UODO 2025 - Privacy by Design

Presentation on Privacy by Design at a conference organized by the President of the Personal Data Protection Office

At a conference organized by the President of the Personal Data Protection Office (PDPO), I presented a topic on data protection by design from the perspective of the data controller.

Piotr Siemieniak, PhD

Privacy by Design (PbD) is an approach asserting that privacy and personal data protection should be considered from the earliest phases of designing systems, processes, and services. The concept was developed in Canada and later incorporated into the European legal framework as Data Protection by Design & Default (Article 25 of the GDPR). In practice, this means that every data controller must account for data protection and security from the moment a new solution is first conceived, rather than waiting until after it has been deployed.

Introduction to the Idea of Privacy by Design

Privacy by Design is rooted in the work of Dr. Ann Cavoukian, who proposed seven straightforward principles. They share a core belief that effective data protection cannot be just a final add-on; it must be the starting point for the entire life cycle of a product or service. In the European Union, this philosophy was recognized and incorporated into the GDPR, which in practice compels data controllers to implement technical and organizational measures right from the project’s conceptual stage.

Why Privacy by Design Is Important

In public discourse, we often encounter various myths regarding privacy. Statements like “If you have nothing to hide, you have nothing to fear” are sometimes repeated almost as a mantra. However, this kind of thinking is flawed and frequently leads to the degradation of citizens’ rights and freedoms. Careless collection of personal data and excessive data processing can result in genuine risks—ranging from marketing abuses to security breaches and identity theft.

That is why Article 25 of the GDPR requires that data protection principles be taken into account from the earliest stages of developing any new data processing procedure. The data controller is responsible for adopting appropriate technical measures and for creating internal processes that support personal data protection.

Differences Between Privacy by Design and Data Protection by Design & Default

While these two concepts are closely related, they are not identical. Privacy by Design is a broader idea, essentially a set of principles or best practices that can be implemented in projects. Data Protection by Design & Default, by contrast, is a legal obligation anchored in Article 25 of the GDPR. This latter concept imposes an explicit requirement to comply, meaning that failure to follow these rules can lead to legal liability and administrative penalties.

Privacy Enhancing Technologies vs. Privacy Invading Technologies

Privacy by Design emphasizes the importance of selecting appropriate technological solutions. Privacy Enhancing Technologies (PET), such as encryption, pseudonymization, or anonymization, are intended to strengthen privacy and give users control over their data. In contrast, Privacy Invading Technologies (PIT) are designed, often intentionally, to capture or misuse information. One example is so-called Dark Patterns—website or app interfaces that manipulate users into giving certain permissions or disclosing personal data.

In practice, choosing the right tools and solutions from the outset can greatly reduce the risk of privacy violations and the ensuing legal consequences. Therefore, a solid understanding and skillful adoption of privacy-enhancing technologies is one of the cornerstones for meeting the requirements of Article 25 of the GDPR.

Key Obligations Under Article 25 of the GDPR

Although Article 25 of the GDPR is relatively short, it has far-reaching implications. It obligates data controllers to implement technical and organizational measures that consider the risk of infringing on the rights and freedoms of individuals. These obligations are both continuous and dynamic—one cannot simply conduct a single risk analysis or audit and then consider the matter closed. Instead, it is necessary to regularly review whether the measures in place remain adequate.

This approach also requires interdisciplinary knowledge—spanning law, technology, and management. Its successful implementation involves addressing both process-level considerations (policies, regulations, guidelines) and technology-level elements (system configurations, encryption, anonymization). Only such a multi-layered strategy offers a realistic chance to build an organization where privacy is treated as a priority from the design phase onward.

Practical Challenges and Limitations

While it may seem straightforward for the law to mandate data protection by design, reality shows that there are numerous difficulties. The regulations provide significant flexibility, which can be beneficial but also makes it challenging for data controllers to achieve certainty and clarity in their compliance efforts. Certification mechanisms and codes of conduct—tools that could potentially help demonstrate accountability—are not yet fully established or widely accessible.

Scale also plays a major role. Larger organizations with more resources and robust legal or technical departments are better positioned to implement best practices. Smaller companies and startups often lack the specialized personnel needed to effectively merge legal requirements with the technological safeguards that assure a high level of data protection. This raises costs and extends the time needed to develop GDPR-compliant solutions.

Future Outlook and Recommendations

The complexity of privacy protection is increasing, especially with the advent of advanced technologies like artificial intelligence. A promising approach would be to extend the “by Design” principle to other areas, not solely limited to the direct processing of personal data. IoT solutions, smart devices, and “smart” toys, for example, can significantly affect privacy—even if they do not obviously collect personal data.

Education is crucial in this regard. Many organizations still lack access to qualified experts who can guide them in implementing the principles of data protection by design, a process that requires the involvement of legal professionals, engineers, and managers alike. Training sessions, conferences, and materials that offer structured, comprehensive insights could lower the barriers to entry for smaller entities and startups, which frequently bring innovative products to market.

Conclusion

Data Protection by Design—taking data protection into account from the design stage—is an interdisciplinary challenge linking legal, engineering, and management perspectives. Although Article 25 of the GDPR is concise, effectively putting its guidelines into practice demands thorough risk assessment, a well-considered selection of technical and organizational measures, and ongoing reviews to ensure existing safeguards remain up to date.

Difficulties arise from the limited availability of certification mechanisms and the lack of specialized expertise combining legal and technological knowledge. In the long run, however, data protection by design exerts a positive influence on cultivating a culture of data protection, encouraging ethical system design, and raising awareness of privacy’s importance in a digital society. For it to become a common standard, continuous effort is needed in education, practical guidance, and organizational support for achieving GDPR compliance from the very inception of new solutions.

The full recording is available on YouTube.
