Privacy by Design

8 min read

Privacy by Design

An architectural principle that requires privacy protections to be embedded into the design of systems and processes from the very beginning — not added as an afterthought or a compliance checkbox.

What is it?

Privacy by Design (PbD) is the idea that privacy should be a core architectural requirement, not a feature bolted on at the end. It was developed by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, in the 1990s and later adopted as a legal requirement under GDPR Article 25 and Swiss nDSG Article 22.1

The principle challenges a common pattern in software development: build the feature first, then figure out how to make it compliant. PbD inverts this. You design for privacy before you write the first line of code, the same way you design for security, performance, or accessibility.

In practice, this means that every architectural decision — what data to collect, where to store it, how long to keep it, who can access it — should default to the most privacy-protective option. The user shouldn’t have to opt out of data collection. They should have to opt in.2

In plain terms

Privacy by Design is like building a house with locks on the doors from the start, rather than installing them after a break-in. The house is designed so that privacy is the default state — curtains come pre-installed, not sold as optional extras.

At a glance

How does it work?

The seven foundational principles

Ann Cavoukian defined seven principles that operationalise PbD. Each translates directly into architectural and design decisions.1

1. Proactive not reactive — preventative not remedial

Anticipate privacy risks before they occur. Don’t wait for a breach or a complaint to act.

Think of it like...

A doctor who recommends exercise and diet changes is proactive. A doctor who only treats heart attacks is reactive. PbD is preventive medicine for data.

2. Privacy as the default setting

The strictest privacy settings should apply automatically, without user action. If a user creates an account, their profile should be private by default, not public.

Developer rule of thumb

If the user does nothing, the maximum privacy should be in effect. Every relaxation of privacy requires an explicit, informed choice.

3. Privacy embedded into design

Privacy is not an add-on module. It’s woven into the architecture, the data model, the API design, and the business logic.

4. Full functionality — positive-sum, not zero-sum

Privacy and functionality are not opposites. A well-designed system can protect privacy and deliver full functionality. Don’t frame privacy as a trade-off.3

5. End-to-end security — full lifecycle protection

Data must be protected from the moment it’s collected to the moment it’s deleted. This covers encryption in transit, encryption at rest, access controls, and automated deletion.

6. Visibility and transparency

Users and regulators should be able to verify that privacy protections are actually in place. Open documentation, audit logs, and clear privacy notices serve this principle.

7. Respect for user privacy — keep it user-centric

Design with the user’s interests in mind, not your own convenience. Offer granular controls, understandable explanations, and meaningful choices.

From principles to architecture

PbD PrincipleArchitectural pattern
Privacy as defaultOpt-in data collection, no tracking without consent
Embedded into designPrivacy-aware data models (separate PII from analytics)
End-to-end securityEncryption at rest and in transit, field-level encryption for sensitive data
Data minimisationSchema design that only includes necessary fields
Purpose separationSeparate databases or schemas per processing purpose
Retention by designTTL (time-to-live) on records, automated deletion jobs
Right to erasureSoft-delete with hard-delete scheduler, cascading deletion across services

Privacy by Design in law

PbD is no longer just a best practice — it’s a legal requirement in multiple jurisdictions:2

LawArticleRequirement
GDPRArt. 25”Data protection by design and by default” — controllers must implement appropriate technical and organisational measures
Swiss nDSGArt. 22Privacy by design and default — technical precautions from planning stage
ISO 31700Full standardInternational standard for consumer privacy by design (published 2023)

Concept to explore

Privacy by Design often requires a data-protection-impact-assessment to identify which technical measures are “appropriate” for a given system. The DPIA is the formal tool that operationalises PbD.

Why do we use it?

Key reasons

1. It’s cheaper. Retrofitting privacy into an existing system costs 10-100x more than designing it in from the start. Re- architecting a database to support data deletion after launch is painful. Designing for it from day one is trivial.

2. It’s legally required. GDPR Article 25 and Swiss nDSG Article 22 make privacy by design a binding obligation, not a recommendation. Non-compliance is a regulatory risk.

3. It builds trust. Users increasingly choose products that respect their privacy. “Private by default” is a competitive advantage, not a constraint.

When do we use it?

  • When starting any new project that will process personal data
  • When designing database schemas and data models
  • When defining API contracts that expose or accept personal information
  • When choosing third-party services (analytics, hosting, payment) that will process user data
  • When adding new features to an existing system that change how data is collected or used
  • When conducting a DPIA (privacy by design is one of its core outputs)

Rule of thumb

If you’re about to create a database table, an API endpoint, or a form field — pause and ask: “What’s the most privacy-protective way to achieve this?” That pause is Privacy by Design in action.

How can I think about it?

The architect's blueprint analogy

An architect doesn’t design a building and then wonder where the toilets go. Plumbing, electrical, fire safety, and accessibility are part of the blueprint from the very first sketch. You don’t see them in the finished building — they’re embedded in the walls, the floors, the infrastructure.

Privacy by Design works the same way. Privacy protections should be as invisible and integral as plumbing — users benefit from them without thinking about them. And like plumbing, they’re almost impossible to retrofit once the concrete has set.

The camera phone analogy

Early camera phones had no indicator when the camera was active. People could be photographed without knowing. Later designs added a mandatory shutter sound and a visible LED — privacy was embedded into the hardware design.

  • Shutter sound = transparency (you know when data is collected)
  • LED indicator = visibility (you can verify the camera is off)
  • Mandatory, not optional = privacy as default (can’t be silenced)

Your application’s data collection should work the same way: visible, audible, and controlled by the user.

Concepts to explore next

ConceptWhat it coversStatus
personal-data-protectionThe legal principles PbD implementscomplete
data-protection-impact-assessmentThe formal process that operationalises PbDcomplete
re-identification-riskA key risk that PbD architecture must mitigatecomplete
algorithmic-transparencyTransparency requirements for AI systemscomplete

Some cards don't exist yet

A broken link is a placeholder for future learning, not an error.

Check your understanding

Where this concept fits

Position in the knowledge graph 

graph TD
    A[Data Governance] --> B[Privacy by Design]
    A --> C[Personal Data Protection]
    A --> D[DPIA]
    B --> E[Privacy-Enhancing Technologies]
    B --> F[Consent Management]
    B --> G[Data Retention Policies]
    style B fill:#4a9ede,color:#fff

Related concepts:

Sources

Further reading

Resources

Footnotes

  1. Cavoukian, A., as cited in StackGo. (2025). 7 Privacy by Design Principles Explained for GDPR Compliance. StackGo. 2

  2. Devisia AI. (2026). A Practical Guide to GDPR Privacy by Design for Engineering Leaders. Devisia. 2

  3. IEEE Digital Privacy. (2025). Architecting Privacy By Design: From Concept to Application. IEEE.

Graph View

Backlinks