September 17, 2022

What Does the Phrase "Privacy by Design" Mean?

Modern data protection laws include a fundamental principle known as "Privacy by Design." It is recommended that innovative technologies adopt it in order to comply with data protection laws. This article explains where this concept came from, what it means, and how to apply it.

In the era of rapid technological advancements, where massive social media companies have access to the personal data of billions of users and data breaches are common, privacy has become a hotly debated topic. Laws are being enacted around the world to govern how personal data is collected and processed. These laws concentrate on the steps that businesses, including technology firms, must take to remain compliant. 

"Privacy by Design" is a key concept in some data protection laws. This concept has been around for a while, but it only recently gained popularity following the implementation of the EU's General Data Protection Regulation (GDPR)

The concept of "Privacy by Design" was introduced in the 1990s. The 32nd International Conference of Data Protection and Privacy Commissioners (now Global Privacy Assembly), a forum that has provided international leadership in data protection and privacy since 1979, made it an international standard in 2010. 

The rationale behind the Privacy by Design principle is that privacy cannot be guaranteed simply by adhering to regulatory frameworks. Instead, businesses should make privacy assurance their default mode of operation. A product or service user is not required to do anything to protect their privacy. In other words, data privacy and security should be proactive rather than reactive, and preventive rather than remedial. 

Privacy by Design in the GDPR

This principle is referred to as "data protection by design" in the GDPR. The phrase "data protection through technology design" implies the same meaning. This means that organizations must consider privacy and data protection concerns when designing and building products and services, rather than retroactively implementing these features after the products and services are in use. Privacy protection, according to this concept, should not be viewed as an afterthought, but should be prioritized from the start of developing products or services. 

GDPR expressly states that privacy by design is required. To comply with the regulation and protect the rights of data subjects, organizations must implement technical and organizational measures at the earliest stages of the design of processing operations that safeguard privacy and data protection principles from the start. The following steps can be taken to implement the Privacy by Design principle: 

  • Thinking about data protection before engaging in any data-related activity
  • Designing processes and products to minimize the use of personal data for the specific purpose 
  • Having data security as a top priority
  • Data minimization
  • The minimum necessary data retention period

Other technologies, such as cutting-edge encryption techniques, could achieve Privacy by Design given the available technology and implementation costs. Aside from technical measures, Privacy by Design necessitates the adoption and implementation of organizational measures. This could include performing a Data Processing Impact Assessment (DPIA) (see DPIA templates) and appointing a Data Protection Officer (DPO) at the outset of the processing operations' design. 

Privacy by Design in Other Privacy Laws

The GDPR included Privacy by Design, which was followed by other data protection laws, such as the Brazilian LGPD. The latter, on the other hand, does not use "Privacy by Design" or "data protection by design." According to the LGPD, "security, technical, and administrative measures to protect personal data must be implemented from the product or service's conception phase until its execution." 

Most data protection laws do not yet include provisions for privacy by design. Many countries, however, promote it as one of the most recommended practices for protecting online privacy. 

It has been recommended, for example, by the US Federal Trade Commission (FTC) and Canada's Privacy Commissioner. In its Final Commission Report on Protecting Consumer Privacy, the FTC urged businesses to implement best privacy practices, including Privacy by Design. 


Technology is advancing at an alarming rate. Businesses must consider implementing the Privacy by Design principle in order to comply with data protection laws and ensure data subjects' rights are protected. It will not only save businesses from large fines, but it will also foster trust between businesses and their customers.

Want to become certified in Data Privacy? Take our General Awareness Data Privacy Course and Become Certified Today.


Secure Privacy Academy, the leading data privacy training platform, empowers your team with the knowledge and skills to excel.