11.1 Privacy by Design

Module 11: Privacy for Organizations & Developers

Explains Ann Cavoukian's 7 Foundational Principles of Privacy by Design and their embedding in GDPR Art. 25, contrasting a proactive privacy-first approach with mere compliance.

Privacy by Design

Imagine building a house where security is bolted on as an afterthought — locks fitted after the walls are up, alarms wired around existing rooms. Now imagine designing security into the blueprint from day one: reinforced doors, integrated alarm zones, sight lines that eliminate blind spots. Privacy by Design is the second approach applied to information systems.

The origin and the principles

Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada, developed Privacy by Design in the 1990s as a response to the limitations of compliance-only privacy frameworks. The core insight: privacy cannot be ensured solely by regulation after the fact. It must be embedded into the technology and organisational practice from the start. In 2010, the International Assembly of Privacy Commissioners adopted Privacy by Design as an international standard, and in 2018, the European Union codified it into law through GDPR Article 25.

Cavoukian identified seven foundational principles:

  1. Proactive not reactive; preventative not remedial — Anticipate and prevent privacy-invasive events before they happen rather than responding after the fact.
  2. Privacy as the default setting — If a user takes no action, their privacy should remain protected. Maximum privacy should be automatic, not something users must opt into.
  3. Privacy embedded into design — Privacy is integral to system architecture, not added as a feature. It shapes the data model, workflows, and interfaces.
  4. Full functionality — positive-sum, not zero-sum — Privacy need not trade off against security or usability. Good design achieves both. "All-wins" rather than "all-or-nothing."
  5. End-to-end security — Strong security protections applied throughout the entire data lifecycle: collection, processing, storage, retention, and deletion.
  6. Visibility and transparency — Keep systems open to verification. Users and stakeholders can independently confirm that privacy commitments are actually being kept.
  7. Respect for user privacy — Keep systems user-centric: offer strong privacy defaults, give users meaningful control, and design interfaces that respect their interests.

What this looks like in practice

A newsletter signup form built with Privacy by Design collects an email address — nothing else. Date of birth is not requested because it is not needed. The form uses HTTPS. Unsubscribers are deleted, not merely flagged inactive. Audit logs can confirm the deletion happened. By contrast, a compliance-only approach might collect everything a legal counsel thinks is defensible, then ask the privacy team to review it six months later.
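The signup form just described, written out as a small subscriber store so the design decisions are visible in code. This is an added example, not part of the original learning material: the class and method names, the HMAC-keyed pseudonym used in the audit log, and the sample address are assumptions of the example. It collects only an email address, defaults the one optional preference (open-tracking pixels) to off, hard-deletes on unsubscribe, and lets an auditor confirm the deletion from a log that itself holds no address.

```python
"""Minimal newsletter subscriber store applying Privacy by Design:
collect only the email, default every optional preference to the most
private setting, hard-delete on unsubscribe, and keep an audit trail
that confirms the deletion without retaining the address."""
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example key. In a real deployment this would live in a
# secrets manager, separate from the subscriber database, because whoever
# holds it can re-link audit entries to addresses.
AUDIT_PSEUDONYM_KEY = b"example-audit-key-not-for-production"


@dataclass(frozen=True)
class AuditEvent:
    at: str           # ISO-8601 UTC timestamp
    action: str       # "subscribed" or "deleted"
    subject_ref: str  # keyed hash of the address, so the log holds no email


def subject_ref(email: str) -> str:
    """Pseudonymous reference for the audit log: HMAC-SHA256 of the
    normalised address. Without the key the log cannot be mapped back to
    an email, so removing the subscriber record is a real deletion."""
    digest = hmac.new(AUDIT_PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


class NewsletterStore:
    def __init__(self) -> None:
        # The whole data model: one address and one preference per subscriber.
        # No date of birth, no name, no IP address: nothing the newsletter does not need.
        self._subscribers: dict[str, dict] = {}
        self.audit_log: list[AuditEvent] = []

    def _record(self, action: str, email: str) -> None:
        self.audit_log.append(AuditEvent(
            at=datetime.now(timezone.utc).isoformat(),
            action=action, subject_ref=subject_ref(email)))

    def subscribe(self, email: str, *, open_tracking: bool = False) -> None:
        """Only an email address is required. The single optional preference
        defaults to off (privacy as the default setting). There is no **kwargs,
        so extra fields cannot silently creep into the stored record."""
        key = email.strip().lower()
        if "@" not in key:
            raise ValueError("not an email address")
        self._subscribers[key] = {"open_tracking": open_tracking}
        self._record("subscribed", key)

    def unsubscribe(self, email: str) -> bool:
        """Hard delete. The compliance-only pattern of setting
        record['active'] = False keeps the address indefinitely; here the
        record is removed and only the pseudonymous audit event remains."""
        key = email.strip().lower()
        if key not in self._subscribers:
            return False
        del self._subscribers[key]
        self._record("deleted", key)
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self._subscribers

    def tracking_enabled(self, email: str) -> bool:
        rec = self._subscribers.get(email.strip().lower())
        return bool(rec and rec["open_tracking"])

    def verify_deletion(self, email: str) -> bool:
        """What an auditor checks: the record is gone AND the log shows a
        deletion for that subject. An address that was never subscribed
        has no deletion event, so it verifies as False."""
        key = email.strip().lower()
        ref = subject_ref(key)
        gone = key not in self._subscribers
        logged = any(e.action == "deleted" and e.subject_ref == ref for e in self.audit_log)
        return gone and logged

    def stored_fields(self) -> set[str]:
        """Inventory of every field the store holds, for a data-minimisation review."""
        fields = {"email"}
        for rec in self._subscribers.values():
            fields.update(rec)
        return fields


if __name__ == "__main__":
    store = NewsletterStore()
    store.subscribe("Alice@Example.org")  # constructed sample address
    store.unsubscribe("alice@example.org")
    print("deletion verified:", store.verify_deletion("alice@example.org"))
    print("log contains raw address:", any("alice" in e.subject_ref for e in store.audit_log))
```

The keyed hash is the part to think about in review: it is what keeps the audit log from becoming a second copy of the mailing list, and the key is therefore the re-identification secret. If the log and the key sit in the same place, the deletion is only nominal.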

GDPR Art. 25 — the legal obligation

GDPR Article 25 makes Privacy by Design and Privacy by Default legally binding for any organisation that processes data of EU residents. Data protection must be considered at the point of designing the processing — not retrofitted. Supervisory authorities can and do audit technical implementations; fines for Art. 25 failures compound with other violations.

Your takeaway

Privacy by Design reframes privacy from a cost (compliance paperwork) into a quality attribute of good engineering. An organisation that builds privacy in from the start reduces its breach surface, builds user trust, and is far better positioned when regulators or journalists come asking questions.
