TÜV Rheinland Blog - Insights from Asia and Africa

The ‘Privacy by Design’ Framework - and How It Can Create More Organisational Value

Posted by TUV Rheinland on Jan 7, 2019 3:10:16 PM
TUV Rheinland

LinkedIn-TUV-7Jan-PrivacyByDesign copy

Back in the mid-90s, the former Canadian Information and Privacy Officer (Ontario), Ann Cavoukian, developed what has been called the Privacy by Design (“PbD”) Framework. The aim was to derive a set of proactive privacy considerations out of the existing common data protection (“DP”) foundations laid down among others in the Generally Accepted Privacy Principles (“GAPP”), the OECD Guidelines on the Protection of Privacy (1980), the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108, 1981) and various national DP laws and regulations.


Privacy by Design: Making Privacy Processes More Efficient

The original framework comprised 7 core principles:

  1. Proactive not reactive; preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric


These principles represented the efficient implementation of privacy requirements and their processes within organisations. Over the years, this framework has influenced many DP laws worldwide and even was partially adopted into laws, for example into the German Telecommunications law TDDSG back in 1997.

A solid concept endures. As we can see by the renaissance of PbD in the EU General Data Protection Regulation (“EU GDPR”), which stipulates the requirement of implementing PbD in Article 25, the approach is more applicable today than ever. The EU GDPR is also applicable to companies outside the EU if they are targeting EU customers and markets (market principle).

This brings global attention to the requirement of PbD, and its positive side effects as described further in this article. Besides this, PbD is on its triumphal march through various international data protection jurisdictions.


Proper Implementation is What Unlocks the Full Benefits of PbD

Criticism of the concept of PbD often states that it is too vague when it comes to its application and implementation in technical environments, and that it is challenging to implement – compared to common ISO Standards like the 27000 family, there are no specific measures and/or control structures to be followed.

To counteract this, we’ve found that it’s important to assign responsibility for PbD to the correct people, train them in the concept and their role in its implementation, and ensure they keep informed of the latest news and changes involved in its application. Download our whitepaper to learn more about how to realise better value through proper implementation of PbD, and about our experience with past implementations for various international customer.


For more information, speak with our experts:

Contact us now

Topics: cybersecurity, ICT, AA19_D01_IOTPriv