Data PrivacyGrey Areas (Part V): Privacy by Design

September 29, 20210


With the emergence of globalization, the organisations have recognised and acknowledged the need to safeguard and protect the Personal and Confidential Data of its users. Such protection of Personal Data of each and every user in the era of Big Data has become a challenging task for the organisations. Therefore, a risk-based approach would aid in efficiently safeguarding the Personal and Confidential data of the users.

This approach helps in proper risk anticipation as counter-measures are built into systems, which provide effective and efficient Protection by Design in multiple jurisdictions. The risk-based approach is necessary for proper compliance and bridging the privacy gaps. The organisations collecting data should ensure that their privacy practices comply with certain global privacy standards.

Privacy by Design (PbD) is one of the measures implemented by the organisations to safeguard and protect the Personal Data collected, stored and managed by them.  PbD is an approach which aims to ensure protection of Personal Data by acknowledging the potential privacy issues from the very inception of the business. Essentially, PbD means that any work undertaken by an organisation which involves Confidential or Personal Data must be done with privacy protection.

 Any organisation that deals with the processing, i.e., collection, storage and management of Personal Data of the client, must ensure that such data is duly safeguarded. Thus, the main purpose of PbD is to provide the utmost protection to the Confidential and Personal Data of the users by incorporating security measures in the system engineering of the organisations.


The concept of PbD traces way back to the 1970s when it was developed by Ann Cavoukian. However, PbD was formalized much later in 1995, by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research in a joint report on Privacy-Enhancing Technologies.

The PbD Framework was published in 2009 and was thereafter adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.


The Information and Privacy Commissioner of Ontario developed seven foundational principles of PbD , which are enlisted hereunder: –

1. ‘Proactive not Reactive; Preventative not Remedial’

This is the first principle that explains the underlying concept of PbD. It states that Data Protection and Privacy must be prioritized since the commencement of the planning of the business.  The said principle asserts that one must do a proper anticipation and identification, in order to prevent invasive events and take actions prior to any potential data or security breach. Thus, the risks are anticipated beforehand, so that privacy is not breached and the organisations are protected from any kind of privacy issues that could have a negative impact on the goodwill of an organisation.

2. ‘Privacy as the Default Setting’ 

This principle stated that “privacy must be a default setting” of a business, i.e., it must be kept at the forefront of anything the organisation does. Data minimalization, automatically deleting previous data which is of no use, are some of the examples of this principle. The key objective of this principle is to ensure that the Personal Data is protected automatically and no other further actions are required. In other words, the principle states that the system containing the data should be secured in a manner that an individual is not required to take any additional steps for the protection of the data.

3. ‘Privacy Embedded into Design’ 

Data privacy measures should be integrated appropriately into the components of the system including architecture of the business practices and Information Technology (IT) systems of an organisation. An organisation should adopt an approach that is principled in order to embed privacy. Such approach should be based on accepted frameworks and standards. Privacy must be embedded in the system of an organisation in such a manner that the functionality of the system is not diminished with passage of time and detailed risk and impact assessments should be carried out. It is pertinent to note that user experiences should not be affected in order to integrate data protection mechanisms in the system and for the same, such integration should be executed in a holistic way.

4. ‘Full Functionality-Positive-Sum, not Zero-Sum’

The present principle states that there must be a balance between security and growth. It’s a ‘win-win’ approach to design legitimate data protection systems.  This principle essentially seeks to avoid trade-offs and instead, tries to encourage incorporation of all the required objectives while ensuring due compliance with the regulations.  The organisations who consider privacy in every design, are considered to be taking the positive-sum approach.

5. ‘End-to-End Security-Full Lifecycle Protection’

Data protection has to be done from the inception, i.e., when the data enters the system, till the end, i.e., when it is erased. General Data Protection Regulation (GDPR) compliant erasure methods shall be used in order to ensure  end-to-end protection. Such erasure methods assure that data shall be deleted or destructed when it is no more required. This principle talks about lifecycle protection, i.e., the privacy must be protected throughout the lifecycle of the data.

6. ‘Visibility and Transparency – Keep it Open’ 

The stakeholders need to be assured that their Personal Data is protected and the business is being performed as according to the said objectives. The data collected by organisations should be subject to independent verification and can be verified any time the stakeholders want. This principle aims at establishing accountability and trust of the users who submit their data to an organisation.  Proper emphasis must be placed upon openness, consent, compliance and accountability. Necessary steps must be taken by organisations to monitor, evaluate and verify the due compliances.

7. ‘Respect for User Privacy – Keep it User-Centric’

This principle states that a business should remember that even if it is in the possession of the data, it originally belongs to the person who is its actual owner and thus, everything shall be kept user-centric. The Data Subject, i.e., the user who is providing his Personal Data, has the right to withdraw or grant the data as and when he wants, but the organisation to which the data has been provided has no such power. The best PbD is the one that is designed keeping in mind the needs and interests of the individual user. The Data Subjects must be empowered to play an active role in the management of the data provided by them, to keep a check on the abuses and misuses of their Personal Data.


PbD holds key importance for an organisation or business when it comes under the purview of GDPR.  Article 25 of the GDPR namechecks and embraces the concept of PbD.  Article 25 stipulates that the data protection measures should be reasonable and the process of data collection that is used by a Data Controller and the data collected should be appropriate. It has been explicitly mentioned in Article 25(2) that only the required data, which is necessary, shall be collected, and any other Personal Data shall not be collected. It is pertinent to note that appropriate measures shall be used for collecting such data.

Article 42 of the GDPR has been referred under Article 25, which provides for certification measures providing clarity on compliance. GDPR requires that the cyber security risks should be mitigated apart from meeting the compliance requirements, which can be done only by following the seven foundational principles as mentioned hereinabove.

Data PbD can be achieved by conducting Data Protection Impact Assessments (DPIAs) whenever the organisations deal with a user’s Personal Data. Apart from that, the organisations must also prepare their privacy and data protection policies in a manner that can be easily understood by the users. It is necessary that the Data Subjects are provided with details like name and contact of the Data Collector in order to ensure utmost transparency.

The GDPR requires that in order to ensure data protection, an organisation should always give first priority to “privacy” as a default setting and only the necessary information shall be collected. The data shall be collected with the consent of the Data Subject and such data shall be kept confidential until the individual providing the data assents for the same.

Article 25 of the GDPR also provides that in order to achieve data protection, the organisations must take appropriate technical measures to protect an individual’s Personal Data. The organisation should also analyse the cost of implementation, the nature, scope and purpose of processing and also, the risks that might occur and its severity. Thus, the organisation should adopt measures after analysing the risk factor and the resources available. Technologies like Pseudonymisation which de-identifies personal data and Encryption wherein the data is converted into an encoded format, can be used for such purposes.

One of the key objectives of the GDPR is to give more rights to the Data Subjects over their Personal Data which can be implemented by providing PbD.  A flexible privacy policy gives the Data Subjects an option to control the data that is collected from them and they have an actual say over it. Thus, with its incorporation, PbD has helped in the implementation of data protection and privacy successfully in the processing of data.


The GDPR ensures bona fide protection of data both by design and by default, ensuring the Data Subject full confidentiality of his Personal Data. With the emergence of globalisation, digitization and increasing competition in the market, protection of data had become a challenging task.  In the light of such a scenario, the GDPR gives the due assurance and aims at giving first preference to safeguarding the privacy of the users and data protection as a whole.

PbD is a user-centric approach wherein no data can be collected or made public without the consent of the stakeholders. Thus, PbD and its seven foundational principles are an effective measure for maintaining privacy of an individual in an IT system architecture of any organization processing Personal Data.

– Team AMLEGALS, assisted by Ms. Mansi Jain (Intern)

For any queries or feedback, please feel free to connect with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.