“Privacy by Design” is a concept implemented to ensure data protection in the European Union, and it provides some valuable guidance to ensuring that you comply effectively and efficiently.

It is a concept that states that organisations must consider privacy concerns at the outset of data processing practices, rather than applying features retroactively. This means that data protection is already integrated into a system or procedure when it is created.

There are 7 fundamental principles to this:


The approach is characterized by proactive rather than reactive measures. It anticipates and acts to prevent compromise before this happens, for example, preventing data breaches from happening in the first place.

This should be applied to information technologies as well as organisational practices, early and consistently. You should recognize poor designs, anticipate poor practices and outcomes, and correct any failures, well before they occur in a pro-active, systematic, and innovative way.

For this approach to be effectively applied, it must be supported by a clear commitment at the highest levels and throughout the organisation to set and enforce the standards in a culture of continuous improvement.


The approach aims to deliver the maximum degree of security by ensuring that personal information is automatically protected in any given IT system or business practice. The design ensures that no action will be required to protect the information, as this will be built in by default.


The idea is that security is embedded into the architecture of your IT systems and business practices. The result is that the appropriate level of security becomes an essential component of the core functionality, is integral to the system, and does not diminish functionality.


Privacy by Design should seek to satisfy all of your organization’s legitimate objectives, and not just data security. When embedding this into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and the organisation’s requirements are optimised.

To achieve this, objectives must be clearly identified, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution that enables multi-functionality.


The approach extends throughout the entire lifecycle of the data involved. This ensures secure lifecycle management of information, end-to-end. There should be no gaps in either protection or accountability. Standards should provide assurance of confidentiality, integrity and availability of personal data throughout its lifecycle.


Visibility and transparency are essential to establishing accountability and trust. Openness and transparency are key to accountability. Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification.


You should keep the interests of the data subject uppermost by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options. Furthermore, where you are able to empower data subjects to play an active role in managing their own personal information, aside from addressing the requirements of consent, accuracy, and access, this may also be an extremely effective control against abuses and misuses of privacy and personal data.