Privacy by Design: assessment and certification

Privacy by Design

A risk management solution

Sylvia Kingsmill

Global Cyber Privacy Leader, Partner, Risk Consulting

KPMG in Canada


Related content

Privacy by Design: asessment and certification

Regulators, business leaders, and technologists all agree – an organization's privacy efforts cannot be solely assured by compliance with regulations; privacy must become the default mode of an operation.

Privacy by Design: a risk management solution

Privacy by Design builds on the premise that privacy should be embedded into the design, operation, and management of IT systems, networks, and business practices in order to prevent privacy vulnerabilities and the potential for irreparable financial and reputational harm.

Originally developed by Dr. Ann Cavoukian, Privacy by Design is now law under the EU's General Data Protection Regulation (GDPR) and a globally recognized ISO standard (ISO 31700, Consumer Protection: Privacy by Design for Consumer Goods and Services).

Privacy by Design is structured around 7 Foundational Principles, which exist as a baseline for robust data protection.

  1. Proactive not Reactive: Privacy by Design anticipates risks and prevents privacy invasive events before they happen to build customer trust.
  2. Privacy as the Default Setting: Personal data should be automatically protected – no action is needed by the user to protect their privacy – it is built into the system.
  3. Privacy Embedded into Design: Privacy is embedded into the design and architecture of IT systems, and becomes part of the product, service or processes' core functionality.
  4. Positive Sum, Not Zero Sum: Privacy by Design avoids the false idea of trade-offs between privacy and security, showcasing that it is possible to have both.
  5. End-to End Security: Privacy by Design embeds security into the system from the start, which works to ensure a secure lifestyle management of information.
  6. Visibility and Transparency: Privacy by Design ensures operational execution aligns with policies. The end-user should know which data is collected, and for what purpose.
  7. Respect for User Privacy: Privacy by Design develops trust by choosing user-centric measures - strong privacy defaults, appropriate notice, and empowering user- friendly options.

Compliance with Privacy by Design allows an organization to achieve a "defensible" position. A Privacy by Design Certification demonstrates an organization's proactive, risk-based approach to achieving compliance, as well as earning customers' trust while building a true due-diligence defence in the event of a privacy breach, investigation and/or complaint.

Read more in our PDF guide.

You may also be interested in learning about Canada's recent Digital Charter Implementation Act:

© 2021 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit

Connect with us


Want to do business with KPMG?


loading image Request for proposal

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Sign up today