Privacy by Design and Data Retention Policies
Apply privacy-by-design principles to system architecture and build data retention and destruction policies that reduce both liability and storage costs.
Introduction to Privacy by Design
Privacy by Design (PbD) is a framework developed by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, in the 1990s. It treats privacy as a foundational architectural requirement rather than an afterthought: instead of bolting privacy controls onto a system after it is built, PbD integrates them from the first design decision. GDPR Article 25 ("Data protection by design and by default") turned the idea into a legal obligation for controllers subject to the Regulation. Appropriate technical and organisational measures must be built in from the design stage, and, by default, only the personal data necessary for each specific purpose may be collected, processed, stored or made accessible. The privacy-protective setting must therefore be the one a user gets without taking any action.
The 7 Foundational Principles of PbD
Cavoukian's seven principles are:
- Proactive not reactive, preventative not remedial: anticipate and prevent privacy-invasive events before they occur rather than offering remedies afterwards.
- Privacy as the default setting: personal data is protected automatically, with no action required from the user.
- Privacy embedded into design: privacy is an integral component of the architecture, not a layer added on top.
- Full functionality, positive-sum not zero-sum: privacy is delivered alongside security and functionality rather than traded against them.
- End-to-end security, full lifecycle protection: data is protected from collection through use and storage to secure destruction.
- Visibility and transparency: components and operations remain open to independent verification by users and providers.
- Respect for user privacy: strong privacy defaults, appropriate notice and user-friendly controls keep the design user-centric.
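A retention schedule is the concrete form that principles 2 and 5 take inside a system: every category of personal data carries a declared purpose, a retention period and a disposal rule, and a record with no declared purpose falls through to the shortest period in the schedule rather than to indefinite storage. The following is an added Python example, not code from the original lesson; the purposes, durations, field names and sample records are constructed for illustration and do not represent any real or legally vetted retention schedule.

```python
"""Retention-policy evaluator illustrating 'privacy as the default' and
lifecycle protection through disposal.

Added example: the schedule, field names and records below are constructed
for illustration and are not a legal retention schedule.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule keyed by declared processing purpose.
# Durations are illustrative assumptions, not legal advice.
RETENTION_DAYS = {
    "billing": 365 * 7,          # assumed tax/audit retention
    "support_ticket": 365 * 2,
    "marketing_consent": 365,
    "session_telemetry": 30,
}

# Privacy as the default: an undeclared or unknown purpose gets the shortest
# period in the schedule, never an indefinite one.
DEFAULT_RETENTION_DAYS = min(RETENTION_DAYS.values())


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str            # declared purpose of processing ("" = undeclared)
    collected_on: date
    legal_hold: bool = False  # a hold suspends destruction but never extends use


def retention_period(purpose: str) -> timedelta:
    """Look up the retention period, falling back to the shortest one."""
    return timedelta(days=RETENTION_DAYS.get(purpose, DEFAULT_RETENTION_DAYS))


def expiry_date(record: Record) -> date:
    """Date from which the record must be destroyed."""
    return record.collected_on + retention_period(record.purpose)


def disposition(record: Record, today: date) -> str:
    """Return 'hold', 'destroy' or 'retain' for one record as of `today`."""
    if record.legal_hold:
        return "hold"
    return "destroy" if today >= expiry_date(record) else "retain"


def plan_disposal(records: list[Record], today: date) -> dict[str, list[str]]:
    """Partition an inventory into destroy / retain / hold buckets of record ids."""
    plan: dict[str, list[str]] = {"destroy": [], "retain": [], "hold": []}
    for record in records:
        plan[disposition(record, today)].append(record.record_id)
    return plan


# Constructed sample inventory and evaluation date.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1001", "billing", date(2017, 3, 1)),        # past 7 years
    Record("inv-1002", "billing", date(2022, 6, 15)),       # still within period
    Record("tkt-2001", "support_ticket", date(2021, 1, 10)),  # past 2 years
    Record("tel-3001", "session_telemetry", date(2024, 5, 15)),  # 30 days not up
    Record("unk-4001", "", date(2024, 4, 1)),               # no declared purpose
    Record("inv-1003", "billing", date(2015, 1, 1), legal_hold=True),
]

if __name__ == "__main__":
    for bucket, ids in plan_disposal(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket:8} {ids}")
```

Two design points carry the principles. The fallback for an undeclared purpose is deliberately the shortest period, so a data source that nobody bothered to classify is purged first instead of accumulating forever; and a legal hold only suspends destruction, it does not widen what the data may be used for. In a real system the `destroy` bucket would feed a deletion job that also covers backups, search indexes and analytics copies, since principle 5 is about the whole lifecycle, not the primary store alone.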
All lessons in this course
- Data Classification: Public, Internal, Confidential, Restricted
- GDPR and Data Subject Rights
- HIPAA, PCI-DSS, and Sector-Specific Regulations
- Privacy by Design and Data Retention Policies