Privacy & security by design & default
In connection with the development of products and services, it is of great importance for trust in the company that the company applies principles of privacy & security by design & default (PbD & SbD). The goal is to create secure products and services and protect users’ privacy and personal information in the best possible manner.
6.1 Assessment
To work with Privacy & Security by Design, the company has to make an initial assessment of the risks and needs that must be considered. Once the company has established this, it has to choose the Privacy by Design strategy or strategies (6.2.1 – 6.2.3) that can be usefully applied and the level of security to be incorporated into the design of the solution.
6.1.1 Risk assessment
6.1.2 Assess the level of privacy and security
6.2 Privacy by design & default
Privacy by Design (PbD) means that the company thinks about and builds data protection and privacy safeguards into products and services from the earliest stages of development and throughout their lifecycle.
Source: ENISA
Embedding personal data protection into its activities will allow the company to work proactively on the risks associated with its processing of personal data, rather than simply reacting when an event actually occurs.
Source: White Paper on Data Ethics
The aim is to ensure that the company’s products and services protect users’ privacy and personal data from the moment they are deployed.
6.2.1 Minimise and limit
6.2.2 Separate and hide
6.2.3 Aggregate
6.2.4 Privacy by default (in-built protection of personal data)
6.2.5 Full functionality and protection of personal data
6.3 Security by design & default
The basic principle behind Security by Design (SbD) is that security should be considered and built into products and services from the earliest stages of development and throughout their lifecycle.
The aim is to ensure that the company’s products and services are secure from the moment they are deployed.
6.3.1 Minimise attack surface area
6.3.2 Establish secure defaults
6.3.3 Implement The Principle of Least Privilege (POLP)
6.3.4 Review of own and third-party code
6.4 Implementation throughout the development lifecycle
The company shall ensure that requirements for PbD and SbD are incorporated into its development of products and services.
6.4.1 Implementation through the development lifecycle
See all the criteria for IT security and responsible data usage that form the basis of the D-seal