Maturity model

The focus area maturity model for privacy-by-design consists of 14 focus areas and 60 capabilities across 10 maturity levels. The matrix below lists each focus area with its capabilities, which are distributed over the maturity levels according to the dependencies among them. A full overview with a description of each capability is given below, per focus area.

Maturity matrix

 #   Focus area               Capabilities (placed on maturity levels 0 to 10, in this order)
 1   Requirements             A B C D
 2   Architecture             A B C D
 3   Development              A B C D E
 4   Technology               A B C D E
 5   PIA process              A B C D E F
 6   PIA report               A B C D
 7   Risk management          A B C D
 8   Processing principles    A B C D
 9   Subject rights           A B C D
10   Transparency             A B C D
11   Third-party management   A B C
12   Roles                    A B C D
13   Awareness                A B C D
14   Monitoring               A B C D E

Capabilities

Focus area 1: Requirements
A. Privacy requirements are formulated before the design stage, based on general privacy principles and the PIA. Business and legal requirements are elicited with privacy in mind, and privacy-violating requirements are discarded.
B. All privacy and security requirements are collected and validated for technical soundness and implementation viability. Adherence of the system to the requirements is verified during validation through pre-formulated requirement constraints and tests.
C. Stakeholders are extensively involved in the formulation of privacy goals and the identification of privacy requirements. Elicited privacy requirements are related to specific threats or principles to guarantee traceability and accountability. The privacy office documents and tracks the requirements and considers privacy risks in the design phase for all processes and systems.
D. Advice from ethical experts is obtained regarding requirements for sensitive personal data.

Focus area 2: Architecture
A. A privacy architecture viewpoint is included in the project architecture for new initiatives. The privacy architecture maps privacy requirements onto the project architecture, translates privacy design strategies to tactics, and models data sets, processing purposes, lawful grounds, actors, legal roles, and personal data types.
B. The data flows for all processing activities are modelled in a data flow diagram and documented as part of the enterprise architecture. The privacy architecture viewpoints document the relationships between existing and new elements.
C. Architecture models are verified for completeness and soundness. The architecture and models are validated to confirm that privacy requirements are implemented correctly. Selected privacy tactics are integrated by means of available privacy design patterns and PETs.
D. Processing activities and related information elements are exhaustively modelled and traceable through all layers of the architecture. Privacy design patterns and PETs are selected from a centralised catalogue in a structured manner.

Focus area 3: Development
A. Privacy requirements are incorporated in low-level design. Acceptance testing is used to ensure that the system meets the privacy and security requirements.
B. Privacy and data protection activities are integrated in the methods and workflows of the software development lifecycle. Operational behaviour is checked against applicable privacy policies and procedures.
C. Privacy-by-design is applied and documented within change management procedures. A process is in place to ensure that updates to privacy notices are considered for every significant change in the organisation's processing activities.
D. A catalogue of privacy patterns with relevant code excerpts is established to enable reusable design. Information systems are designed with automated privacy controls where possible.
E. Privacy policies are embedded in system design and are automatically enforced.

Focus area 4: Technology
A. Purpose-based access is used to limit access to personal data so that it can only be accessed for legitimate processing activities. Personal data is encrypted in transit.
B. Privacy enhancing technologies (PETs) are selected, developed, and used to implement privacy design patterns.
C. The selected privacy enhancing technologies are assessed for effectiveness and for the added value they bring to the provided degree of privacy; unnecessary PETs are removed. New and existing PETs are catalogued.
D. Enforcement of privacy policies is embedded in the technical design where suitable. The problem expressed by a privacy design pattern is mapped to a PET selected from the PET catalogue, taking into account the quantitative and qualitative costs and benefits. The privacy protection technology is continuously monitored, optimised, and upgraded.
E. Revocable privacy is implemented through privacy-by-architecture, including PETs, limiting access to personal data unless pre-established conditions are met that necessitate lawful access to the data.
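As an added illustration of the purpose-based access described under capability A of this focus area (example code, not from the maturity model's authors): each request is checked against a register of processing activities of the kind the architecture focus area models (purpose, lawful ground, actors, data types), and is denied unless a registered activity permits that combination. The register entries, role names and purpose names are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    purpose: str
    lawful_ground: str               # e.g. "contract", "legal_obligation", "consent"
    roles: FrozenSet[str]            # actor roles permitted to act for this purpose
    data_categories: FrozenSet[str]  # personal-data types this purpose may touch
    requires_consent: bool = False   # lawful ground is consent: check it per data subject

@dataclass(frozen=True)
class AccessRequest:
    actor_role: str
    purpose: str
    data_category: str
    subject_consented: bool = False

# Constructed register of processing activities (sample values, not a real system).
REGISTER: List[ProcessingActivity] = [
    ProcessingActivity("order fulfilment", "deliver_order", "contract",
                       frozenset({"warehouse", "support"}), frozenset({"name", "address"})),
    ProcessingActivity("tax reporting", "tax_reporting", "legal_obligation",
                       frozenset({"finance"}), frozenset({"name", "invoice"})),
    ProcessingActivity("newsletter", "marketing", "consent",
                       frozenset({"marketing"}), frozenset({"email"}), requires_consent=True),
]

def decide(req: AccessRequest, register: List[ProcessingActivity] = REGISTER) -> Tuple[bool, str]:
    """Deny by default. Access is granted only when a registered activity with the
    requested purpose permits both the actor's role and the data category, and any
    consent the lawful ground depends on is present. The reason is returned with the
    decision so that it can be written to the audit log."""
    matches = [a for a in register if a.purpose == req.purpose]
    if not matches:
        return False, "purpose not registered"
    for act in matches:
        if req.actor_role not in act.roles or req.data_category not in act.data_categories:
            continue
        if act.requires_consent and not req.subject_consented:
            return False, f"{act.name}: consent required but not given"
        return True, f"{act.name} ({act.lawful_ground})"
    return False, "no registered activity permits this role and data category"
```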

Focus area 5: PIA process
A. A PIA is performed in a methodical manner for new projects and is updated whenever there are relevant changes in the project. It considers legal, technical security, and privacy requirements and documents how these have been implemented.
B. A preliminary threshold analysis is performed to determine the necessity of a PIA when launching new initiatives or modifying existing projects. The PIA process starts in the early planning phase and carries on throughout the project's life.
C. The logistics of the PIA process are formalised and documented: the relevant roles, responsibilities, approval process, and needed resources are assigned, and the scope and scale of each PIA are determined. A privacy control selection process is implemented which evaluates the proportionality of the selected measures.
D. The PIA process and the PIA reporting activities are decoupled. PIAs reference PIA reports from the centralised registry, ensuring that subsequent changes build upon previous analysis. Privacy controls are methodically assessed using metrics. The design of the physical environment is included.
E. A formalised stakeholder consultation plan is created, involving stakeholders in identifying and evaluating privacy risks. Privacy risks are identified continuously during the project and processing activity lifecycles. A senior executive is held accountable for the quality and adequacy of a PIA.
F. A PIA covers not only information privacy issues but all privacy issues, and involves an assessment of positive and negative privacy impacts. There is more focus on applying privacy-by-architecture through the formulation of privacy targets in system design. The existing PIAs and the overall PIA process are constantly reviewed as part of a continuous improvement effort.

Focus area 6: PIA report
A. The PIA report is reviewed and is tied to budget submissions for new projects.
B. PIA reports are stored in a centralised registry in order to create a body of knowledge that can be consulted for future projects. A mechanism is implemented for updating PIA reports and publishing them to the general public whenever significant changes are made to processing activities.
C. Reporting adheres to its own periodic reporting cycle, independent of the PIA process, and reports are submitted for audit to an independent third party.
D. Different PIA reports can exist per PIA process; these reports are adapted to their intended audience in both content and form.

Focus area 7: Risk management
A. Privacy-by-design and the privacy impact assessment are part of a formally defined risk management approach. A privacy risk analysis framework is employed that includes privacy risk modelling, risk prioritisation, and formulating mitigation measures. Residual risks are identified and documented.
B. Privacy risks are kept in an inventory, linked to specific vulnerabilities or failures, and mapped to data-flow elements. Data controllers have a complete overview of documented privacy risks and produce a control implementation plan that describes risk mitigation and the feasibility of controls through a cost-benefit analysis. Feared events are identified and their impact and severity are determined.
C. The entity has implemented documented policies and procedures to monitor and optimise privacy risk management and control. These policies are improved by feeding audit results back into a change control process. The data lifecycle is adopted as the basis for the contextual analysis, to anticipate privacy-invasive events and to identify activities and risks that are harmful to the system.
D. Data risks are automatically identified, and early warnings are provided for high-risk operations by employing predictive analytics. Continuous risk assessment is supported by a privacy risk and compliance dashboard that provides a continuous view of the system.

Focus area 8: Processing principles
A. A set of standard processing principles is applied to all processing activities (e.g., the GDPR processing principles).
B. The processing principles are documented, applied in a structured and methodical manner, and periodically evaluated.
C. Data past the retention period is flagged or deleted automatically when no legal hold has been specified. Purpose limitation is supported by role concepts with graduated access rights. The data protection officer has a dashboard that provides an up-to-date view of the lawfulness of personal data processing activities.
D. Compliance with the processing principles is proactively managed to deliver deliberate process optimisation. Issues of non-compliance are identified and remedial action is taken to ensure compliance in a timely fashion. Automated controls prevent the deletion of personal data that would violate legal retention requirements.
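An added example (not from the original page) of the automated retention controls in capabilities C and D of this focus area: a periodic sweep flags or deletes data past its retention period unless a legal hold is set, and every deletion is additionally checked against a statutory minimum retention, so that a retention period configured shorter than the law allows is blocked rather than executed. The record fields, dates and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Record:
    record_id: str
    created: date
    retention_days: int          # organisational retention period for this data set
    legal_min_days: int = 0      # statutory minimum retention; deletion before it is forbidden
    legal_hold: bool = False     # explicit hold: never delete, surface for review instead

def sweep_action(rec: Record, today: date) -> str:
    """Outcome of the periodic sweep for one record: 'keep', 'flag' or 'delete'."""
    if today < rec.created + timedelta(days=rec.retention_days):
        return "keep"
    if rec.legal_hold:
        return "flag"            # past retention but a legal hold is specified (capability C)
    return "delete"

def deletion_block_reason(rec: Record, today: date) -> Optional[str]:
    """Guard applied to every deletion, automatic or manual (capability D).
    Returns None when the deletion may proceed, otherwise why it is blocked."""
    if rec.legal_hold:
        return "legal hold in force"
    if today < rec.created + timedelta(days=rec.legal_min_days):
        return "statutory minimum retention not yet reached"
    return None

def run_sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by outcome. A 'delete' from the sweep still passes the guard,
    so a mis-set retention period shorter than the legal minimum ends up 'blocked'."""
    out: Dict[str, List[str]] = {"keep": [], "flag": [], "delete": [], "blocked": []}
    for rec in records:
        action = sweep_action(rec, today)
        if action == "delete" and deletion_block_reason(rec, today) is not None:
            action = "blocked"
        out[action].append(rec.record_id)
    return out

# Constructed sample records and sweep date.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", date(2024, 1, 1), retention_days=365),                       # still in retention
    Record("r2", date(2022, 1, 1), retention_days=365),                       # expired, no hold
    Record("r3", date(2022, 1, 1), retention_days=365, legal_hold=True),      # expired, on hold
    Record("r4", date(2023, 1, 1), retention_days=365, legal_min_days=3650),  # expired, law says keep
]
```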

Focus area 9: Subject rights
A. Requests related to the exercise of data subject rights are recorded, monitored, and reported. Consent management, including related notices, policies, and procedures, is defined and implemented.
B. Data subject rights are facilitated through automated technical mechanisms such as self-service dashboards. Consent processes are periodically reviewed, and improvements are made where necessary. Automated processes are followed to test consent prior to the use of personal information.
C. Policies and procedures related to subject rights facilitation are reviewed regularly. The data protection officer has a dashboard that provides an up-to-date view of data access requests and responses.
D. User-driven control of personal data is employed. Data subjects that do not consent to provide personal data are offered equitable conditions. Consent items are automatically updated in all affected processing systems whenever a change occurs.

Focus area 10: Transparency
A. Privacy policies are publicly available in clear and comprehensible language and contain contact information of the individuals responsible for privacy and security. Privacy policy revision meetings are conducted; feedback on the readability and content of the privacy policy is analysed and incorporated. Historical versions of the policy are archived and accessible.
B. Policy communications are routine and semi-automated. Individuals' general level of privacy policy understanding is assessed, and feedback is used to improve communication methods. Procedures have been implemented that uniformly and consistently obtain consent for additional processing activities in the collection phase.
C. The privacy policy is defined together with data subjects, who are provided with information about policies, procedures, controls, and tools that allow them to determine how personal data is used and whether policies are being properly enforced.
D. Summaries of PIAs, TRAs, and independent third-party audit results are published.

Focus area 11: Third-party management
A. A privacy risk assessment for third parties is completed before any contract under which personal data is made available is granted. Existing contracts and agreements involving personal data provided to third parties are reviewed to ensure the appropriate information has been communicated.
B. Documented procedures exist and are consistently applied to ensure that third parties have appropriate safeguards in place prior to the transfer of personal data. New instances of sharing personal data with third parties are assessed to determine authorisation, additional notice, and possible updates to existing agreements. Exception reports are used to record inappropriate, unacceptable, or misuse activities by third parties and to monitor the status of remedial activities.
C. A privacy level agreement is made as part of a service level agreement that addresses the level of privacy protection a service provider commits to undertake and maintain. Changes in a third-party environment are monitored to ensure the processor can continue to meet its obligations. Management monitors compliance with privacy policies relating to disclosure to third parties.

Focus area 12: Roles
A. Stakeholders, roles, and responsibilities related to privacy activities are identified and assigned.
B. The management of privacy-related roles and responsibilities is formalised in a role/functionality matrix to ensure accountability. A chief privacy officer is appointed.
C. The trust relationship between the stakeholders is defined. Data processing responsibilities are assigned to appropriate stakeholders, including accompanying monitoring activities. A technical privacy officer is assigned to support operational privacy-by-design activities.
D. A central entity responsible for privacy-related issues, such as a privacy committee, is appointed.

Focus area 13: Awareness
A. The organisation is aware of the basic principles of privacy-by-design and management is committed to applying them.
B. The different target groups involved in privacy-by-design are identified and receive training that raises awareness and transmits knowledge relevant to their specialisation.
C. Resources are provided, such as manuals, guides, and handbooks, to support consistent implementation of privacy policies, procedures, and standards, as required and appropriate.
D. The organisation participates in learning from and contributing to the body of knowledge amassed by the privacy community. Staff and management are comfortable identifying areas for improving privacy practices and raise and discuss these freely and proactively.

Focus area 14: Monitoring
A. An assurance process is in place that supports the checking and demonstration of compliance with regulation; this includes overseeing the execution of cybersecurity and privacy controls. Systems have functional audit logs and usage reports that do not disclose identity information.
B. Events are logged during all processing activities. Privacy-related key performance indicators are used to periodically track, measure, and monitor the performance of the privacy function. Performance is regularly reported to management and the metrics are regularly reviewed.
C. Management continuously monitors compliance with privacy policies, regulations, and procedures related to personal data processing. The approach to privacy-by-design is continually reviewed and updated based on both internal review and external developments in best practice.
D. Periodic reviews and audits are performed on processing activities to ensure that uses of personal information are appropriate and lawful.
E. Systematic and independent audit examinations of logs, procedures, processes, and hardware and software specifications are performed. Audit and log systems comply with the other privacy principles and track user activity to identify illegal processing.