Privacy by design checklist

Taking a privacy by design approach minimises privacy risks and build trust.

Designing projects, processes, products or systems with privacy in mind at the outset also enhances culture of proactive data management and improves communication. 

While the concept of privacy by design is by no means new, it's now an explicit requirement for compliance with the General Data Protection Regulation. 

We asked Kate Armitage, Head of Quality Assurance and GDPR consultant at Qualsys to share a checklist of requirements for Privacy by Design. 

A free copy of this privacy by design checklist can be downloaded from our GDPR toolkit. 

 privacy by design checklist [GDPR checklist example]


Privacy by design should happen when making significant changes to systems for use within organisation or by data processors or products and services for the use of individuals or other organisations.

For example, when you are building new IT systems for storing or accessing personal data; developing legislation, policy or strategies that have privacy implications; embarking on a data sharing initiative; or using data for new purposes. 

For Qualsys, privacy by design is a fundamental part of our change management process for all operational and business change. 

It is an integral part of the development lifecycle, first being considered at the initial requirements and user story stage. It is then continued through the development cycle and reviewed by the TD and QA before sign-off.

                                          - Kate Armitage, Head of Quality Assurance


Key principles of Privacy by Design  Description
Proactive not reactive 


Anticipate and prevent privacy invasive events before they happen.


Privacy as the default 


Deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice.


Privacy is embedded


Privacy is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.


Full functionality 


Privacy by design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.


Visibility and transparency 


Privacy by design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification.


Respect for users


Keep the interests of the individual uppermost by offering such measures as strong privacy defaults.



Download the GDPR toolkit: 


GDPR toolkit


Topics: ISO 27001, GDPR, Tools

Share your thoughts on this article