Privacy by Design
Build privacy in from the start. Retrofit is always harder.
Overview
Article 25 of GDPR requires data protection by design and by default. This is not a checkbox β it is a fundamental shift in how organisations are expected to approach systems, processes, and products that handle personal data. Answer the five questions below with practical reasoning. The grader is looking for applied understanding, not a recitation of principles.
Read before you answer
Privacy by design is the principle that data protection should be embedded into systems, processes, and products from the outset β not added as an afterthought once a system is built and deployed. Article 25 of GDPR makes this a legal obligation: controllers must implement data protection by design and by default, taking into account the state of the art, the cost of implementation, the nature and purposes of processing, and the risks to individuals. "By default" means that, without any intervention by the data subject, only personal data that is necessary for each specific purpose is processed β the most privacy-protective settings should be the default, not an opt-in.
The practical implication is that privacy considerations must be part of the design process for any new system, application, or process that handles personal data. This means: limiting data collection to what is actually needed (data minimisation at the architecture level); applying pseudonymisation or encryption where appropriate from the beginning; designing access controls that reflect least-privilege principles; building retention and deletion mechanisms into the system rather than leaving them as manual processes; and considering what data would be exposed in the event of a breach and designing to limit that exposure. Retrofitting privacy controls after a system is built is typically more expensive, less effective, and harder to verify than building them in from the start.
Data Protection Impact Assessments (DPIAs) are required under Article 35 whenever processing is likely to result in a high risk to individuals β particularly for large-scale processing of special category data, systematic and extensive profiling, or large-scale monitoring of publicly accessible areas. A DPIA is not simply a form to be completed: it is a structured process of identifying the purpose and necessity of the processing, assessing the risks, and identifying measures to mitigate them. Where a DPIA concludes that risks cannot be adequately mitigated, the organisation must consult the supervisory authority before proceeding. The Data Protection Officer (DPO) β mandatory for public authorities, for organisations processing special category data at scale, and for those engaged in large-scale systematic monitoring β must be consulted in the DPIA process and must be independent, with direct access to senior management and protection from retaliation for performing their tasks.