Quiz Entry - updated: 2026.07.05
Privacy by Design sounds like a good idea. But is it actually a legal requirement? What does the GDPR say?
GDPR Article 25 makes Privacy by Design and Privacy by Default a binding legal obligation, defining five specific elements that organizations must implement.
The five elements of Article 25:
- Data minimization. Collect and process only what's strictly necessary for the stated purpose. If you don't need it, don't collect it.
- Pseudonymization. Replace identifying information with artificial identifiers. The real identity can only be restored with a separate key that's stored securely.
- Transparency. Make data processing activities clear and understandable to data subjects. No hidden data flows.
- Monitoring capability. Enable data subjects to oversee how their personal data is being processed. This means dashboards, export tools, and clear documentation.
- Security functions. Implement appropriate technical protections proportionate to the risk.
Two important qualifiers: First, implementation must be proportionate to the risk. A local bakery's website doesn't need the same measures as a health insurance platform. Second, certifications can serve as proof of compliance, giving organizations a structured way to demonstrate they meet the requirements.
Go deeper:
GDPR Art. 25 — Data protection by design and by default — the binding text.
Privacy by design (Wikipedia) — Cavoukian's origin and the seven principles.