Privacy by design under the GDPR

Published August 2, 2018 · Updated March 12, 2021

We live in an age where collecting tons of data on a daily basis is perfectly normal. It’s just ho-hum, day-to-day reality. But because it often involves processing massive amounts of personal information, the whole process calls for special measures to safeguard user privacy. Unfortunately, not every company treats this issue seriously enough to apply the necessary procedures.

In 2017 alone, 47% of people fell prey to data fraud. And in just March and April this year, the ICO received about 400 reports of personal data breaches. In June this number reached almost 1,750.

The rise in reports is a result of GDPR coming into effect. The question is how many breaches had been ignored or covered up before the regulation became law.

So, to fight crime and prevent data breaches, GDPR was implemented. With its provision of data protection by design and default, inspired by the privacy by design concept, the Regulation advocates making data security and privacy the starting point of every software development process.

Privacy by design & GDPR

GDPR is a new actor on the digital landscape, as it just came into force on May 25 this year. That said, its key assumption – privacy by design – is a slightly older concept. The term was coined in the 1990s by Dr. Ann Cavoukian, then the Information and Privacy Commissioner of Ontario. It holds that privacy must be guaranteed not solely by compliance with legislation and legal frameworks, but should be assured by the way organizations operate.

“Privacy knows no borders: we have to protect privacy globally or we protect it nowhere!” by Dr. Ann Cavoukian

In other words, organizations must take privacy into consideration at the design stage of every project and throughout its entire lifecycle. This approach aims to design and build systems where data is naturally safeguarded, with emphasis on the importance of proactive solutions.

GDPR has made privacy by design more than just an approved practice – it’s a legal obligation. However, data protection by design and privacy by design are not exactly the same thing. The latter was adopted by the Regulation, which has shifted focus more to personal data.

What is data protection by design?

According to the GDPR, data protection by design means that you should adopt both technical and organizational measures at the initial phases of design of processing operations so that privacy and data protection principles are guarded from the beginning.

Also, you need to incorporate safeguards into data processing in order to fulfill GDPR requirements and respect individuals’ rights.

As to the exact requirements, Article 25(1) states:

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Some of the practical applications of data protection by design are:

  • Pseudonymization – a procedure that replaces or removes information within a data set that enables identification of a specific person, e.g. encryption, masking, tokenization.
  • Anonymization – a process of removing personally identifiable information from a data set to make it impossible or at least harder to identify a particular person.
  • Monitoring of data processing
  • Adding new privacy features and improving the existing ones
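The pseudonymization techniques named in the list above can be sketched in a few lines. This is an added example, not code from the article or from any product it mentions; the record layout, the field names and the in-memory key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real system this key is held in a separate key store,
# apart from the data set. It is generated in memory here so the example runs.
PSEUDONYM_KEY = secrets.token_bytes(32)

def tokenize(value: str, key: bytes) -> str:
    """Tokenization: a keyed pseudonym, stable for one key, not recomputable without it."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def mask_email(email: str) -> str:
    """Masking: keep only the first character of the local part, for display."""
    local, sep, domain = email.strip().partition("@")
    return f"{local[:1]}***@{domain}" if sep else "***"

def pseudonymise(record: dict, key: bytes) -> dict:
    """Drop the direct identifiers and replace them with a token and a masked value."""
    out = {k: v for k, v in record.items() if k not in ("name", "email")}
    out["user_token"] = tokenize(record["email"], key)
    out["email_masked"] = mask_email(record["email"])
    return out

def unkeyed_hash(value: str) -> str:
    """Weak variant shown for contrast: anyone holding a candidate e-mail can recompute it."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample records, not real data.
RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "page": "/pricing"},
    {"name": "Alice Example", "email": "alice@example.com ", "page": "/signup"},
    {"name": "Bob Example", "email": "bob@example.org", "page": "/pricing"},
]

if __name__ == "__main__":
    for row in (pseudonymise(r, PSEUDONYM_KEY) for r in RECORDS):
        print(row)
```

Both of Alice's rows end up with the same token, so analysis per user still works, while linking a token back to an e-mail address requires the key.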

Furthermore, if you want to build privacy into your products and services from the ground up, this also means that your employees need to have knowledge about privacy. That’s why you need clear guidelines, policies, and instructions.

All in all, data protection should be deeply ingrained in your processing activities and business procedures.

What is data protection by default?

Under data protection by default, you only process data that is indispensable for a particular purpose, unless the user agrees you can process additional data.

Also, by default you need to ensure data is kept for a short period, meaning only as long as it’s needed for a specified purpose. This approach is taken from the principles of data minimisation and purpose limitation.

It’s quite different from pre-GDPR practices where companies were sucking up every piece of data they could, and then kept it for as long as possible just in case they wanted it later. So at the beginning of every project you need to ask some questions like:

  • Why do I need this data?
  • What kind of data do I need?
  • How much data is necessary?

When it comes to specific requirements, Article 25(2) of GDPR says:

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

What’s more, you need to specify what kind of data you’re collecting before you start collecting it, and your users must be informed about everything. Last but not least, any data you gather needs to have limited accessibility, meaning only authorized people can have access to it.
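One way to enforce these defaults at the point of collection is a purpose registry that decides which fields are stored and for how long. This is an added example, not code from the article; the purposes, field names and retention periods are hypothetical values chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical purposes, fields and retention periods (assumptions, not from the article).
PURPOSES = {
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
    "order_fulfilment": {"fields": {"email", "address"}, "retention": timedelta(days=90)},
}

def minimise(submitted: dict, purpose: str, consented_extra=frozenset()) -> dict:
    """Keep only the fields the purpose needs, plus fields the user agreed to share.

    An unregistered purpose raises KeyError, so nothing is stored without a declared purpose.
    """
    allowed = PURPOSES[purpose]["fields"] | set(consented_extra)
    return {k: v for k, v in submitted.items() if k in allowed}

def store(db: list, submitted: dict, purpose: str, now: datetime,
          consented_extra=frozenset()) -> dict:
    """Store the minimised record together with its purpose and collection time."""
    row = {
        "purpose": purpose,
        "collected_at": now,
        "data": minimise(submitted, purpose, consented_extra),
    }
    db.append(row)
    return row

def purge_expired(db: list, now: datetime) -> int:
    """Delete rows older than the retention period of their purpose; return how many."""
    kept = [r for r in db
            if now - r["collected_at"] <= PURPOSES[r["purpose"]]["retention"]]
    removed = len(db) - len(kept)
    db[:] = kept
    return removed

if __name__ == "__main__":
    # Constructed sample form submission, not real data.
    form = {"email": "alice@example.com", "address": "1 Example Street",
            "birthday": "1990-01-01", "phone": "+00 000 000"}
    db = []
    start = datetime(2021, 3, 12, tzinfo=timezone.utc)
    print(store(db, form, "newsletter", start)["data"])
    print(store(db, form, "order_fulfilment", start)["data"])
    print(purge_expired(db, start + timedelta(days=100)), "row(s) purged")
```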

But there are also other ways to ensure data protection by design. All settings of your applications and systems should be created with the principle of “privacy first” in mind.

This means that users don’t need to make additional adjustments and their data is protected by default. You also grant users enough control and options so they can effectively exercise their rights.

The significance of DPIA in data protection by design and default

Once we understand the theory behind data protection by design and by default, we can consider how to make it benefit you. There are many ways to implement data protection into your organization, but a lot depends on the processing context and your business’s needs.

However, one golden rule to stick to in every company is applying elements of a Data Protection Impact Assessment (DPIA) to every process and project.

What, exactly, is DPIA? It’s a distinct process mandated by GDPR. It has been “designed to help organizations consistently analyze, identify”, and ultimately minimize the data protection risks of their business endeavors. It’s also a flexible and scalable instrument that can easily be employed in various sectors and undertakings.

DPIA is a legal obligation for any kind of processing, including specific types of processing that can involve a high risk to the rights and freedoms of individuals. If a company fails to conduct a DPIA in such instances, it may be subject to legal proceedings and a fine of up to €10 million or 2% of global annual turnover, whichever is higher.

Naturally, it won’t eliminate all risk. But a proper DPIA lets you minimize risk and assess whether the level of risk in particular circumstances is acceptable when compared against the benefits of what you want to accomplish. You will be able to evaluate if your databases, software, and other tools are all compliant with GDPR.

Moreover, having a DPIA in place helps to bring more awareness of privacy and data protection issues to your organization. It also lets you establish data protection compliance by default and by design from the start of every project.

However, DPIA is not solely dedicated to new plans or projects. As a good practice in your company, it should be conducted at the implementation of every new functionality, product, service, or upgrade. This is especially true when they involve major changes to personal data processing, whether it concerns data volumes or the manner in which it’s handled.

It allows you to evaluate whether you can manage potential threats to data protection and the related costs. That’s also a way to exercise data protection by default.

Let’s have a look at some specific examples. You collect a wealth of data for your marketing initiatives. As you want to remain legally compliant, you must keep in mind that compliance involves respecting user rights.

In other words, you need to evaluate if you are able to correct, delete, and encrypt personal data your company collects and processes. Under GDPR you’re obliged to do so. But these tasks should be done when you’re devising your strategy, long before you begin doing any data collection.

The internal DPIA helps your company in better estimating the potential consequences of a particular project, as well as in assessing both the costs of implementation and the resources needed if something goes awry.

For instance, if your company is based in the EU and transfers personal data to the US because of your corporate group’s structure, you should be aware of possible data leakage. So, before you actually start such transfers, you can assess if you are ready to manage the risk.

Data protection by design and by default – a checklist

Incorporating data protection by design and by default into a general business strategy is a complex and demanding task. Taking into consideration that demands, needs, and resources vary across organizations, we recommend making life easier on yourself by focusing on some key aspects from a checklist proposed by the Information Commissioner’s Office (ICO) of the United Kingdom:

  • We consider data protection issues as part of the design and implementation of systems, services, products and business practices.
  • We make data protection an essential component of the core functionality of our processing systems and services.
  • We ensure that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
  • We only use data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.
  • We provide individuals with tools so they can determine how we are using their personal data, and whether our policies are being properly enforced.

Here you can find the complete checklist written by the ICO.

Final thoughts

The provisions of data protection by design and by default introduced in GDPR were created to help businesses safeguard users’ privacy and rights in a more efficient way. A proactive methodology, stressing that all safety measures should be included at the beginning of the implementation of every new project, makes it possible to detect problems early and fix them right away.

That also reduces the time and effort demands placed on IT departments. With data automatically protected, organizations build trust among users and minimize the risk of breaches and possible fines.

We hope that this post has given you some useful information. We know that you might still have some questions, and if this is the case please don’t hesitate to contact us.

Author

Karolina Matuszewska

Senior Content Marketer

Writer and content marketer. Transforms technical jargon into engaging and informative articles.
