Privacy by Design
Data protection by design — Article 25 GDPR
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Privacy by Design (Article 25(1) GDPR) is the obligation to integrate data protection principles (data minimisation, purpose limitation, transparency) already at the design stage of systems and processes — not retrospectively.
What is Privacy by Design?
Article 25 GDPR distinguishes two levels:
- Privacy by Design: data protection embedded in system architecture (pseudonymisation, encryption, access restriction)
- Privacy by Default: privacy-friendly default settings (e.g. profile = private rather than public)
Both apply cumulatively. Breaches of Article 25 are sanctioned under Article 83(4)(a): up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Practical example
SaaS provider X plans a new HR tool. Privacy by Design requires:
- data minimisation in the input forms (collect only what is genuinely necessary for the HR process)
- pseudonymisation in reports, with the re-identification key held separately
- access restriction by role
- a privacy-friendly default (Privacy by Default): only the direct line manager sees performance data, not every user of the tool
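How the four requirements above translate into code, as an added example that is not part of the original page and not the code of any real HR product. It assumes a minimal onboarding form (the field set is an assumption), a keyed pseudonym for reports (the key is the separately held "additional information" of Article 4(5) GDPR; a plain unkeyed hash would not do, because employee IDs are small enough to enumerate), and a default-deny access rule in which only the direct line manager can read performance data. All sample records are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# 1) Data minimisation: the onboarding form accepts only these fields.
#    Anything else (religion, private phone number, ...) is rejected at the
#    boundary, so it is never stored. The field set is an assumption.
REQUIRED_FIELDS = {"employee_id", "name", "start_date", "manager_id"}
OPTIONAL_FIELDS = {"cost_centre"}


def minimise_form(submitted: dict) -> dict:
    """Accept a form only if it carries exactly the fields the process needs."""
    extra = set(submitted) - REQUIRED_FIELDS - OPTIONAL_FIELDS
    if extra:
        raise ValueError(f"form carries unnecessary fields: {sorted(extra)}")
    missing = REQUIRED_FIELDS - set(submitted)
    if missing:
        raise ValueError(f"form is missing required fields: {sorted(missing)}")
    return dict(submitted)


# 2) Pseudonymisation: reports carry an HMAC-SHA256 pseudonym instead of the
#    employee ID. Whoever holds the report but not the key cannot map a row
#    back to a person; the key lives in the HR system's secret store, not
#    next to the report. 16 hex chars (64 bits) is enough for a report key.
def pseudonymise(employee_id: str, key: bytes) -> str:
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def report_row(record: "PerformanceRecord", key: bytes) -> dict:
    """One row of a performance report: no direct identifier survives."""
    return {"subject": pseudonymise(record.employee_id, key), "rating": record.rating}


# 3) + 4) Access restriction by role with a privacy-friendly default:
#    only the direct line manager of the record's subject may read it.
#    Every other viewer is denied; there is no "visible to all" fallback.
#    Further rules (e.g. the employee's own access) would be added explicitly,
#    never by loosening the default.
@dataclass(frozen=True)
class PerformanceRecord:
    employee_id: str
    manager_id: str
    rating: str


def can_view_performance(viewer_id: str, viewer_role: str, record: PerformanceRecord) -> bool:
    if viewer_role == "manager" and viewer_id == record.manager_id:
        return True
    return False  # default deny: colleagues, other managers, unknown roles


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    form = {"employee_id": "e-1001", "name": "A. Example",
            "start_date": "2024-03-01", "manager_id": "m-7"}
    stored = minimise_form(form)
    record = PerformanceRecord(stored["employee_id"], stored["manager_id"], "exceeds")
    report_key = b"example-key-kept-in-secret-store"  # assumption: loaded from a vault
    print(report_row(record, report_key))           # subject is a pseudonym, not e-1001
    print(can_view_performance("m-7", "manager", record))   # True: direct line manager
    print(can_view_performance("m-9", "manager", record))   # False: another manager
    print(can_view_performance("e-1002", "employee", record))  # False: a colleague
    try:
        minimise_form({**form, "religion": "n/a"})
    except ValueError as err:
        print("rejected:", err)                      # unnecessary field never stored
```

The point of `minimise_form` rejecting rather than silently dropping extra fields is that a client sending them is itself a design defect worth surfacing; the point of default deny in `can_view_performance` is that a forgotten role mapping fails closed, which is what Article 25(2) asks of a default setting.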
Frequently asked questions
Who is liable for Privacy by Design breaches?
The controller (Articles 24 and 25 GDPR). Processors are bound indirectly through the Article 28 processing contract, which must oblige them to support the controller's technical and organisational measures. Producers of products and services are only "encouraged" to take data protection into account (Recital 78); Article 25 does not bind them directly.
When does the obligation begin?
Before any new development or substantial modification, at the time the means of processing are determined. The obligation does not end there: Article 25(1) also applies "at the time of the processing itself", so existing systems must be reviewed against it, in practice at the latest at the next modification.
Is a DPIA sufficient?
No. A DPIA (Article 35) is a separate obligation that is only triggered for processing likely to result in a high risk. It documents risks and the measures chosen, and is therefore a useful instrument for Privacy by Design, but it does not by itself satisfy Article 25, which applies to all processing regardless of risk level.