The Privacy by Design Approach to Data Protection
The General Data Protection Regulation (GDPR) suggests several ways for organizations to approach data protection. One of them is the approach called Privacy by Design, set out in Article 25.
What does Privacy by Design mean, why is it important for the GDPR, and how can you implement it? Read the blog to find out.
What Is Privacy by Design?
Privacy by Design was first mentioned in a 1990 report published by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, defining Privacy by Design as the “philosophy and approach of embedding privacy into the design specifications of various technologies.”
Since then, it has become accepted as a best practice supported by data protection authorities worldwide.
Basically, Privacy by Design means incorporating data protection practices into projects, products, and technologies at the outset of the processes, and implementing a proactive approach to privacy.
Privacy By Design and the GDPR
In the GDPR, Privacy by Design appears as two requirements, referred to as “data protection by design” and “data protection by default,” both of which express the Privacy by Design approach.
Article 25 of the GDPR states: “The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
The Privacy by Design Approach of Different Jurisdictions
Many other privacy laws around the world generally follow the GDPR and also require implementing the Privacy by Design approach for personal data management. Quebec’s Law 25, South Korea’s PIPA, Switzerland’s FADP, Brazil’s LGPD, and other privacy laws require a built-in personal data protection system and/or the appointment of a person responsible for data protection.
Some jurisdictions expand the approach and call it privacy by design and by default or data protection by design and by default.
See the external links below for the requirements of different authorities on the Privacy by Design approach.
- European Union
European Commission: The GDPR mandates data protection by design and by default under Article 25.
German Data Protection Authority: Data protection by design.
European Data Protection Supervisor: Preliminary Opinion on privacy by design.
- UK
The UK Data Protection Authority: Data protection by design and default.
- Canada
Office of the Privacy Commissioner of Canada: Provides guidance on privacy rights and responsibilities, including resources on Privacy by Design.
- United States
Federal Trade Commission: Offers guidance on best practices for privacy and data security, including principles of Privacy by Design.
- Australia
Office of the Australian Information Commissioner: Offers Privacy by Design recommendations.
- International Standards
The International Organization for Standardization (ISO) has developed ISO 31700, a standard titled "Consumer protection: privacy by design for consumer goods and services." This standard provides guidelines for integrating privacy by design and by default principles into consumer products and services.
Why Should Companies Care about Privacy by Design?
First, the Privacy by Design principle is required by some data protection authorities.
For example, in November 2022, the Irish Data Protection Authority issued a €265 million fine against Meta, saying that Meta failed to comply with GDPR’s privacy by design and default.
Second, users are concerned about their data privacy and in most cases choose products or services based on the company’s attitude towards privacy.
2022 research by Google and Ipsos showed that neglecting users’ privacy damages satisfaction almost as much as a data breach does. 43% of individuals said that they would switch from their preferred brand to a new one if the latter offered a better privacy experience.
Overall, the Privacy by Design approach could have many benefits for companies:
- Comply with data privacy laws.
- Avoid data breaches and fines by data protection authorities.
- Avoid risk to brand reputation.
- Build users’ trust and confidence, standing out from the competitors.
Implementing Privacy by Design requires embedding data privacy in your company’s culture.
CookieScript Consent Management Platform can help you to comply with all major privacy laws, including the GDPR, avoid data breaches and fines by data protection authorities, and build users’ trust and confidence by respecting user privacy.
In 2024, users ranked CookieScript CMP on G2, a peer-reviewed website, as the best CMP for small and medium-sized companies.
The Seven Privacy by Design Principles
The concept of Privacy by Design is based on seven fundamental principles.
- Proactive not reactive; preventative not remedial
This privacy-first attitude requires taking a proactive rather than reactive approach. Instead of reacting to privacy risks when they materialize, companies should put adequate procedures and secure practices in place to identify privacy risks and prevent data breaches before they happen.
- Privacy as the default setting
Companies should design their systems with privacy-by-default features so that minimal effort is required to keep personal data safe, personal data is automatically protected, and there is little or no possibility of misusing the data. Such privacy features include data minimization, data encryption, anonymization, deletion of data when you no longer need it, etc.
- Privacy embedded into design
Companies should take a privacy-first approach, i.e. they should develop and implement a product, process, or system from the beginning, building privacy into design. For example, companies should use encryption and authentication, delete data when it is no longer needed, and regularly check for privacy risks.
- Full functionality – positive-sum, not zero-sum
Privacy should be a positive-sum goal, a “win-win” situation between the company and its customers, not a zero-sum goal. Companies shouldn’t trade off privacy against other functionality. They can have privacy, profit, and growth without sacrificing any of them. For example, it is not good practice to make access to certain features conditional on users handing over their data.
- End-to-end security – full lifecycle protection
Strong security measures are essential to privacy from start to finish. Companies should ensure data security throughout the full lifecycle of data, starting from data collection to sharing it with third parties, and finishing with data deletion.
For example, companies should only collect data that they need and for which they have a legitimate interest.
Likewise, companies should sign corresponding contracts with third parties regarding personal data management. Companies should use only approved devices and secure company networks for data transfer, avoiding insecure public networks when transferring personal data to third parties. They can establish internal policies to ensure that all employees are trained and know how to manage personal data.
- Visibility and transparency
Privacy by Design requires documenting and communicating privacy-related actions clearly, consistently, and transparently. Being open with users about your privacy policies and procedures builds trust in the company. Communicate procedures consistently through privacy policies. All information should be open and easy to understand. Companies should handle access to users’ data and any other data privacy request through user-friendly platforms.
- Respect for user privacy
Companies should be user-centric: they should implement strong privacy-by-default safeguards, offer user-friendly choices, and communicate privacy-related actions clearly.
For example, when they need user consent to process personal data, they should provide users with sufficient information that is clearly written and easy to understand, and should neither prevent users from using services if consent is not given nor try to trick them into giving consent by other means.
Checklists for Implementing Privacy by Design Approach
Read the comprehensive checklists for implementing the Privacy by Design approach. They are organized according to the 7 foundational principles of Privacy by Design.
- Proactive not reactive; preventative not remedial
Identify privacy risks early, integrating privacy reviews in project planning.
Conduct Privacy Impact Assessments (PIAs). Conduct PIAs at the design or concept stage.
Establish data breach response plans.
Schedule audits and regularly review system design.
- Privacy as the Default Setting
Collect minimal personal data.
Implement an opt-in consent model, not opt-out.
Implement user anonymization or pseudonymization by default.
Avoid pre-ticked checkboxes.
- Privacy Embedded into Design
Integrate privacy into product architecture.
Encrypt data and ensure secure communication channels.
Apply access controls.
Monitor data usage to detect anomalies or breaches.
- Full Functionality – Positive-Sum, Not Zero-Sum
Design solutions that support both privacy and functionality.
Implement privacy options that are user-friendly.
- End-to-End Security – Lifecycle Protection
Secure data from collection to deletion.
Don’t keep data longer than necessary.
Implement secure data sharing practices, such as secure APIs or encrypted data transfers.
Test system security regularly.
- Visibility and Transparency
Publish a clear Privacy Policy and make it easily accessible.
Use a cookie notice to inform users about data collection and processing practices.
Disclose third-party data sharing.
Maintain documentation of data flows, processes, and decisions.
- Respect for User Privacy – User-Centric Design
Offer granular consent.
Let users access, modify, and delete their data.
Avoid dark patterns.
Use CookieScript CMP, a professional and trusted CMP, to implement the Privacy by Design approach. It is a Google-certified CMP, recommended by Google to implement Google Consent Mode v2 and Google Tag Manager.
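As an added example (not code from the original post or from CookieScript), the Python sketch below turns the "Privacy as the Default Setting" and "End-to-End Security" items from the principles section and the checklist above into a data model: an allowlist for data minimization, opt-in consent with nothing pre-ticked, keyed pseudonymization of the identifier as Article 25 names it, and retention-based deletion. The key, allowed fields, retention period and sample records are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed placeholders. In production the key lives in a separate secret store,
# held apart from the pseudonymized data so the pseudonyms cannot be reversed by
# whoever holds the records (the GDPR's "additional information" kept separately).
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"
ALLOWED_FIELDS = {"email", "country"}   # data minimization: anything else is dropped on ingest
RETENTION = timedelta(days=30)          # don't keep data longer than necessary


def pseudonymize(identifier: str) -> str:
    """Keyed HMAC-SHA256: unlike a plain hash, it cannot be brute-forced or rainbow-tabled without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class UserRecord:
    user_pseudonym: str
    country: str
    created_at: datetime
    # Opt-in by default: every purpose starts False; nothing is pre-ticked.
    consent: dict = field(default_factory=lambda: {"analytics": False, "marketing": False})


def ingest(raw: dict, now: datetime) -> UserRecord:
    """Keep only allowlisted fields; the clear-text email never enters storage."""
    minimal = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    return UserRecord(user_pseudonym=pseudonymize(minimal["email"]),
                      country=minimal.get("country", "unknown"), created_at=now)


def purge_expired(records: list, now: datetime) -> list:
    """Lifecycle protection: drop every record older than the retention period."""
    return [r for r in records if now - r.created_at < RETENTION]


def demo() -> dict:
    """Constructed walk-through: a fresh signup carrying an unrequested field, plus one stale record."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    fresh = ingest({"email": "Alice@Example.com", "country": "LT", "phone": "+370 600 00000"}, now)
    stale = ingest({"email": "bob@example.com"}, now - timedelta(days=31))
    kept = purge_expired([fresh, stale], now)
    return {"fields": sorted(vars(fresh)), "consent": fresh.consent,
            "kept": [r.user_pseudonym for r in kept]}
```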
Frequently Asked Questions
What Is Privacy by Design?
Privacy by Design means incorporating data protection practices into projects, products, and technologies at the outset of the processes, and implementing a proactive approach to privacy. It is a good practice for GDPR compliance. Use CookieScript CMP to comply with the GDPR and other privacy laws.
Why should companies care about Privacy by Design?
First, the Privacy by Design principle is required by some data protection laws and authorities, such as the GDPR, in order to comply with data privacy law. Second, users are concerned about their data privacy and in most cases choose services based on the company’s attitude towards privacy. CookieScript CMP can help you to protect user privacy and comply with all major privacy laws.
Does GDPR require Privacy by Design?
Article 25 of the GDPR requires Privacy by Design. Specifically, it requires making privacy the default setting, taking a privacy-first approach, building privacy into the design, and using technical and organizational features to protect EU citizens’ privacy and comply with the GDPR, like data minimization, data encryption, anonymization, deletion of data when you no longer need it, etc. CookieScript CMP can help you to comply with the GDPR and other privacy laws.
What are the principles of Privacy by Design?
The concept of Privacy by Design is based on seven principles: proactive not reactive; privacy as the default setting; privacy embedded into the design; full functionality – positive-sum, not zero-sum; end-to-end security – full lifecycle protection; visibility and transparency; and respect for user privacy. Read CookieScript blog to be updated on privacy laws and new regulations.