
Since the introduction of the General Data Protection Regulation (GDPR), Privacy by Design has become an even more essential principle for every organization that handles personal data.

Now more than ever, it's crucial to integrate this principle into every service, product or system. This approach prevents risks right from the development stage, guaranteeing not only compliance with GDPR requirements, but also data security throughout its lifecycle.

1. By definition, what is "Privacy by Design" or, in other words, "data protection by design"?

Privacy by Design is one of the main principles laid down by the GDPR (Article 25, "Data protection by design and by default"). As a reminder, this European Regulation was introduced to strengthen the protection of personal data within the European Union.

What does this principle involve? It involves the Data Controller taking a proactive approach and applying personal data protection measures and rules, right from the design phase of new personal data processing operations.

This approach makes it possible to anticipate and plan for ways of ensuring the security of personal data, prior to the implementation of a new processing project.

2. Where does Privacy by Design come from?

This concept is not new: it was developed in the late 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada.

Among the foundational principles of Privacy by Design:

  • Proactive rather than reactive measures
  • Privacy as the default setting
  • Privacy embedded into the design of systems and practices
  • Full functionality: a positive-sum rather than a zero-sum paradigm

3. What's the difference between Privacy by Design and Privacy by Default?

The two are not opposed. On the contrary, they complement each other and share the same objective: to strengthen the protection of personal data. They differ, however, in where they apply.

Aspect       | Privacy by Design                                                                            | Privacy by Default
Application  | Design and development phase                                                                 | Use phase
Objective    | Integrate and take into account data protection right from the design stage of a new processing operation | Ensure that the default settings respect the privacy of data subjects

4. What is the objective? Protecting the rights and freedoms of individuals

The aim of Privacy by Design is to protect the fundamental Rights and Freedoms of individuals, in particular their right to privacy.

It ensures that their rights are respected and protected right from the start of the project, integrating confidentiality and security into every stage of design and development.

This must be a priority and concern shared by all controllers, designers and developers of products, services or systems.

The aim is to find the least "risky" solution for the Rights and Freedoms of the people concerned.

5. Is this an obligation for all companies? Who is responsible? What does it apply to?

Yes, Privacy by Design is mandatory for all companies handling personal data. This includes large companies and SMEs alike, as well as public bodies. Responsibility for its implementation lies with the data controller, i.e. the organization that decides the purposes and means of the processing. The Data Protection Officer (DPO), where one is appointed, advises on and monitors compliance, but the legal responsibility remains with the controller.

Privacy by Design applies to all services, systems or products dealing with personal data. Whether in healthcare, finance, e-commerce or online services, every company that collects, stores or processes personal data must integrate this principle into its design processes.


6. The risks of a project launched without Privacy by Design?

It is essential to make companies understand the necessity of this principle in order to avoid numerous risks.

Financial risks

Privacy by Design plays a major strategic role for companies. Integrating data protection into the design of a service, product or system prevents it from becoming an obstacle after launch. This preventive approach reduces the risk of non-compliance and its consequences.

Example 1: Imagine you're creating a mobile app with brand-new features, but you forget to think about GDPR compliance right from the start.

Once launched, you realize that you have to start all over again: rework or redesign certain pages or even remove functions that do not comply with the applicable rules regarding personal data.

The result: a waste of time and money.

Example 2: You start a new business, implement a great strategy, invest in tools and teams, but neglect the GDPR aspects. In the end, you discover that your project isn't feasible as it stands, or worse, that it's blocked by the regulations.

The risks of a project launched without GDPR compliance

When Privacy by Design is not integrated, the consequences can go far beyond simple adjustments. Launching a non-compliant project exposes you to major technical, legal and reputational risks.

Non-compliant processing can lead to security incidents or personal data breaches, resulting in loss, leakage or unauthorized exposure of personal data. On the one hand, these situations are often costly to rectify, and on the other, they can affect the trust of the people concerned.

Legal sanctions are also a major risk. Supervisory authorities such as the CNIL (the French data protection authority, Commission Nationale de l'Informatique et des Libertés) can impose significant fines (under the GDPR, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher), which weigh heavily on a company's finances and credibility.

Finally, visible non-compliance, which is often widely publicized, can tarnish a company's image, reduce clients' confidence and make it harder to acquire new users.

B. How do you put it into practice?


1. The role of the Data Protection Officer (DPO)

The Data Protection Officer (DPO) plays a central role in the application of Privacy by Design, acting as a guarantor of compliance and data protection within the organization. The DPO's scope of action is broad and covers the key points that help integrate the principles of the GDPR.

The DPO's duties will include:

  • Advise: the DPO guides the organization on the measures to put in place so that future data processing is GDPR compliant.
  • Assess the risks associated with future processing: the DPO identifies the risks associated with planned processing and, where it is required, advises the controller on carrying out a Data Protection Impact Assessment (DPIA).
  • Train and raise awareness: the DPO trains teams in data protection best practices and raises awareness of confidentiality issues among all employees.
  • Audit the planned processors: the DPO verifies that the processors the organization intends to use also comply with data protection rules.

2. Identify data to be protected and determine risks

The integration of Privacy by Design must be considered from the earliest design stages of a service or product. It's crucial not to wait until the product or service is already in operation before integrating data protection measures, as this could lead to costly adjustments or risks of non-compliance.

Raising team awareness of data protection issues

Raising employee awareness of data protection is a key element of Privacy by Design. This includes regular training of teams on best practices in security and personal data management.

The success of Privacy by Design depends on the commitment of everyone in the organization.

3. Data minimization: collect only the data you need

Data minimization means collecting and processing only the data that is strictly necessary to achieve the predefined purposes.

This approach limits the risks associated with the use of personal data.

Before collecting personal data, it is essential to ask the right questions:

  • Why is this data necessary?
  • What is it used for?
  • On what legal basis may it be collected?

Another essential aspect of minimization concerns the deletion of data, which must be planned in advance and correspond to a period strictly necessary to achieve the set purposes. Once this retention period has elapsed, the data must be deleted or anonymized in order to reduce the risk of misuse or non-compliance.

4. Enable the implementation of adequate technical and organizational security measures

Privacy by Design requires the implementation of both technical (e.g. encryption, access management systems) and organizational (e.g. procedures, awareness-raising) security measures sufficient to ensure end-to-end security throughout the entire data retention period. These measures can be defined and tested before the processing goes live.

With this in mind, adopting Privacy by Design enables us to anticipate these security challenges upstream and design optimal solutions from the outset, rather than adding corrective measures after the fact.

Example of a measure: pseudonymization is a method used to protect personal data by replacing identifying information with pseudonyms.

Although this does not guarantee total protection, pseudonymization considerably reduces the risks in the event of a data breach and facilitates compliance with the Privacy by Design principle. Two caveats matter in practice: pseudonymized data remains personal data under the GDPR as long as the additional information needed to re-identify a person (the key or the mapping table) exists, so that information must be kept separately and under its own access controls; and a plain, unkeyed hash of an e-mail address or phone number is not adequate pseudonymization, because the input space is small enough to be reversed by hashing candidate values.
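The following is an added example, not code from the original article or from Dipeeo. It puts three of the measures discussed above into working Python: data minimization at intake (section 3), keyed pseudonymization with HMAC-SHA256 instead of a bare hash (the measure just described), and a retention-based purge that either deletes or anonymizes expired records (the deletion planning of section 3). The record layout, field names, the one-year retention period and the sample records are my assumptions and are constructed, not real data; the key is drawn at start-up here but would come from a secret store kept apart from the data in a real deployment.

```python
# Added example (not from the original article): keyed pseudonymization,
# data minimization and a retention-based purge, in plain Python.
# Assumptions (mine, not the page's): records are dicts with an
# 'email_pseudonym' and a timezone-aware 'collected_at'; the pseudonymization
# key is held in a separate secret store (here a module variable) and is never
# stored next to the pseudonymized data set.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# In a real deployment this comes from a KMS/secret manager kept apart from
# the data: without it, a pseudonym cannot be linked back to a person.
PSEUDONYMIZATION_KEY = secrets.token_bytes(32)

# Fields whose presence keeps a record "personal data" even after pseudonymization.
IDENTIFYING_FIELDS = frozenset({"email", "email_pseudonym", "ip", "device_id"})


def pseudonymize(identifier: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) for an identifier such as an e-mail address.

    A bare SHA-256 of an e-mail is not adequate: the input space is small, so
    anyone can hash a candidate list and match. The secret key blocks that
    dictionary attack, while the output stays stable so the service can still
    join records about the same person.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize(payload: dict, allowed: frozenset) -> dict:
    """Data minimization: keep only the fields the declared purpose needs.
    Anything the client sent beyond the allow-list is dropped before storage."""
    return {k: v for k, v in payload.items() if k in allowed}


def purge_expired(records, retention: timedelta, now: datetime, mode: str = "delete"):
    """Apply the planned retention period.

    Records older than `retention` are deleted (mode='delete') or stripped of
    every identifying field (mode='anonymize'); the pseudonym is removed too,
    because a keyed pseudonym is still personal data while the key exists.
    Returns (surviving_records, number_of_records_affected).
    """
    if mode not in ("delete", "anonymize"):
        raise ValueError("mode must be 'delete' or 'anonymize'")
    cutoff = now - retention
    kept, affected = [], 0
    for rec in records:
        if rec["collected_at"] >= cutoff:
            kept.append(rec)
            continue
        affected += 1
        if mode == "anonymize":
            kept.append({k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS})
    return kept, affected


# Constructed sample data (not real users). The gift-personalization purpose
# needs only the e-mail and the order size at sign-up.
ALLOWED_AT_SIGNUP = frozenset({"email", "order_size"})
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"email_pseudonym": pseudonymize("old.user@example.com"), "order_size": 3,
     "collected_at": FIXED_NOW - timedelta(days=400)},
    {"email_pseudonym": pseudonymize("new.user@example.com"), "order_size": 1,
     "collected_at": FIXED_NOW - timedelta(days=10)},
]


def demo():
    """Run the three measures end to end and return the outcomes."""
    intake = minimize({"email": "New.User@Example.com", "order_size": 1,
                       "phone": "+33 6 00 00 00 00", "birthdate": "1990-01-01"},
                      ALLOWED_AT_SIGNUP)
    # Store the pseudonym, never the raw e-mail, in the analytics data set.
    stored = {"email_pseudonym": pseudonymize(intake["email"]),
              "order_size": intake["order_size"], "collected_at": FIXED_NOW}
    deleted, n_deleted = purge_expired(SAMPLE_RECORDS, timedelta(days=365), FIXED_NOW)
    anonymized, n_anon = purge_expired(SAMPLE_RECORDS, timedelta(days=365),
                                       FIXED_NOW, mode="anonymize")
    return {"intake_fields": sorted(intake), "stored_fields": sorted(stored),
            # Same person, different casing at sign-up: pseudonyms still match.
            "matches_existing": stored["email_pseudonym"] == SAMPLE_RECORDS[1]["email_pseudonym"],
            "deleted": n_deleted, "left_after_delete": len(deleted),
            "anonymized": n_anon, "left_after_anonymize": len(anonymized),
            "anonymized_record_fields": sorted(anonymized[0])}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the outcome of each step. The design point is the separation of duties between the data set and the key: a breach of the pseudonymized table alone yields stable but meaningless identifiers, while anonymization at the end of the retention period removes the pseudonym itself, since re-identification stays possible for as long as the key is held.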

5. Ensure a certain level of transparency and inform those concerned

Adopting a Privacy by Design approach not only guarantees the protection of personal data, but also provides essential transparency for those concerned by the processing of their data.

In this way, the data controller can put in place the necessary documentation, such as a clear, up-to-date privacy policy on its website or platform.

On the one hand, this practice makes it possible to meet the legal obligation to inform users, by specifying how their data is collected, used and protected.

On the other hand, it reinforces users' trust, giving them visibility into how their personal information is handled and showing that the company respects their privacy.

Examples: AI and mobile applications

Are you planning to design an AI system or a mobile application?

  • Mobile app -> the CNIL (the French data protection authority) recently reminded developers that apps must achieve privacy by design: many features need to be thought through, or revised, to ensure GDPR compliance. For example, if you're designing an app that lets people personalize gifts, the app must not access their photos or videos without their consent, and must let them choose which content they upload to it.
  • AI -> with the rise of emerging technologies such as artificial intelligence and mobile applications, new data protection challenges are appearing. Privacy by Design must adapt to these new realities, anticipating the risks associated with the massive use of data and ensuring that privacy principles are always respected in these complex contexts.

e.g.: AI system design

Dipeeo