Privacy by Design

A GDPR principle (Article 25) requiring data protection to be integrated into the design of products, services, systems, and processes from the outset, rather than retrofitted after development. It includes privacy by default, which mandates that the most privacy-protective settings apply without user intervention.

What is Privacy by Design

Privacy by Design (PbD) is a framework developed by Dr. Ann Cavoukian in the 1990s and codified as a legal obligation under Article 25 of the GDPR. It requires data controllers to implement appropriate technical and organisational measures — such as data minimisation and pseudonymisation — both at the time of determining the means of processing and at the time of the processing itself.

The seven foundational principles

  1. Proactive not reactive: anticipate and prevent privacy risks before they occur
  2. Privacy as the default setting: without any user action, the most protective configuration must apply
  3. Privacy embedded into design: privacy is an integral part of system architecture, not an add-on
  4. Full functionality (positive-sum): privacy and business objectives are not zero-sum trade-offs
  5. End-to-end security: data protection throughout the entire data lifecycle
  6. Visibility and transparency: processes must be verifiable and auditable
  7. Respect for user privacy: user interests are paramount

Legal obligations under Article 25

Article 25 GDPR creates a binding obligation for controllers to apply data protection by design and by default. This includes implementing measures proportionate to the nature, scope, context, and purposes of processing, as well as the risks to individuals. Regulators have begun enforcing this — companies that launch products without privacy considerations face both fines and orders to redesign.

Practical implementation

For development teams, PbD means conducting DPIAs before launching new features, applying data minimisation in forms and databases, implementing automatic retention schedules, using pseudonymisation and encryption, and documenting privacy-related design decisions. In agile environments, privacy reviews should be integrated into each sprint cycle.

Frequently asked questions

Is Privacy by Design a legal obligation in Spain?

Yes. Article 25 of the GDPR creates a binding obligation for data controllers to implement privacy by design and by default. Spain's LOPD-GDD reinforces this requirement. The AEPD has the authority to fine companies that launch products or services without adequate privacy measures built in from the design stage.

What does privacy by default mean in practice?

Privacy by default means that, without any user action, the most privacy-protective settings must apply automatically. For example, a new social network account should be set to private by default, not public. Only the data strictly necessary for the specified purpose should be processed without requiring users to take additional steps.

When does Privacy by Design require a Data Protection Impact Assessment (DPIA)?

A DPIA is required under GDPR Article 35 when processing is likely to result in a high risk to individuals' rights and freedoms — such as large-scale profiling, processing sensitive data, or systematic monitoring. For new products or services involving such processing, the DPIA must be conducted before the processing begins, as part of the privacy by design process.

How does Privacy by Design apply in agile software development?

In agile environments, privacy reviews should be integrated into each sprint or development cycle rather than treated as a final pre-launch check. This means conducting DPIAs for new features, applying data minimisation principles in database design, implementing retention schedules from the outset, and documenting privacy-related architectural decisions as part of normal development workflows.
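The measures named under Practical implementation and in the FAQ answers on privacy by default and agile development can be made concrete in application code. The following is an added example, not code from the original glossary page or from its publisher. It shows four of the measures in one small module: privacy-protective defaults on a settings object, data minimisation on an intake form, pseudonymisation of a direct identifier with a keyed hash whose key is held apart from the data, and an automatic retention schedule that purges expired records. The field allow-list, the 365-day retention period, the settings names, the newsletter purpose and the key value are all constructed assumptions for illustration.

```python
"""Added example: Privacy-by-Design controls expressed in application code.

Everything here (purpose, field names, retention period, key) is constructed
for illustration and is not taken from the glossary page.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data minimisation: the fields strictly necessary for the stated purpose
# (assumed purpose: newsletter signup). Anything else the form submits is
# discarded before it is ever stored.
ALLOWED_SIGNUP_FIELDS = frozenset({"email", "language"})

# Retention schedule for this purpose (assumed policy value).
RETENTION_DAYS = 365

# Constructed key. In a real system it is loaded from a secrets manager and
# kept separate from the pseudonymised dataset, so that holding the dataset
# alone does not allow the identifier to be recovered or recomputed.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class ProfileSettings:
    """Privacy by default: the most protective configuration applies without
    any user action; every sharing option is opt-in."""
    profile_visibility: str = "private"   # not "public"
    analytics_opt_in: bool = False        # never pre-ticked
    marketing_opt_in: bool = False
    location_sharing: bool = False


def minimise(submitted: dict) -> dict:
    """Keep only the fields required for the purpose; drop the rest."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_SIGNUP_FIELDS}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    Normalising first means the same person yields the same token, so records
    stay linkable for the purpose, while the token cannot be recomputed or
    reversed by anyone who does not hold the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


@dataclass
class StoredRecord:
    subject_token: str      # pseudonym, never the raw e-mail address
    attributes: dict        # minimised, non-identifying attributes
    created_at: datetime
    expires_at: datetime    # retention deadline fixed at creation time


def store(submitted: dict, now: datetime) -> StoredRecord:
    """Apply minimisation, pseudonymise the identifier and set the expiry."""
    data = minimise(submitted)
    if "email" not in data:
        raise ValueError("email is required for this purpose")
    token = pseudonymise(data.pop("email"))
    return StoredRecord(
        subject_token=token,
        attributes=data,
        created_at=now,
        expires_at=now + timedelta(days=RETENTION_DAYS),
    )


def purge_expired(records: list[StoredRecord], now: datetime) -> list[StoredRecord]:
    """Automatic retention schedule: keep only records whose expiry is still ahead."""
    return [r for r in records if r.expires_at > now]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed form submission that over-collects: phone and dob are not needed.
    form = {"email": "Alice@Example.com", "language": "es",
            "phone": "+34 600 000 000", "dob": "1990-05-01"}
    rec = store(form, now)
    print("defaults:", ProfileSettings())
    print("stored attributes:", rec.attributes)        # only 'language' survives
    print("token:", rec.subject_token[:16], "...")
    print("after retention:", purge_expired([rec], now + timedelta(days=RETENTION_DAYS + 1)))
```

The point of fixing `expires_at` when the record is created, rather than computing it at purge time, is that the retention decision is documented with the data itself and survives later changes to the policy constant; a scheduled job that calls `purge_expired` is then the only deletion path that needs auditing. Note that HMAC-based tokens are pseudonymous, not anonymous: whoever holds the key can still link a token back to a known e-mail address, which is exactly why the key must be stored separately from the dataset.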