Although its been around for a while, Privacy by Design and by Default has really come to the fore in Article 25 of the GDPR. This concept puts forward that if you are designing a process, technology, or any other item in a business, it should be designed to be secure and private by default. You need to adhere to the principles of privacy laws and regulations, and also implement appropriate means in both the organisation and in your technology to keep information private and to a minimum.

What does this mean?

Well, the law doesn’t really state how you’re supposed to go about this, and as such there have been some hot debates around it. In some cases, design documents of up to 17 pages have been used, where in others, a simple 1-pager questionnaire has been put in play. The fact is, you need to have some form of tangible evidence that you have taken privacy into account when designing things within your business. Some of the key examples of these are in projects, business processes, and software development.


When onboarding a new project, you should be very cognizant of what information you will be taking in during your project process, and how you are going to be treating it. Does your intake of information adhere to the Privacy Policy that you have advertised to your clients? Do you need to update your Privacy Policy? And are there perhaps additional security measures that need to be taken during a project in order to maintain compliance?

For every project that you take on board, do yourself a favour and request information in terms of the principles of privacy. Make sure you’re only taking what is necessary, make sure you’re transparent about it, and make sure you are providing the necessary security safeguards to ensure that your project is secure and private from the start.

Business Process

Within many business processes, there are likely to be transfers of personal information. If you have multiple branches, you need to ask questions around transferring this data across borders. Does the country that you’re transferring to have adequate laws? If not, are there binding corporate rules in place? When dealing with employee records, are you dealing with sensitive information such as race and political affiliation? Should you be taking extra precautions in storing this data?

When designing a business process, we recommend doing so in a Standard Operating Procedure where you can see the flow of data. If you can see the flow of data, you know what is coming in and how you should be asking questions to the relevant stakeholders.

Software Development

This is probably one of the most profound places where Privacy by Design and Default comes in, which is building privacy into your technology as a default state. You need to ensure that any feature you are developing takes privacy into consideration and incorporates mitigations in risky areas. If you’re storing special information, you should add additional encryption and security measures. If you’re developing something that is exposed to the web, it needs to be secure. You need to ensure your questions cover development holistically to avoid any pitfalls.

How can we get this in place?

These are all valuable questions that should be asked, and make up a small portion of the assessment you will need to make. It will be, at this stage, up to you as a company to define how you apply this within your business. Do you go for the very verbose route, and risk the exercise becoming a checklist process without enough thought, or do you ask meaningful questions in a shorter format for buy in? At Ross G Saunders Consulting, we offer a number of templates and solutions to assist in employing Privacy by Design and Default into your processes. Why not reach out to us or book a free online service enquiry below and find out about our “Privacy-in-a-Box” templates to help start you on your journey.

Share This

Share this post with your friends!