Privacy by design
Privacy by design is the practice of building data protection into products and processes from the very start, rather than bolting it on afterward.
Privacy by design — a framework developed in Ontario by former commissioner Ann Cavoukian — holds that privacy should be the *default*, embedded into the architecture of systems and business practices, not a feature you add later. Core ideas include being proactive not reactive, collecting the minimum data needed, securing it end-to-end, and keeping practices transparent.
The concept is now baked into law. Quebec’s Law 25 requires that any technology product or service with privacy settings provide the highest level of confidentiality by default — privacy by *default* — without any action from the user. The EU GDPR codifies the same principle in Article 25.
Operationally it connects to the rest of your program: run a PIA early, minimize and de-identify data, document flows in your ROPA, and set defaults that protect users unless they knowingly choose otherwise.