Privacy by Design

‘Privacy by design will help organisations build better processes, products, and services that consider individuals’ privacy interest as a design requirement. It is about how to build things that people can trust.’ – J Cronk Strategic Privacy by Design


Adopting privacy by design (PbD) is essential for almost every organisation. Any change project or product that involves data processing should be guided by PbD.

Privacy by design is an approach to building privacy and data protection up front, into the very DNA of technologies, business practices, products and services and physical infrastructure.  It is particularly important in the development of mobile applications, medical devices and other technologies that might involve the collection or processing of personal information. PbD also ensures that privacy is considered whenever there is any significant change to a business, such as mergers, acquisitions, doing business in a new jurisdiction, rolling out a new product or internationalising an existing one.

PbD is an important risk mitigation step and should be part of any Privacy Management Program.  For more information about Privacy Management Programs, including how we can help you develop yours – see Privacy Management Program.


How this Service Helps

Generally, PbD ensures that strong privacy practices are identified and implemented early and consistently. This helps ensure that all products, solutions and other processing activities within your organisation support commitment to the responsible and ethical use and protection of personal data.

Our PbD consulting services use tools like policies, privacy impact assessments and training to help get you there.  Our deep understanding of product development lifecycles means we can assist you to build PbD into your existing processes.

Our expertise includes:

  • Developing Privacy by Design policies and processes and other supporting collateral;
  • Designing a plan for the integration of PbD into your organisational processes;
  • Integrating PIAs into the design process;
  • Privacy by design training.

Implementation of PbD means that privacy is thought about early in any design initiative or other project, which provides opportunities to bake in privacy protections, rather than adding them as an afterthought.  It also means that the types of information and how they intend to be processed are considered at the design stage.


How this Service Works

We’ll tailor our response to meet your specific PbD needs and provide up-front costings.

You will be allocated a dedicated senior privacy consultant who will coordinate the delivery of the PbD service for you based on the detailed quote and scoping we will have included in our proposal.

Your dedicated privacy consultant can also call on the assistance of other members of our team including data governance, and information security experts.


What you Get

The outcome of your PbD project depends on the nature of your project and the terms of our engagement.  However, it may include:

  • Privacy review of a product or service including recommendations for the implementation of privacy controls as part of the design;
  • Development of privacy by design policies and processes;
  • Recommendations on work-flow design to support building PbD into existing organisational processes;
  • Guidance documents, training and other collateral for use by relevant stakeholders (e.g. technology, application developers, information security and business owners); and
  • PbD training and awareness materials.


What it Costs?

Privacy108 can provide a fixed price quote for your privacy by design initiative.  Our rates are competitive and will be supported by a detailed quote that specifies the work we will undertake and the deliverables you will receive as part of the project.

Privacy by Design FAQ’s

What are the foundational principles of PbD?

Privacy by design is based on seven “foundational principles”:

  1. Proactive not reactive; preventive not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric

What is the history of PbD?

According to Jason Cronk in “Strategic Privacy by Design” – though usage of the term “privacy by design” originated some time in the early 1990s, Dr. Ann Cavoukian created the modern conceptualization in 2009, early in her role as information and privacy  commissioner of the province of Ontario, Canada.  Based on 7 foundational principles outlined above, PbD has been criticised as being too vague and general. However, the generality was intentional on Dr. Cavoukian’s part. She desired to give designers flexibility while still promoting the integration of privacy into system design. The lack of specificity, though, has somewhat hampered adoption by engineers and others who desired more guidance in how to meet the principles.

Are we required to follow PbD principles?

PbD was included in the GDPR which requires controllers to implement data protection by design and data protection by default.  The same requirements are included in the UK data protection legislation. PbD has also been recognised as key practice for protecting privacy by the US Federal Trade Commission.

There is no legal obligation to implement PbD in Australia, however it is an important privacy risk mitigation step.

Does the OAIC support PbD?

In Australia, the OAIC supports the adoption of PbD but it is not required in the Privacy Act 1988 (Cth). In the OAIC’s recommendations for a privacy management framework, organisations are encouraged to “adopt a ‘privacy by design’ approach. Ensure you consider the seven foundational principles of privacy by design in all your business projects and decisions that involve personal information.’

At a State level, the Commissioner for Privacy and Data Protection for the State of Victoria (CPDP) has formally adopted privacy by design as a core policy to underpin information privacy management in the Victorian public sector.

What's the difference between PbD and Privacy Engineering?

PbD and privacy engineering are often used interchangeably. More frequently used now, the term “privacy engineering” has come to encompass both the high-level concept of system design (or engineering) and the more specific tasks of incorporating privacy into various areas of technology.

Why choose Privacy 108?

Privacy108 are specialists in privacy and information security – it’s all we do!

We are familiar with the privacy and security issues commonly faced by organisations and have developed practical and cost-effective solutions for those issues.

Our team has invested in developing templates, questionnaires and guidance documents, using best practices and published standards, that help ensure that all our reports and other deliverables are targeted, practical and easy to understand.  We also keep up to date with all the latest changes to privacy law and practice so we can provide current and timely advice.

The team understands sophisticated technology, IT systems and concepts, complex relationships with service providers and the importance of developing the right organisational culture. We provide practical guidance and advice so organisations achieve their goals while meeting their compliance obligations.

Who are Privacy 108?

Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.

We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high quality practical advice.

Contact Us

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.