Privacy by Design – The 7 Foundational Principles

May 10, 2021

by Ito Onojeghuo | LLM, FIP

Privacy by Design – Recommendation or Requirement?

The GDPR incorporates Privacy by Design through articles 25(1) and 25(2) of the General Data Protection Regulation (GDPR), which outlines the obligations of data Controllers concerning ‘Data Protection by Design and Data Protection by Default’. The GDPR requires Controllers to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights.

This concepts of Data Protection by Design and Default although new under the GDPR is synonymous with Privacy by Design. Privacy by Design which was originally conceptualised by Dr. Ann Cavoukian. is an approach taken when creating new technologies and systems. This is when privacy is proactively incorporated into tech and systems, by default. It means a product is designed with privacy as a priority, along with whatever other purposes the system serves. Essentially technologists should make room for legal and privacy experts in product engineering processes.

Seven Foundational Principles

According to Dr. Cavoukian, seven Foundational Principles embody Privacy by Design:

#1 Proactive not Reactive; Preventative not Remedial

Proactive not Reactive; Preventative not Remedial:

  • Anticipates and aim to prevents privacy invasive events before they happen.

#2 Privacy as the Default Setting

Privacy as the Default Setting:

All privacy matters are built in to the system or are process driven.

  • Purpose specification
  • Collection limitation
  • Data minimisation
  • Use, retention, and disclosure limitation


If it is appropriate to offer a privacy setting, then the default position for each individual privacy setting should be ‘high privacy’.

In April 2021, Apple enhanced a privacy setting feature on iOS 14 and iPadOS 14. Third-party applications are now required to get users’ permission before tracking them or their devices across apps and websites owned by other companies for targeted ads or ad measurement purposes, or to share data with data brokers.

This ‘new’ feature has not exactly change the level of control offered to users, rather it has simply used a pre-existing but obscure feature in the phone settings and forced it centre stage. The aim is to ensure that the user is given an option and the requesting consent for specific processing is not by-passed. This is a good demonstration of Data Protection by Default.

#3 Privacy Embedded into Design

Privacy Embedded into Design:

  • Build privacy protections into the design and architecture
    of IT systems and business practices from the outset
  • Not “bolted on” or as an afterthought

The result is that:

  • Privacy becomes an essential component of the core functionality being delivered
  • Privacy is integral to the system, without diminishing

#4 Full Functionality – Positive-Sum, not Zero-Sum

Full Functionality – Positive-Sum, not Zero-Sum:

  • Privacy by Design seeks to accommodate all legitimate interests and objectives avoiding unnecessary trade-offs.
  • Designers should develop creative win-win solutions and avoid the
    pretence of false dichotomies (such as privacy vs. security), demonstrating that it is possible to have both.

#5 End-to-End Security – Full Lifecycle Protection

End-to-End Security – Full Lifecycle Protection:

  • Full Lifecycle Privacy Protection Privacy is built in design, before the system is set in motion, and it must be guaranteed throughout the life cycle of the data. Information security involves the confidentiality, integrity, availability and resilience of the systems that store it
  • Ensure cradle to grave, secure lifecycle management of information, end to end
  • Ensure that all data is securely retained, and then securely destroyed at the end of the process, in a timely fashion

#6 Visibility and Transparency – Keep it Open

Visibility and Transparency – Keep it Open:

(Accountability, Openness and Compliance)

  • Aim to assure all stakeholders that whatever the business practice or technology involved
  • Principle of “trust and verify” applies. Component parts and operations remain visible and transparent, to users and providers alike.
  • Operating according to the stated promises and objectives, subject to independent verification

Enforcement Action

The Information Commissioner’s Office (ICO) issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.

The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

According to the ICO, Equifax Ltd received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it had no excuse for failing to adhere to its own policies and controls as well as the law.

#7 Respect for User Privacy – Keep it User-Centric

Respect for User Privacy – Keep it User-Centric

Best user experience puts privacy first. This includes putting the power in the hands of the user to manage their own data, actively seeking their engagement in the process.

Privacy by Design requires architects and operators to protect the interests of the individual by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. (Consent, Accuracy, Access, Compliance …)

Embracing Privacy

In April 2021, Apple enhanced the privacy settings on iOS 14 and iPadOS 14. Third-party applications are now required to get users’ permission before tracking them or their devices across apps and websites owned by other companies for targeted ads or ad measurement purposes, or to share data with data brokers.

The ‘new’ feature merely took an obscure feature deep in the phone’s settings and forced it to centre stage. This is a good demonstration of Data Protection by Default.

Good improvement by Apple but could they have better designed for privacy in the first place? Rather than react to inappropriate use of location data by Apps if Apple was so privacy inclined, they should have foreseen the possibility and provided better controls in the first place.

Regulatory Compliance

Data Protection by Design is a requirement not just a recommendation. Articles 25(1) and 25(2) of the GDPR outline obligations concerning data protection by design and by default. Therefore it is important for technologists to understand and apply the principles. Having legal and privacy experts involved from the start of projects can simplify the whole development process and ease compliance burden.