Privacy by design is both a broad concept and a specific requirement of the GDPR. In both cases, privacy by design means using organizational and technical methods to reduce the amount and scope of data processing to the minimum necessary.

If you don’t embrace privacy by design, you may make your Privacy Policy inaccurate, which will also breach the GDPR.

We’ll break down the practical steps you need to take to avoid these problems when complying with the GDPR and other privacy laws.

Background of Privacy by Design

The concept of privacy by design isn’t new. It was already covered in broad terms by European privacy regulation (and associated national laws) in the early 1990s, while many other data laws around the world shared similar principles.

The concept came to greater attention in a more formalised manner in 2009. Ann Cavoukian, at the time the Information and Privacy Commissioner of Ontario, presented a framework for “privacy by design” at an international conference for data regulators. Officials from around the world agreed to adopt the concept and build it into both the drafting and implementation of data privacy regulations wherever possible.

The most high profile incorporation of the framework came with the GDPR in 2018.

GDPR Requirements for Privacy by Design

GDPR Requirements for Privacy by Design

The GDPR affects any processing of personal data where the processor or the data subject (the person the data is about) is in a European Union country, or if the processing itself physically takes place in an EU country.

The GDPR includes two sets of requirements commonly referred to as “data protection by design” and “data protection by default.” While this terminology is different, these requirements are a clear implementation of the privacy by design concept.

Article 25 (1) covers data protection by design:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

The key phrase here is “at the time of determination of the means for processing.” In simple terms, this means you have to consider data privacy when you design your systems and procedures for collecting and handling data. It’s too late to start thinking about it once you actually have the personal data.

Note that “pseudonymisation” and “data minimisation” are examples of practical measures rather than an exhaustive list of what you must do.

Article 25 (2) covers data protection by default:

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

The key here is that it isn’t enough to simply have a policy to only collect the data that’s necessary for the relevant processing. Instead you need to have practical measures that make sure this happens.

Other Privacy Laws and Privacy by Design

Other Privacy Laws and Privacy by Design

The GDPR isn’t the only privacy law that incorporates at least some elements of the privacy by design principle.

For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada requires businesses to have a specific staff member responsible for data handling; to limit the data they collect; and to have procedures for destroying data that’s no longer needed.

Meanwhile proposed or planned domestic laws in BrazilIndia and Switzerland all incorporate privacy by design in some format.

Privacy Policies and Privacy by Design

Privacy Policies and Privacy by Design

Having a Privacy Policy does not in itself achieve privacy by design. However, a Privacy Policy plays several key roles in following both the concept of privacy by design and the related requirements of the GDPR:

How to Create a Privacy Policy

The Seven Principles of Privacy by Design

The Seven Principles of Privacy by Design

Dr. Cavoukian’s framework for privacy by design is based on seven principles. Below we detail the key practical steps you must take to follow these principles and in turn comply with the GDPR’s requirement for data protection by design and data protection by default. We also detail the implications for your Privacy Policy.

Be Proactive, not Reactive; Preventative not Remedial

In simple terms this means making privacy a key objective that you follow at all times. It arguably means going beyond simply complying with the specific requirements of a privacy law.

The main practical step is that, before you design any system and process for handling data, you figure out what privacy risks your handling of the data will create. You can then decide what steps are needed to minimise or eliminate those risks and build these steps into the system.

Privacy as the Default

This sounds like a concept but is actually a key practical point. It doesn’t simply mean getting behind the idea of data privacy. Instead it means taking practical steps that reduce the possibilities of breaching privacy.

Examples include:

The Privacy Policy of Tollers Solicitors demonstrates that a specific, named individual is responsible for data protection:

Tollers Solicitors Privacy Policy: How to Contact us clause

There’s also a general clause with information about how users can complain to an authority officer:

Tollers Solicitors Privacy Policy: How to complain clause

Privacy Embedded into Design

This is the principle that you build privacy protections into your systems from the outset rather than try to bolt it on later. A key example would be a database of email addresses that you’ve collected in a variety of contexts such as people signing up to an email newsletter, placing an order for a product, or registering for a conference.

The wrong (or at least sub-optimal) way to handle this would be to create the database and then later on try to craft a query that can take the date the user provided the mail address, add on an appropriate timescale, flag up addresses that might no longer be needed for the original purpose, then manually review them to decide if you should delete them. This creates several possible points of failure when an address could fall between the gaps.

The correct (or at least optimal) way would be to create the database so that, at the time you add an address, it automatically generates an expiry date. When a record reaches this date it should automatically be deleted, or at least automatically blocked from future use until you manually review it.

This extract from AWeber’s Privacy Policy shows it recognises data collected in different contexts should be handled in different ways. It will have complied with privacy by design if it has built these differences into its data processing systems:

AWeber Privacy Policy: Newsletters, Service Related Emails and Customer clauses

Full Functionality: Positive-Sum, not Zero-Sum

This is one of the more conceptual principles and it’s more about attitude than specific actions. It’s effectively a reminder that you shouldn’t see privacy as a trade-off against other interests such as serving customers or boosting revenue. If you do find you are limiting the functionality of your site and service to accommodate privacy, it may be a sign you need to rethink your approach and find a better way to design your systems.

This principle doesn’t mean there won’t be consequences from the privacy choices the user makes.

For example, this Privacy Policy from The Audience Agency details how some services and functionality are only possible if the user provides personal data or accepts cookie use. This doesn’t breach privacy by design because these requirements are inherent to the relevant services and technology:

Audience Agency Privacy Policy: Cookies clause

End-to-End Security: Lifecycle Protection

This means keeping data secure at every point, from collecting it to using it to disclosing it to destroying it. (It’s a good reminder that the GDPR’s definition of “processing” covers all these activities.)

Some of the practical measures include:

It’s a good idea to detail your security measures in a Privacy Policy to inform both regulators and data subjects. However, it’s vital this information is accurate and not misleading otherwise you undermine the data subject’s ability to give informed, meaningful consent to data processing.

The Privacy Policy of Save the Elephants informs the data subject while managing expectations to keep them realistic:

Save the Elephants Privacy Policy: How do we protect personal information clause

Visibility and Transparency

This principle is based on the idea that keeping data subjects informed will not only win their trust but also helps ensure you are accountable for the way you handle data.

A Privacy Policy is key here and the GDPR sets out a range of points you must cover.

Remember that the GDPR specifically says that any information you give about your data processing must be in:

“A concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

The Privacy Policy of Childline is appropriately clear without being patronizing:

Childline Privacy Policy: Personal information - Definition and Use clauses

Respect for User Privacy

This is something of a catch-all principle putting privacy at the center of everything you do. The most relevant part of the GDPR is the need for the data subject to give meaningful consent. This means they have the necessary information to make an informed decision.

It also means you get active consent so you are certain about the data subject’s intentions. You cannot rely on passive measures such as “browsewrap” (notices that the user consents to the Privacy Policy simply by using the site).

The data subject must take a positive action such as clicking a button, ticking a checkbox or switching a toggle to show they give consent. A recent court ruling means that if you use checkboxes or toggles, you cannot set them to be pre-ticked or set to on by default.

This example from Power to Change doesn’t simply rely on the user providing an email address and clicking submit. They also have to actively tick one or both checkboxes to specifically agree to their address being used for a particular purpose or purposes:

Power to Change email newsletter sign-up form


Let’s recap what you need to know about privacy by design and the GDPR.

2 Responses

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.