The European General Data Protection Regulation (GDPR) requires data controllers to take appropriate technical and organisational measures to protect personal data from unlawful processing. Article 25, in particular, introduces the principle of privacy by design, an innovative conceptual approach that obliges companies to start a project by identifying, from the outset, the right tools and approaches to protect personal data.
The principles governing the system are as follows:
prevent rather than correct, i.e. problems must be assessed in the design phase, and the application must prevent risks from materialising;
privacy as the default setting (e.g. it should not be compulsory to fill in a form field whose data is optional);
privacy built into the design (e.g. use of pseudonymisation or data minimisation techniques);
full functionality, so as to meet all needs (rejecting false dichotomies such as more privacy = less security);
security throughout the life cycle of the product or service;
visibility and transparency of processing, i.e. all operational steps must be transparent so that data protection can be verified;
user-centricity, i.e. respect for users' rights and timely, clear responses to their requests for access.
In short, the personal data protection system must place the user at the centre. This obliges the data controller to provide actual protection in substance, not merely in form: it is not enough for the design of the systems to comply with the standard if the user is not protected in practice.