July 31, 2020

How to correctly implement privacy by design

Privacy by design principles are overlooked by conventional engineering methodologies when developing products.

# Insights

Privacy by Design (PbD) aims to ensure that privacy is respected and taken into account before, at the start of, and throughout the development and implementation of projects that involve the collection and processing of PII.

PbD is a technical approach to handling a social challenge. Clearly, technology cannot help with every facet of that challenge. Privacy in particular touches several fundamental human rights areas, such as freedom of expression and of the press, or protection against discrimination, so these matters need to be handled through a broader plan by the community as a whole. Dr Ann Cavoukian diligently championed PbD, which led to the global fascination with it. The undisputed acknowledgement and adoption of PbD by the International Conference of Data Protection and Privacy Commissioners would not have been possible without her efforts. PbD is regarded as a prerequisite in data protection. Unfortunately, the strength of the 7 Foundational Principles of PbD is also their weakness [1]. Cavoukian deliberately made them powerful and flexible so that companies could find their own techniques for achieving them. This flexibility has gone wrong in some cases.

We noted that PbD principles are, for the most part, overlooked by conventional engineering methodologies when developing products. This neglect stems primarily from developers' and data controllers' lack of awareness and knowledge, as well as from inadequate tools for achieving PbD [3]. The challenge is that some companies label what they do as PbD when it certainly isn't. Most of them tackle only a narrow set of controls, such as encryption, access controls, ambiguous data deletion processes, and notice and consent. They don't adequately link risks to individuals with the existing organisational and technical controls. They simply claim to have privacy embedded into the design of their products because they encrypt data at rest, encrypt data in transit, give individuals notice before processing, offer individuals choices, and publish confusing statements about data deletion. This is a very restricted view of PbD. The outcome is that companies implement some encryption, add some opt-out buttons, and then assert that they have embedded privacy into the design of their product. A thorough PbD approach covers much more, and companies have to grasp these notions before making any such claim.


  1. https://www.linkedin.com/pulse/strategic-privacy-design-interview-jason-cronk-daniel-solove/

  2. https://iapp.org/media/pdf/resource_center/pbd_implement_7found_principles.pdf

  3. ENISA, 2014, Privacy and Data Protection by Design – from policy to engineering
