
Insight: A Brief History of Data Protection by Design


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Privacy Information Management System (PIMS), brings a critical insight to the attention of Taiwanese business leaders: Data Protection by Design is not a concept invented by the GDPR in 2018 — it has roots stretching back decades into the software engineering community, and understanding that history is the difference between building a genuine ISO 27701-compliant PIMS and merely checking compliance boxes. A 2024 academic study traces the full intellectual lineage of this foundational privacy principle, with direct implications for how Taiwanese enterprises approach GDPR compliance, DPIA implementation, and personal data protection under Taiwan's Personal Data Protection Act (PDPA).

Paper Citation: A Brief History of Data Protection by Design (Pierre Dewitte, OpenAlex — Privacy Information Management, 2024)
Original Paper: https://doi.org/10.71265/n27g6m54


About the Author and This Research

This analysis is based on research by Pierre Dewitte, published in 2024 in the OpenAlex Privacy Information Management journal. Dewitte works at the intersection of privacy law and technology, with a cumulative citation count of 20 and an h-index of 1 — positioning him as an emerging but substantive voice in the field of privacy regulation scholarship. This particular paper has already received 1 citation since its publication, a meaningful indicator for a recently released work in a specialized domain.

What makes Dewitte's research particularly valuable is its methodological choice: rather than explaining what GDPR Article 25 requires, it asks where the concept of Data Protection by Design actually came from. This historical and retrospective approach is rare in privacy compliance literature, where most publications focus on current obligations. For Taiwanese business executives and PIMS practitioners, this provides something more valuable than another checklist — it provides the conceptual foundation needed to implement privacy protections that are genuinely effective, not merely formally compliant.

The Historical Roots of Data Protection by Design: Decades Before GDPR

The central finding of Dewitte's 2024 research is a significant correction to a widespread assumption in the corporate compliance world: Data Protection by Design did not originate with GDPR. Its intellectual roots were solidly established in the software engineering community long before the GDPR was drafted, and several binding legislative instruments incorporated this obligation before the GDPR entered into force on May 25, 2018.

Core Finding One: Privacy by Design Is a Technical Discipline, Not a Legal Invention

The research demonstrates that the idea of designing systems with privacy protections built in from the ground up — rather than added as an afterthought — emerged from engineering practice, not legal mandate. This has a profound implication for ISO 27701 implementation: the standard's requirements in Section 7.4 on "Privacy by Design and by Default" are not arbitrary regulatory demands but reflect engineering principles that have decades of practical validation behind them. Taiwanese technology companies, particularly those in the semiconductor, electronics manufacturing, and SaaS sectors, are already familiar with design-stage quality controls; applying the same discipline to personal data protection is a natural extension, not a foreign imposition.

Core Finding Two: GDPR Article 25 Had Legislative Predecessors

Dewitte's historical analysis identifies national and EU-level legislative initiatives that incorporated Data Protection by Design obligations before GDPR Article 25 became binding law in 2018. This finding reframes how Taiwanese enterprises should think about their compliance obligations. Taiwan's Personal Data Protection Act (PDPA), particularly Articles 6, 18, and 27, which require "appropriate security measures" for personal data processing, reflects the same legislative tradition. These are not isolated domestic requirements — they are part of a global regulatory convergence that has been building for decades. Understanding this convergence helps Taiwanese enterprises avoid the common mistake of treating GDPR, PDPA, and ISO 27701 as three separate and disconnected compliance exercises, when they are in fact manifestations of a single underlying principle.

Core Finding Three: Historical Understanding Determines Compliance Depth

The paper argues that understanding the history of Data Protection by Design is necessary to properly understand its current scope and implications under GDPR. For Taiwanese compliance professionals, this translates directly: enterprises that implement ISO 27701 without understanding why the standard requires what it requires are more likely to implement it superficially, satisfy auditors while leaving genuine privacy risks unaddressed, and struggle to adapt when regulations evolve. A DPIA process built on genuine understanding of privacy risk principles will be more robust than one built on template-filling.

Implications for Taiwan's PIMS Practice: What Business Leaders Must Act On Now

For Taiwanese enterprises navigating the intersection of ISO 27701, GDPR, and Taiwan's PDPA, Dewitte's research crystallizes three actionable priorities that go beyond surface-level compliance.

First: Integrate technical teams into PIMS design from the beginning. Because Data Protection by Design originated in engineering, ISO 27701 implementation cannot be left solely to legal or compliance departments. Section 7.4 of ISO 27701 requires that privacy protections be embedded in system architecture, data flows, and default settings. This requires software engineers, IT architects, and product managers to be active participants in PIMS design — not passive recipients of policies handed down from the compliance team. Taiwanese technology manufacturers supplying global OEM/ODM customers face increasing contractual pressure to demonstrate this capability.

Second: Reassess GDPR applicability with full seriousness. GDPR Article 25 applies to any enterprise processing personal data of EU residents, regardless of where that enterprise is incorporated. Taiwanese e-commerce platforms, cloud service providers, and enterprises serving European B2B customers are all potentially within scope. The DPIA requirement under GDPR Article 35 — triggered by high-risk processing activities — is specifically linked to the design-stage privacy assessment that Dewitte's research shows has deep historical and technical grounding. Enterprises that have not conducted a formal GDPR applicability assessment face both legal and reputational risk.

Third: Align Taiwan PDPA obligations with ISO 27701 as a unified framework. Taiwan's PDPA Article 27 requires non-government agencies to establish "appropriate security maintenance measures." Read through the lens of Data Protection by Design — as Dewitte's research encourages — this obligation demands proactive, design-stage privacy protection, not reactive security patching. ISO 27701 provides the management system framework to operationalize this obligation at scale, covering both data controller (Annex A) and data processor (Annex B) responsibilities.

How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Implement Privacy by Design

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end ISO 27701 implementation support, GDPR compliance advisory, DPIA execution, and Taiwan PDPA alignment services. Our approach is grounded in exactly the principle that Dewitte's research validates: privacy protection must be designed in, not bolted on.

  1. Privacy by Design Readiness Assessment: We evaluate your existing system development lifecycle, data architecture, and default privacy settings against ISO 27701 Section 7.4 requirements. We identify where privacy protections are currently reactive rather than proactive, and provide a prioritized remediation roadmap that addresses both technical and governance gaps simultaneously.
  2. DPIA Framework Implementation: We design and embed a DPIA process into your project management and product development workflows, ensuring that high-risk data processing activities — as defined under GDPR Article 35 and ISO 27701 — are assessed at the design stage, before systems go live. This protects your enterprise from enforcement risk and demonstrates accountability to European data protection authorities and enterprise customers.
  3. ISO 27701 Certification Pathway: We provide a structured 90-day implementation program for enterprises with existing ISO 27001 foundations, covering gap analysis, control design, documentation, internal audit, and certification audit preparation. For enterprises without ISO 27001, we offer an integrated 6-to-12-month program. In both cases, our goal is not merely to achieve certification but to ensure that the resulting PIMS genuinely embodies the privacy-by-design principles that Dewitte's research traces back to engineering best practice.

Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic, helping Taiwanese enterprises establish an ISO 27701-aligned management system within 90 days.

Apply for Your Free PIMS Diagnostic →

Frequently Asked Questions

What does "Data Protection by Design" actually mean in practice, and where should a Taiwanese company start?

Data Protection by Design means embedding privacy protections into systems and processes at the design stage, before they are built — not patching them in afterward. In practice, this means asking privacy questions during requirements analysis: What personal data is actually necessary? What is the default access level? When will data be deleted? ISO 27701 Section 7.4 provides a structured framework of controls for implementing this principle. Taiwan's PDPA Article 27 supports the same approach by requiring proactive security measures. The practical starting point is auditing your new product development lifecycle to identify where privacy considerations currently enter the process — and systematically moving that entry point to the earliest possible stage.
Does GDPR apply to Taiwanese companies with no physical presence in Europe?

Yes, in many common business scenarios. GDPR's territorial scope under Article 3 covers any enterprise that processes personal data of EU residents in the context of offering goods or services to them, or monitoring their behavior — regardless of where the enterprise is established. This applies to Taiwanese e-commerce merchants shipping to Europe, SaaS providers with European users, OEM/ODM manufacturers whose European clients share employee or customer data, and service providers acting as Data Processors under European data controller contracts. GDPR Article 25's Data Protection by Design requirement and Article 35's DPIA obligation apply in all these scenarios. Enterprises should conduct a formal territorial scope assessment to determine their specific obligations before assuming non-applicability.

What is the relationship between ISO 27701 certification and GDPR compliance?

ISO 27701 and GDPR are complementary but not equivalent. ISO 27701 is an international management system standard specifying requirements for a Privacy Information Management System (PIMS); GDPR is binding EU law imposing specific obligations on personal data processing. Achieving ISO 27701 certification demonstrates that an organization has implemented a structured, audited privacy management framework, which can serve as evidence of accountability under GDPR — particularly relevant under GDPR Article 42's certification mechanism framework. However, ISO 27701 certification does not automatically constitute GDPR compliance, as GDPR includes specific legal obligations (such as data subject rights response timelines and mandatory breach notification within 72 hours) that require additional legal implementation beyond the management system. Winners Consulting recommends using ISO 27701 as the management foundation and conducting a parallel GDPR gap analysis to address regulation-specific requirements, including Taiwan PDPA Article 27 alignment.

How long does ISO 27701 implementation take for a typical Taiwanese enterprise?

Implementation timeline depends primarily on whether the enterprise already has ISO 27001 certification. For ISO 27001-certified enterprises, ISO 27701 extends the existing Information Security Management System (ISMS) with privacy-specific controls; a realistic implementation timeline is 90 to 120 days. For enterprises without ISO 27001, the integrated implementation of both standards typically requires 6 to 12 months. A typical 90-day accelerated program for ISO 27001-certified enterprises follows these milestones: Weeks 1-4, current state gap analysis against ISO 27701 Annex A and B controls; Weeks 5-10, privacy control design and documentation development; Weeks 11-16, internal audit and management review; Weeks 17-20, external certification audit preparation and submission. Winners Consulting's 90-day program is specifically designed for enterprises with an existing ISO 27001 foundation looking to achieve ISO 27701 readiness efficiently.

Why choose Winners Consulting Services Co. Ltd. for Privacy Information Management (PIMS) support?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is Taiwan's dedicated Privacy Information Management specialist, with integrated expertise spanning ISO 27701 implementation, GDPR compliance advisory, DPIA execution, and Taiwan PDPA alignment. Our distinguishing strength is the ability to bridge the technical and legal dimensions of privacy compliance — ensuring that ISO 27701 controls are implemented not just in documentation but in system architecture and development processes, exactly as the historical foundations of Data Protection by Design demand. We serve clients across manufacturing, technology, financial services, and healthcare sectors, providing industry-specific compliance pathways rather than generic templates. Our commitment: ISO 27701-ready PIMS implementation within 90 days for ISO 27001-certified enterprises, with measurable compliance outcomes and sustainable management practices that scale with your business.
