Understanding Privacy by Design
Privacy by design means applying privacy principles and controls throughout the entire lifecycle of a product or system.
Since the concept emerged in 1995 as a set of seven principles, versions of privacy by design have been adopted by the International Standards Organization (ISO) in its ISO 31700-1:2023 framework—and by the EU in its General Data Protection Regulation (GDPR).
With new privacy and data protection laws passing all over the world, forward-thinking companies are “baking in” privacy. Privacy by design can help reduce risk, enhance trust, and create sustainable, long-term growth.
Defining 'Privacy by Design' in a Technical Context
Privacy by design is, essentially, an approach to systems engineering. Privacy by design principles can help guide engineering and development teams as they build products and manage data.
In this context, “design” extends beyond the initial stages of building a product. Privacy by design applies at all stages, across all systems—from developing your company’s internal processes to providing ongoing product maintainance.
Each stage of the development lifecycle presents opportunities for applying privacy by design.
Here are a few examples in the software development context. Privacy by design can help you:
- Understand early on what types of personal data your product will collect and why. Personal data includes direct identifiers, such as the user’s name or email address, and indirect identifiers, such as device IDs, IP addresses, or phone numbers.
- Eliminate any unnecessary collection of personal data and ensure users can keep their personal data private by default. “Data minimization” is at the core of privacy by design.
- Fix data leaks by removing unnecessary third-party code and obtaining consent for data-sharing where appropriate. Throughout the product lifecycle, scan your code to understand how data flows from the user to third parties.
- Implement technical measures such as encryption and pseudonymization. Employ data mapping techniques to sort and separate sensitive data.
In January 2023, the world’s leading standards-setting body, ISO, adopted a privacy-by-design standard: ISO 31700-1:2023. This framework provides controls for implementing privacy by design across both technical and organizational contexts.
Principles of Privacy by Design
The original privacy by design model was developed by Canadian privacy champion Anne Cavoukian. This version of privacy by design centers around the following seven principles:
- Proactive, Not Reactive; Preventative, Not Remedial
- Privacy as Default
- Embedding Privacy into Design
- Full Functionality — Positive-Sum, Not Zero-Sum
- End-to-End Security — Full Lifecycle Protection
- Visibility and Transparency — Keep It Open
- Respect User Privacy — Keep It User-Centric
Later privacy-by-design models have changed and expanded these principles, but the seven original principles remain a great model for implementing privacy by design.
Let’s consider each privacy-by-design principle in turn, with examples of how they apply in practice.
Proactive, Not Reactive; Preventative, Not Remedial
Prevention is better than cure. Privacy by design means anticipating privacy issues and preventing them—not fixing problems once they arise.
Example: A company is developing a ticket-booking app that provides notifications for local concerts based on the user’s current city. Collecting precise geolocation information is particularly risky as it can reveal sensitive information about the user’s personal life.
Anticipating this, the developers collect coarse location data at the city level only, and provide an option for the user to enter their location manually. The information is deleted each session unless the user asks the app to remember their location.
Privacy as the Default Setting
You should always assume the user does not want you to collect or use their data. By default, a a product or service should only process personal data if necessary to deliver a service that the user has requested.
Example: An exercise tracking app runs in two modes: Private—where workout history and results are visible only to the user—and Public—where leaderboards show which users have the best running times across popular local routes.
The app should run in Private mode by default, with Public mode available for users who opt in.
Embedding Privacy into Design
Privacy should be at the core of every system, not bolted on as an afterthought. Make privacy a part of the conversation throughout the entire system development lifecycle, from planning to maintenance.
Example: A company is planning a local government project to analyze the number of cars passing through key areas of a city. From the outset, the company should consider how to minimize the project’s privacy impact.
For example, can the company distinguish individual cars without identifying drivers? How can the company notify the public about the data it collects? Can the company deidentify data once it’s collected? When and how will the company delete the data?
Full Functionality — Positive-Sum, Not Zero-Sum
The privacy-by-design philosophy treats privacy as a win-win. An organization should aim to leverage privacy to deliver its finished product—not expect trade-offs between privacy and useability.
Example: A company uses marketing cookies on its website, which require the company to obtain consent from users in certain jurisdictions.
The website has an intrusive cookie pop-up that prevents users from accessing the page unless they accept cookies. Employing the “full functionality” principle, the company replaced the pop-up with a non-intrusive cookie banner offering users a free choice.
The win-win: While the proportion of users accepting cookies goes down, the overall number of users accepting cookies goes up as more people visit and remain on the fully-functioning website.
End-to-End Security — Full Lifecycle Protection
Security and privacy overlap and intertwine. The “end-to-end security” principle means keeping personal data secure from collection to deletion and at every stage between.
Example: A marketplace app for selling used clothing allows users to message each other.
The company should consider preventing users from seeing unnecessary information about each other, securing its payment process, encrypting personal messages, storing personal data securely, and developing a breach notification policy, among other things.
Visibility and Transparency — Keep It Open
Be honest and open about your data processing practices. Transparency builds trust. If you’re worried about spooking your users, consider whether you’re using their personal data in a fair and ethical way.
Example: A banking app requests its customers’ date of birth for legitimate security and know-your-customer purposes. The bank implements a “just in time” notice alongside the web form, explaining why the bank requires the data and how it will be used.
Respect User Privacy — Keep It User-Centric
Privacy by design means keeping the user’s privacy and other rights in mind at all times. When assessing whether you need to collect or use personal data, approach the question from the user’s perspective.
Example: A productivity app lets users block time-wasting websites. The provider wants to understand its user base by analyzing which websites each user blocks. The marketing team says collecting this data will benefit users in the long term by helping to attract investment.
However, collecting this data is unnecessary from the user’s perspective and would go against many users’ reasonable expectations. Therefore, the company should consider different approaches to learning about its user base—or at least turn this functionality off by default.
Privacy by Design within GDPR's Framework
A version of privacy by design is a legal requirement under the GDPR, which applies across all countries in the European Economic Area (EEA) and the UK.
Here’s the full Article 25 of the GDPR, “Data protection by design and by default”:
This section of the GDPR requires “controllers” (who decide how and why to collect or use personal data) to implement “data protection by design” and “data protection by default”, which are similar to the classic “privacy by design” principles.
Privacy By Design Under the GDPR
The GDPR’s version of “privacy by design”—“data protection by design”—is all about taking “technical and organizational measures”: Safeguards, policies, and techniques designed to safeguard people’s privacy and other rights.
According to Article 25 (1) of the GDPR, you must implement appropriate technical and organizational measures both:
- When deciding how to process personal data, and
- When processing personal data.
These technical and organizational measures must:
- Effectively implement the GDPR’s principles of data protection, including data minimization, and
- Integrate any safeguards needed to comply with all relevant aspects of the GDPR.
When deciding which technical and organizational measures to employ, you must consider the following factors:
- The “state of the art” (the current level of technical development),
- How much they will cost to implement,
- The nature, scope, context, and purposes of the processing (this could include the types of data collected, the amount of data, the number of users, and your relationship with your users),
- The risks to individuals’ “rights and freedoms” (including privacy, freedom of expression, and any other relevant rights), both in terms of:
- How likely it is that risks will arise, and
- How serious the consequences would be if the risks arose.
The GDPR only gives one example of a “technical measure” for achieving data protection by design: “pseudonymization”, which involves removing identifiers from a dataset and storing them separately.
Privacy By Default Under the GDPR
The GDPR’s version of “privacy by default”—”data protection by default”—also revolves around technical and organizational measures. This time, such measures help give users more control over the amount of personal data controllers collect.
Under Article 25 (2) of the GDPR, you must implement appropriate technical and organizational measures to ensure that you only process the personal data necessary for a specific purpose.
The principle of data protection by default applies to:
- The amount of personal data you collect,
- The extent of the processing (i.e, what you do with the data),
- How long you store the data, and
- Who can access the data.
It’s particularly important to ensure that, by default, personal data is not made accessible to an “indefinite” number of people unless the user enables this.
Privacy by Design vs Privacy by Default
“Privacy by design” and “privacy by default” overlap. But it’s useful to understand how these two concepts differ. So let’s contrast them across some key areas.
Privacy by design | Privacy by default | |
Core definition | Integrating privacy into the core of your systems, products, and operations. | Applying the most privacy-protective settings by default. |
Practical application | Respecting users’ privacy at every stage of design, development, distribution, and maintenance. | Offering users real choices about how you collect, share, and use their personal data. |
Security | Selecting the highest appropriate security standards throughout the design process relative to factors such as the current state of technology, cost, user expectations, and risk. | Applying strong security by default across all areas of your systems, products, and operations. |
Access controls | Implementing access controls to ensure that people can only access personal data if it is necessary for them to do so. | Enabling the user to control which third parties have access to their personal data, where appropriate, and never making personal data public unless the user requests it. |
User experience | Designing your product so users can experience its full functionality while maintaining their privacy. | Ensuring that the product still functions correctly in its default, most privacy-protective state. |
Privacy-enhancing technologies (PETs) | Employing privacy-enhancing technologies (PETs) to protect personal data during collection, use, and sharing. | Only collecting the minimum personal data necessary for a specific purpose, regardless of any PETs applied after the data is collected. |
Transparency | Integrating openness and transparency into product design via “just-in-time” notices and pop-ups. | Ensuring that the user is not overwhelmed with notices and consent requests if they choose to maintain the default privacy settings. |
Conclusion
The “privacy by design” model has been helping organizations integrate privacy into their operations for nearly 30 years.
The principles of privacy by design require that you:
- Proactively anticipate and prevent privacy violations.
- Make “privacy” the default setting.
- Embed privacy throughout every stage of the design process.
- Ensure your product is fully functional even with privacy settings enabled.
- Employ end-to-end security controls.
- Act with openness and transparency at all times.
- Always consider the user’s perspective.
Remember: Privacy (or data protection) by design and by default is a legal requirement under the GDPR.
Further Reading and Technical Resources
- Anne Cavoukian: Privacy by Design: The 7 Foundational Principles
- International Standards Organization (ISO): ISO/DIS 31700 Consumer protection — Privacy by design for consumer goods and services
- European Data Protection Board (EDPB): Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
FAQs
1. What does "privacy by design" mean?
- "Privacy by design" refers to the proactive integration of privacy considerations into all stages of product or system design and development.
2. What is "privacy by design"?
- It's an approach that emphasizes embedding privacy principles from the outset of any system, product, or process development, rather than adding them later.
3. How is "privacy by design" implemented?
- This can be done by following its foundational principles, such as proactively addressing potential issues, ensuring privacy defaults, and embedding privacy throughout the entire lifecycle of projects.
4. What are "privacy by design" and "privacy by default"?
- While "privacy by design" is about embedding privacy considerations throughout the design process, "privacy by default" ensures that the default settings of a product or service are the most privacy-friendly.
5. What is the GDPR's take on "privacy by design"?
- The GDPR mandates a similar approach called "Data protection by design and by default," legally requiring companies operating in the EU to integrate data protection principles into their processes.
6. What are the principles of "privacy by design"?
- The principles emphasize proactivity, privacy as a default setting, full lifecycle security, transparency, and always prioritizing the user's privacy.
7. When is "privacy by design" used?
- It should be used throughout the entire development and operational lifecycle of any product, system, or service that deals with personal data.
8. When should "privacy by design" be implemented?
- It should be implemented from the very beginning or outset of any system or product development and continued throughout its lifecycle.
9. Why should we care about "privacy by design"?
- It helps in anticipating and preventing privacy breaches, maintaining user trust, and meeting legal and ethical obligations.
10. How do "privacy by design" and "privacy engineering" operate together?
- While "privacy by design" offers a foundational framework and principles, "privacy engineering" provides the technical methodologies, tools, and practices to actualize and ensure those principles in real-world systems.
11. Which of these are foundational principles of "privacy by design"?
- The foundational principles include being proactive, ensuring privacy as a default setting, embedding privacy from the outset, end-to-end security, transparency, and always considering the user's perspective.
12. When should privacy by design be implemented?
- Privacy by design should be implemented at every stage of the systems development life cycle. You should apply the privacy by design principles from the first step of developing a product to the final step—and at each stage in between.
13. Why should we care about privacy by design?
- From your organization’s perspective, you should care about privacy by design because it can improve your development processes, increase efficiency, reduce risk, and enhance customer trust. Getting privacy right from the outset means making better products and growing a healthier business.
14. How do privacy by design and privacy engineering operate together?
- Privacy by design and privacy engineering go hand in hand—privacy engineering can help automate core privacy-by-design processes such as data minimization, storage limitation, and data security. Privacy by design requires that you consider privacy enhancements at every stage of development. Implementing privacy engineering techniques such as encryption, code scanning, and data flow modelling is vital to meet this requirement.
15. What are the foundation principles of privacy by design?
- The foundation principles of privacy by design are as follows:
- Proactive, Not Reactive; Preventative, Not Remedial
- Privacy as Default
- Embedding Privacy into Design
- Full Functionality — Positive-Sum, Not Zero-Sum
- End-to-End Security — Full Lifecycle Protection
- Visibility and Transparency — Keep It Open
- Respect User Privacy — Keep It User-Centric
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has covered and has been working in the field since 2017.