Skip main navigation

Privacy by Design

An article about the Privacy-by-Design notion and its essence.
Ann Cavoukian
© Wikimedia

Starting from scratch, just like various technical solutions including social networking servers are built up, we need to comprehend how the rights to privacy and data protection can be implemented in practice. In order to have a good understanding of the GDPR and the obligations those who handle personal data have, it is essential to consider Privacy by Design and explain what it means at an early stage. In Week 3, we will touch upon the notion of data protection by design and by default that is related to the Privacy by Design concept and entails important duties that should be taken into account by those who are involved in the processing of personal data.

Privacy by Design is a significant notion contributing to the implementation of the rights to privacy and data protection. This is especially relevant in the age when numerous systems are designed to process personal data and are deployed on a large scale. It has been introduced by the Canadian Information and Privacy Commissioner Ann Cavoukian and seeks to promote the idea that these rights can and should be protected not merely by regulatory measures but by implementing certain principles by design and by default by organisations in the systems that process personal data. In this regard, 7 principles of Privacy by Design are of importance:

  1. The Privacy by Design approach must adopt a proactive rather than reactive stance and aim at preventing privacy risks and not at addressing them after they occur;
  2. Privacy is to be used as a default setting;
  3. Privacy must be embedded into design;
  4. Privacy by Design ensures full functionality and seeks to achieve both privacy and security;
  5. Security must be made an integral part of the systems throughout their whole lifecycle;
  6. It seeks to achieve visibility and transparency;
  7. Systems are to be kept user-centric and users interests and needs must be taken into account.

In Article 25 of the GDPR, a reference is made to the data protection by design and by default that constitutes a more specific notion given the nature of this legislative act and focuses on the obligations of controllers that will be discussed in the coming weeks.

© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now