Privacy by design: a gateway to the GDPR? – Alexandra Tsvetkova

Even though privacy by design was enshrined as a legal obligation with the GDPR, the idea of having fundamental rights enforced and ‘hard coded’ in technology dates back to the 1980s. Despite a few decades of heated discussions and the development of numerous technical measures, privacy by design remains largely a theoretical concept.

On the one hand, this is exacerbated by the fact that technical solutions, such as privacy-enhancing techniques (PETs), often reduce the right to privacy to oversimplistic and often naive explanations. On the other hand, the inherent vagueness of legal provisions, required to give the law the flexibility to address a wide range of situations, creates further challenges for the proper implementation of privacy by design.

Privacy by design plays a central role in the GDPR.

It could be seen as a gateway obligation which ‘unlocks’ the potential of the regulation for data controllers. Temporally situated at the ‘design’ stage, the obligation of privacy by design is an emanation of the risk-based approach of the GDPR which runs through the very fabric of the regulation’s underlying principles enshrined in Article 5.

How should data controllers and processors approach this overarching obligation, and why can the ‘information security’ mindset not be applied here? What are the challenges, and is privacy by design an attainable goal in the first place?

This session will look at the obligation of privacy by design as a gateway provision which unlocks the principles of data protection and provides guidance on how to achieve compliance. It will look at the relationships and dependencies between privacy by design (Art. 25), data protection impact assessment (Art. 35) and the security of processing (Art. 32) as the key to understanding the rationale of the GDPR.



Alexandra Tsvetkova is an expert in IT and Technology-related Legal Issues, with a narrow focus in the areas of e-Governance, e-Justice, personal data protection and security. She holds a Master’s degree in Informatics with a specialization in e-Business and e-Governance. Since 2008, she has been actively supporting the public and private sectors in making strategic decisions and managing current policies in the field of information technologies, and a number of strategic and legislative initiatives in these areas have been implemented with her participation.

Over the years, she has been responsible for the overall management and implementation of more than 75 projects, including projects tackling user-generated content, smart surveillance and security, privacy and data protection. As an expert, she has been involved in drafting legal and organizational analyses; conducting studies and consultations on IT legal and organizational restructuring; drafting legislative acts in the field of IT and the protection of personal data; and training on topics in the field of legal aspects of information technology and privacy.

Alexandra Tsvetkova / Expert in IT and Technology-related Legal Issues & Director at LIBRe Foundation