effectively and to integrate the necessary safeguards into the processing.
The concept was originally developed in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada. The GDPR turned it into a binding legal requirement when it became applicable on 25 May 2018.
In practice, it means you must consider data protection from the start of any project, system or process that involves personal data. It is cheaper and more effective to build protection in from the beginning than to retrofit it afterwards.
Privacy by default
Article 25(2) supplements this with privacy by default (data protection by default). The default settings in your systems must be the most privacy-protective option, without the user having to do anything. The obligation covers the amount of personal data collected, the extent of processing, the storage period and who can access the data:
- Only the personal data necessary for each specific purpose is processed by default (data minimisation)
- Data is not made accessible to an indefinite number of persons without the individual's own intervention
- Data is not retained longer than necessary for the purpose
- Data is not publicly accessible by default
A practical example: when a user creates a profile, its visibility must default to "private", not "public". The user can then choose to make it public.
The foundational principles
Privacy by design is built on seven foundational principles that you can use as a checklist:
- Proactive, not reactive: Anticipate and prevent privacy problems before they occur.
- Privacy as the default: Maximum protection without user action.
- Embedded into design: Privacy protection is part of the system's core, not an add-on.
- Full functionality: Privacy protection must not come at the expense of functionality (positive-sum, not zero-sum).
- End-to-end security: Protection throughout the entire data lifecycle, from collection to secure deletion.
- Visibility and transparency: Let stakeholders verify that privacy protection has been implemented.
- Respect for the user: Place the user's interests at the centre.
Implementation in practice
Concrete steps for implementing privacy by design:
- Involve your data protection officer (DPO) early in new projects and system procurements
- Screen every new system that processes personal data, and carry out a data protection impact assessment (DPIA, Article 35) where the processing is likely to result in a high risk
- Implement data minimisation in all forms and data collection points: collect only the fields the purpose needs and discard the rest
- Apply pseudonymisation and encryption as standard measures; Article 25(1) names pseudonymisation explicitly
- Build automatic deletion routines in from the outset, tied to a defined retention period for each purpose
- Ensure access control on the "need-to-know" principle, so that each role sees only the data it requires
- Document your design choices in your record of processing activities (Article 30) and in the DPIA
Privacy by design directly supports processing security and reduces the risk of data breaches. It also makes it easier to comply with data subject rights, because the systems are designed for it from the start.
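The following is an added example, not code from .legal or from any specific product, showing how the "private by default" profile described above and the measures in the implementation list look when built into a small user-profile store: a whitelist of the fields the sign-up purpose needs (data minimisation), a keyed pseudonym instead of the e-mail address as the record key (pseudonymisation), a visibility setting that defaults to "private", a need-to-know view function, and a deletion routine driven by a retention period. All names, field sets and the 30-day retention period are assumptions chosen for illustration.

```python
"""Privacy-by-design profile store (added example; all names and the
retention period are assumptions, not a real product's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Data minimisation: the only fields the "create profile" purpose needs.
# Anything else the form sends (phone number, date of birth, ...) is dropped.
ALLOWED_SIGNUP_FIELDS = frozenset({"email", "display_name"})

# Retention: assumed policy of 30 days after a profile is closed.
RETENTION_AFTER_CLOSE = timedelta(days=30)


@dataclass
class Profile:
    pseudonym: str                 # keyed pseudonym, used as the record key
    email: str                     # only the owner ever gets this back
    display_name: str
    visibility: str = "private"    # privacy by default: user must opt in to "public"
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    closed_at: Optional[datetime] = None


def minimise(submitted: dict) -> dict:
    """Keep only the fields the purpose needs; everything else is discarded."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_SIGNUP_FIELDS}


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of a direct identifier under a secret key.

    Without the key the pseudonym cannot be linked back to the e-mail, which
    is what makes this pseudonymisation (GDPR Art. 4(5)) rather than a plain
    hash that an attacker could reverse by hashing guessed addresses.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


class ProfileStore:
    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key          # keep separate from the profile data
        self._profiles: dict[str, Profile] = {}

    def create(self, submitted: dict) -> Profile:
        data = minimise(submitted)
        missing = ALLOWED_SIGNUP_FIELDS - set(data)
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        profile = Profile(pseudonym=pseudonymise(data["email"], self._key), **data)
        self._profiles[profile.pseudonym] = profile
        return profile

    def view(self, pseudonym: str, viewer: Optional[str]) -> dict:
        """Need-to-know: the owner sees their own record, other users see the
        display name only if the owner opened the profile up, and nobody else
        ever sees the e-mail address. `viewer` is the caller's pseudonym or
        None for an anonymous visitor."""
        profile = self._profiles[pseudonym]
        if viewer == profile.pseudonym:
            return {"display_name": profile.display_name,
                    "email": profile.email,
                    "visibility": profile.visibility}
        if profile.visibility == "public":
            return {"display_name": profile.display_name}
        return {}

    def close(self, pseudonym: str, now: Optional[datetime] = None) -> None:
        self._profiles[pseudonym].closed_at = now or datetime.now(timezone.utc)

    def purge_expired(self, now: Optional[datetime] = None) -> list[str]:
        """Automatic deletion routine: remove profiles past their retention
        period. Returns the pseudonyms deleted so the run can be logged."""
        now = now or datetime.now(timezone.utc)
        expired = [k for k, p in self._profiles.items()
                   if p.closed_at is not None and now - p.closed_at >= RETENTION_AFTER_CLOSE]
        for k in expired:
            del self._profiles[k]
        return expired


if __name__ == "__main__":
    store = ProfileStore(secrets.token_bytes(32))
    # Constructed sign-up submission; "phone" is not needed and is dropped.
    alice = store.create({"email": "Alice@example.org",
                          "display_name": "alice",
                          "phone": "+45 00000000"})
    print(store.view(alice.pseudonym, viewer=None))            # {} (private by default)
    print(store.view(alice.pseudonym, viewer=alice.pseudonym))  # owner sees own record
```

Two design choices worth noting: the pseudonymisation key is held by the store and never written next to the profiles, since pseudonymised data is still personal data for anyone who holds the key; and `purge_expired` takes the current time as a parameter, which makes the retention rule testable and lets a scheduled job run it with a fixed reference time.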
Frequently Asked Questions about Privacy by Design
What is privacy by design?
Privacy by design is the principle of integrating data protection into the design and architecture of systems and processes from the outset. It is a legal requirement under GDPR Article 25, requiring data controllers to implement appropriate technical and organisational measures at the design stage.
What is the difference between privacy by design and privacy by default?
Privacy by design is about building data protection in from the start of the design process. Privacy by default is about ensuring that the default settings are always the most privacy-protective. Only the data necessary for the specific purpose should be processed by default.
Is privacy by design a legal requirement?
Yes. GDPR Article 25 makes privacy by design and privacy by default legal requirements. Data controllers must implement appropriate technical and organisational measures designed to implement data protection principles effectively.
How do you implement privacy by design?
Start by integrating data protection into your project process. Involve your DPO early, carry out data protection impact assessments for new systems, implement data minimisation and pseudonymisation, and ensure that default settings are privacy-protective.
Related Terms
Data Minimisation
Data minimisation is a GDPR principle requiring that you only collect personal data that is adequate, relevant and limited to what is necessary.
Processing Security
Processing security covers the technical and organisational measures that protect personal data against unauthorised access, loss and destruction under GDPR Article 32.
GDPR
The EU's General Data Protection Regulation (Regulation 2016/679), governing the processing of personal data and establishing rights for data subjects.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
.legal is not a law firm and is therefore not under the supervision of the Bar Council.