Privacy by Design and Default Policy

The Privacy by Design and Default Policy defines how privacy requirements must be embedded into new and changed PII processing activities within the PIMS scope. It applies across projects, products, services, systems, applications, integrations, procurement activities and business process changes. The policy is written for controller, joint controller, processor and subprocessor contexts, including situations where the organization designs, configures, changes or operates processing on behalf of a customer, controller or upstream processor under documented instructions. Its core purpose is to ensure privacy requirements are identified, implemented and evidenced before PII processing begins or materially changes. The policy places particular emphasis on purpose, necessity, minimization and privacy-protective defaults. Process Owners and Business Owners must document minimum PII categories, PII principal categories, sources and purposes in REG02 and REG04 before collection or import design approval. System and Application Owners must configure default processing settings to the minimum PII collection and processing needed for the documented purpose and must record evidence in REG04 before go-live. Optional PII fields, optional processing choices, default-off settings, exposure settings for views and reports, and handling of temporary files, caches, logs or staging records are all treated as design-stage privacy obligations rather than after-the-fact operational corrections. Privacy risk and DPIA linkage are built into the design process without replacing the separate methodology defined in PII07. The Privacy Lead / PIMS Manager must confirm that privacy risk and DPIA screening is recorded in REG04 before design approval for new or materially changed PII processing. Privacy design treatment actions, owners and due dates must be recorded before review closure, and implementation evidence must be captured before go-live. For high-risk or materially changed controller processing, the policy also requires a post-implementation privacy design check in REG04 within 30 calendar days after go-live. Where design issues are missing, ineffective, overdue or bypassed, corrective action is opened in REG12. The policy also extends privacy by design into procurement and third-party relationships. Vendor and Procurement Owners must record privacy-by-design requirements for suppliers, processors, subprocessors, SaaS services, platforms or externally hosted systems in REG08 before procurement approval. Third-party PII necessity, purpose and minimum PII categories must be documented before external processing, data sharing or procurement approval. Supplier support for privacy-default settings, minimization and customer configuration needs must be recorded before onboarding, while unresolved supplier privacy design gaps are escalated to REG12 within five business days and before contract signature. Governance, monitoring, enforcement and maintenance are defined through recurring evidence and review cycles. The Privacy Lead / PIMS Manager submits quarterly privacy design status summaries in REG12, calculates completion and overdue-action metrics, and verifies that design evidence remains consolidated in REG02, REG04, REG08 and REG12 before internal audit. Top Management reviews high-impact exceptions, blocked go-live decisions and recurring findings during management review. Enforcement provisions require prevention of go-live where REG04 review is incomplete, prevention of onboarding where REG08 evidence is absent, and suspension of new or changed PII processing until REG04 review, REG02 updates and required REG12 exceptions are complete.