Privacy by Design originated in the work of Ann Cavoukian, then Ontario's Information and Privacy Commissioner, in the 1990s. It was codified into binding law by Article 25 of the GDPR ("Data Protection by Design and by Default"). The principle is straightforward: privacy and data protection requirements should be embedded into systems, products, and processes from the start, not bolted on after launch.
In engineering practice, this means default settings that minimize data collection, technical controls (encryption, access restriction, pseudonymization) chosen at design time rather than retrofitted, data flows mapped before code ships rather than after, and lawful bases identified during product specification rather than at a privacy-review gate. The opposite — Privacy by Patch — produces compliance theatre and operational debt that compounds over time.
Privacy by Design is not just a regulatory checkbox. It is a software engineering discipline that closely resembles security-by-design: the cheapest time to fix a flaw is before it ships. Organizations that build with it produce data architectures where DSARs, erasures, and audits are routine API calls — not multi-team firefighting exercises.
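The design-time controls described above (protective defaults, pseudonymization, and access and erasure requests as single calls) can be sketched as follows. This is an added example, not code from the original page; the purpose map, the `Consent` and `SubjectStore` names, and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example: purposes and the fields each one needs, fixed at design time.
# The purposes and field names are hypothetical.
PURPOSE_FIELDS = {
    "service": {"email"},             # required to deliver the product
    "analytics": {"page", "device"},  # optional, opt-in
    "marketing": {"interests"},       # optional, opt-in
}

@dataclass
class Consent:
    # Privacy by default: every optional purpose starts disabled.
    analytics: bool = False
    marketing: bool = False

    def allowed_fields(self) -> set:
        allowed = set(PURPOSE_FIELDS["service"])
        if self.analytics:
            allowed |= PURPOSE_FIELDS["analytics"]
        if self.marketing:
            allowed |= PURPOSE_FIELDS["marketing"]
        return allowed

@dataclass
class SubjectStore:
    key: bytes  # pseudonymization key, assumed to be held apart from the data
    records: dict = field(default_factory=dict)

    def pseudonym(self, user_id: str) -> str:
        # Keyed HMAC: without the key, a pseudonym cannot be recomputed from a guessed id.
        return hmac.new(self.key, user_id.encode(), hashlib.sha256).hexdigest()

    def collect(self, user_id: str, consent: Consent, data: dict) -> dict:
        # Data minimization: fields outside the permitted purposes are never stored.
        kept = {k: v for k, v in data.items() if k in consent.allowed_fields()}
        self.records.setdefault(self.pseudonym(user_id), []).append(kept)
        return kept

    def export(self, user_id: str) -> list:
        # Access request (DSAR): one lookup by pseudonym.
        return list(self.records.get(self.pseudonym(user_id), []))

    def erase(self, user_id: str) -> int:
        # Erasure request: drop everything held under the pseudonym, return the count removed.
        return len(self.records.pop(self.pseudonym(user_id), []))
```

Because every record is filed under one pseudonym from the first write, export and erasure need no cross-system search, which is the property the paragraph above attributes to systems built this way.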
