blogs & Things

Privacy By Design – What You Need To Know

Privacy First

Privacy-By-Design… We can hear you groaning already!

If you have absolutely anything to do with handling private data in your organisation then we’re sure the 25th May 2018, the day GDPR came into force, has been indelibly burned into your mind.

Companies, organisations and businesses were scrambling to secure their data to comply with the new regulations (and you’d be surprised how many still are), but it didn’t have to be that difficult.

That’s where Privacy-By-Design steps in to help…

What Is Privacy-By-Design?

Privacy-By-Design is an approach to creating a system that empowers data protection, privacy compliance and an individual’s right to privacy from the get-go.

Under Privacy-By-Design, protecting and anonymising data isn’t something that’s just bolted on at the very end of a project (if at all). Instead it becomes an integral part of both the current project and your organisation’s culture going forwards.

It’s worth noting here that although Privacy-By-Design isn’t specifically called for under GDPR, the benefits to its implementation within your organisation will be immeasurable when conforming to Data Privacy legislation (we’ll come back to this point at the end of this article).


Problems with Privacy-By-Design come when attempting to implement it with older, less secure systems.

Many organisations still struggle with legacy issues when introducing the principals of Privacy-By-Design and that’s where the experience of a privacy specialist partner can prove invaluable (*cough, shameless cloudThing plug, cough).

The reason organisations struggle is that a lot of older systems can’t enable or support modern data security best practices which help maintain confidentiality, integrity and the availability of data.

The solution then becomes one of trying to add patch over patch to make it work or stepping back and seeking a way to integrate it into those same legacy systems that mitigates data breaches and keep your organisation compliant with GDPR (or whichever legislation is applicable to your region).

Privacy-By-Design’s Foundational Principles

Privacy-By-Design can, perhaps, best be defined by looking deeper into each of its seven foundational principles…


  • Proactive Not Reactive; Preventive Not Remedial – Any approach to Privacy-By-Design should be proactive, not reactive. Rather than responding to privacy concerns as they occur, a Privacy-By-Design enabled system should try to anticipate and then prevent any invasive practises before they occur. It’s not there to help you respond to risks or breaches once they’ve occurred, its purpose is to make sure they don’t occur in the first place.
  • Privacy As A Default Setting – A Privacy-By-Design system should put an individual’s privacy first (the clues in the name!). If an individual does nothing, their privacy should still remain intact without having to sign in, opt out, re-register or unsubscribe. The individual’s privacy needs should come first, by default, never as an afterthought.
  • Privacy Embedded Into Design – Privacy-By-Design shouldn’t just be a cultural goal for your organisation. It should be embedded into the very design and Business Architecture of your IT systems and entire organisation. It should never be seen as a nuisance or a reactive protocol but instead a core component of all your Business and IT architecture.
  • Full functionality; Positive Sum, Not Zero-Sum – Any Privacy-By-Design system that you implement into your organisation, should, by default, seek to support all legitimate interests and goals your organisation has in a positive-sum (or win-win) manner. Conversations should never be held about trade-offs regarding goals, functionality or privacy (a zero-sum approach.) Privacy-By-Design skips over any seemingly contradictory goals, such as privacy vs security, instead making sure both are possible to achieve in a complimentary fashion.
  • End-To-End Security: Full Lifecycle Protection – Privacy-By-Design isn’t a one-time thing that an organisation can just ‘do’ then move on. It’s something that should extend throughout the lifecycle of the data you hold and the systems you hold it on. It should ensure that your systems are compliant for the entire lifecycle of the data you hold, erasing it in a timely fashion as well as ensuring your system stays private and secure with any future updates you might implement.
  • Visibility & Transparency, Keep It Open – Privacy-By-Design should give an organisation confidence in their business practises, technology and culture. Confidence that they’re being operated in a way that aligns them with the organisation’s goals whilst providing complete transparency to both staff and end users alike.
  • Respect For User Privacy, Maintain A User-Centric Perspective – Before anything else though, Privacy-By-Design should require all Business Architects involved with an organisation (both internal and external) and system operators to keep the interests of the end-user at the forefront of their mind.

Why Is Privacy-By-Design So Important?

As we’ve already mentioned, Privacy-By-Design isn’t (yet) necessary to be GDPR compliant.

However, implementing a Privacy-By-Design culture within your organisation will help you both be, and stay, compliant much more successfully than any other method.

It’s a powerful tool in both mitigating potential GDPR breaches and building trust with the public.

Creating a Privacy-By-Design system that places privacy above all else has multiple benefits, including…


  • It helps identify privacy risks early, allowing developers to adapt to and change your systems to address issues before they become organisation wide (and thus much more costly to fix).
  • It will increase awareness of data protection, GDPR and privacy in general across your organisation, helping with brand reputation.
  • It will have immeasurable benefit in showcasing how your organisation has met its legal obligations should you be called upon to demonstrate them, either by the ICO after a Data Breach or by a potential new client undertaking due diligence.


Ultimately GDPR will continue to evolve (and more and more countries will adopt similar legislation if they haven’t already).

Privacy is going to be the key issue that concerns consumers in the coming years.


Instead of adapting to new regulations as and when they become law, Privacy-By-Design allows your organisation to get ahead of that and focus on more important goals by future proofing your business now, something we at cloudThing refer to as Build Future.


We talk a lot about Big Data, Machine Learning, Deep Learning and Artificial Intelligence and in the coming years those terms will become standard for most sectors and industries but are going to open an organisation up to a world of hurt if they haven’t yet sorted out protecting an individual’s right to privacy.

That’s why Privacy-By-Design is the solution you need; if not now, then soon.

More blogs & Things

More blogs & Things

James Crossland in NonProfit

AI + Automation: Reducing Donor Churn & Maintaining Sponsor Interest

Churn management is a vital element of any marketing strategy, and the NonProfit sector is no exception. Knowing what to track and having a joined up view of all your donations data is vital for getting this right, and also opens the door to building innovative data-driven campaigns.   At our recent DataScience and Transformation in Charities […]

James Crossland in NonProfit

Dynamics 365 In NonProfit’s

Charities have unique funding concerns, and an obligation to spend as much as possible on their chosen cause. However, an investment in technology can offer ROI in the form of more than just improved fundraising. Dynamics 365 can help rework complex business processes, ensure compliance with stringent safeguarding and financial regulations, as well as consolidate […]

James Crossland in Tech

8 Ways Your Business Can Increase Turnover With Big Data

Understand how Big Data and Data Science can transform your business…   Big Data is the phrase that’s used to categorise any data that’s too large, complex, cumbersome or complicated to be managed and processed by conventional technology. To put that into a relatable context; being able to recommend your customers content, products or offers based […]

James Crossland in NonProfit

How To Reduce Donor Churn In NonProfits

Reducing Donor Churn doesn’t have to be a big task but does need to be a fundamental part of a NonProfit’s day to day processes   What Is Donor Churn? Donor Churn is the likelihood of an individual stopping their donations to a charitable cause for a variety of different reasons resulting in the non-profit organisation […]

James Crossland in Tech

Agile: Cutting Costs, Improving Quality & Accessing Talent

After using Agile to develop software products for several years, we thought we’d share the challenges we encountered at the start, what we did to change and the results we saw (which were ultimately uplifts in quality and efficiency)…   My development team has been using Agile to develop software product since 2007. Personally, I’ve seen many […]

James Crossland in Tech


What’s the difference between UI and UX?   Simply put UI (or User Interface) are the pages, screens, buttons, icons and any other visual aspects of a website or App that let you interact with it… or to expand on that into the non-virtual world… UI is how you experience using something – For instance in opening a fridge, […]