Glossary

Data Protection by Design

Obligation to build privacy and data protection into systems and processes from the beginning.

Data Protection by Design (also known as Privacy by Design) is a legal obligation under GDPR Article 25 requiring organisations to integrate data protection safeguards into the design and architecture of systems, processes and products from the very earliest stages of development. Such safeguards include pseudonymisation, access controls, data minimisation defaults and encryption, built in from the start rather than bolted on after the fact.

Adopting this approach significantly reduces the cost and effort of achieving compliance, since retrofitting privacy controls into existing systems is typically far more expensive and error-prone. It also helps organisations build more trustworthy products, avoid regulatory action and demonstrate to auditors and supervisory authorities that privacy is embedded in the organisational culture rather than treated as an afterthought.
