"Privacy by design" is one of those phrases you read everywhere and rarely understand. It is often treated as a document to attach to a project, a box to tick before going live. In reality it is not a piece of paperwork: it is the way software is conceived and built from the very first line, so that it protects people's data without anyone having to remember to do so afterwards.
What the GDPR actually says
The principle is written plainly in Article 25 of the GDPR, which speaks of "data protection by design and by default". These are two distinct things. Protection by design concerns the choices made while the system is being built. Protection by default concerns how the system behaves the moment it is switched on, before anyone touches a single setting.
The law does not mandate a specific technology. It asks for an outcome: that data protection be built into the system, proportionate to the risks, and not bolted on afterwards as a patch. It is a difference of substance, not of form. A well-designed system does not have to chase compliance: it already has it inside.
It is not a document, it is an architecture








