Article 25 of GDPR has been on the books since 2018. It requires organisations to implement data protection by design and by default — building privacy into systems, processes, and products from the outset, not retrofitting it after the fact. Five years on, it remains one of the least-evidenced requirements in European privacy practice.

Organisations routinely claim to apply privacy by design. Very few can demonstrate it in a way that satisfies a regulator or a sophisticated client. The gap between saying “we consider privacy in our product development” and having documented evidence of how that consideration was applied — and what it produced — is wide, and it is exactly the kind of gap that enforcement actions expose.

ISO 27701:2019 provides the operational framework for closing that gap. This post explains how.

What Privacy by Design Actually Requires

GDPR Article 25 contains two distinct obligations that are often conflated:

Data protection by design: Technical and organisational measures must be implemented — at the time of determining the means of processing and at the time of the processing itself — that are designed to implement data protection principles (such as data minimisation) and protect data subjects’ rights. This obligation applies before a system is built or a process is designed, not after it goes live.

Data protection by default: By default, only personal data that is necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the storage period, and the accessibility of the data. Default settings must be privacy-protective — users should not have to opt out of data collection; they should have to opt in.

Together, these obligations mean that privacy must be designed into systems before they are deployed. That requires a process: a defined point in the product development or procurement lifecycle where privacy implications are assessed, controls are specified, and decisions are documented.

How ISO 27701 Operationalises Privacy by Design

ISO 27701’s controls for PII Controllers include specific requirements for privacy by design and by default (Section 7.4). These controls require organisations to:

The key word in that last point is “document.” ISO 27701 does not just require privacy by design to be applied — it requires it to be evidenced. The documentation of privacy design decisions is the audit trail that demonstrates the obligation is being met in practice, not just in aspiration.

What This Looks Like in Practice

A software company building a new product feature that collects user location data should, under ISO 27701’s privacy by design requirement, be able to produce documentation showing:

This is not a bureaucratic exercise for its own sake. It is a documented decision-making process that forces the product team to think through privacy implications before they become problems — and that creates a record that can be presented to a regulator, a client, or an auditor as evidence that privacy was genuinely considered.

Where Most Organisations Fall Short

The most common failure mode is informal practice without documentation. A privacy-aware product team may genuinely consider privacy implications during development discussions. They may make sensible decisions about data minimisation and access control. But if those discussions are not documented — if there is no written record of the privacy assessment that was performed and the controls that were specified — they leave no evidence.

Regulators do not credit good intentions. When the ICO or CNIL investigates an incident or complaint, they ask for documents. “We always consider privacy in our development process” is not a document. A completed privacy impact screening template, dated, with the product owner and DPO sign-off, is a document.

ISO 27701 solves this by requiring the documentation. Once the requirement to document privacy design decisions is embedded in your development lifecycle — as a PIMS control with an audit trail — the documentation happens naturally as part of the process, not as a retrospective exercise.

The Integration With Your Development Lifecycle

For ISO 27701’s privacy by design controls to work in practice, they need to be integrated into your existing product development or procurement process — not run as a parallel privacy review that the product team can bypass. This typically means:

When these are embedded in your PIMS as documented controls with clear ownership and evidence requirements, privacy by design moves from aspiration to operational reality.

At Bitsecura, we design PIMS implementations that embed privacy by design into your actual development and procurement processes — not as a parallel governance exercise, but as an integrated control with documentation that satisfies both ISO 27701 auditors and data protection regulators.

If you want to understand how to make privacy by design operational and evidenced in your organisation, talk to us here. No commitment, no sales pitch.


Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.