GDPR's Privacy by Design – The 7 Foundational Principles

Privacy by design (PbD), a concept developed in the 90’s by Ann Cavoukian, aims to address the ever-growing and systemic effects of Information and Communication Technologies, and of large-scale networked data systems.

PbD advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.

Here are the 7 principles of PbD:

  1. Proactive not Reactive; Preventative not Remedial

This principle advises organizations to be proactive when it comes to anticipating future mishaps like data breaches. PbD advises being preventive - administering the necessary policies and procedures in place before anything happens - rather than taking remedial measures after the accident has occurred.

  1. Privacy as the Default Setting

This principle advises organizations to build security into their systems by default. By 'default,' we mean that individuals' data are automatically protected without them having to do anything since privacy has already been built into the system.

  1. Privacy Embedded into Design

This principle, which can be loosely considered as an extension of the 2nd principle, advises organizations to embed privacy into their systems. This means privacy should be integrated into the system from the get-go, and not later as an add-on. Organizations should also ensure the functionality of the system along with privacy -individuals' user-experience shouldn't be compromised for the sake of privacy.

  1. Full Functionality — Positive-Sum, not Zero-Sum.

This principle advises organizations to take into consideration all business objectives when it comes to privacy. They should achieve a win-win situation, full functionality, and not make unnecessary trade-offs. This principle demonstrates that you can build privacy while maintaining security and functionality without making any trade-offs.

  1. End-to-End Security — Full Lifecycle Protection

This principle advises organizations to secure data throughout its lifecycle – from start to finish. Hence, from sensitive data discovery, to data masking, data monitoring and minimization – data should be protected at each stage.

  1. Visibility and Transparency — Keep it Open

This principle advises organizations to be accountable for their security systems. The more visible and transparent they are about their processes and technology, the more accountability and trust they can build.

  1. Respect for User Privacy — Keep it User-Centric

In the final principle, PbD advises organizations to regard user privacy as their highest concern. Security systems should be designed keeping user-friendliness in mind and should be optimized to take care of all their data security needs.


Businesses need not wait for a data protection regulation to inform them that they need to follow best principles when it comes to securing their sensitive data. Going through PbD gives companies a good idea on how to build a robust data security platform. In this way, compliance isn’t a question at all.

How we can help you build a robust data security platform

The MENTIS platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems -providingcapabilities from sensitive data discovery, masking, and monitoring to data retirement.Engineered with unique, scalable architecture and built-in separation of duties,itdeliverscomprehensive, consistent, and reliable data and application securityacrossvariousdata sources(mainframe, relational databases, unstructured data, big data, on-premise,and cloud).


Information and Privacy Commissioner of Ontario –

Privacy by Design: The 7 Foundational Principles