The Constraint That Decides for You
Most teams treat privacy as a gate at the end of the pipeline: build the system, then ask whether it is lawful to ship. Article 25 of the GDPR inverts this. "Data protection by design and by default" is not a quality bar applied after the fact; it is a legal duty that attaches at the moment of "determining the means for processing" — that is, at the architecture meeting, before a line of code exists. The EU AI Act layers a second, parallel obligation: high-risk systems must be engineered for data governance, traceability, and human oversight from inception, and the conformity assessment looks backward at the design record. The practical consequence is that the most expensive privacy decisions are the ones made silently and early, when no lawyer is in the room.
This reframes the lawyer's role. The Legal Lens is not the reviewer who says no at launch; it is the discipline that converts a regulatory text into a design input the engineer can act on before the schema is frozen. A constraint named at the whiteboard costs an afternoon. The same constraint discovered at the audit costs a re-architecture.
Purpose Limitation as an Architectural Decision
The mechanism that does the most work, and is most often deferred, is purpose limitation. Under Article 5(1)(b), data collected for one stated purpose may not be freely repurposed; under the AI Act, training data must be relevant and appropriately governed for the specific system. This sounds like a policy question. It is in fact a schema question. The decision to store a raw email address rather than a salted hash, to retain full event logs rather than aggregates, to key a table by user identity rather than by session — each of these is a purpose-limitation choice disguised as a default. Once the lake is full of identifiable records gathered "to be safe," every downstream use inherits a legal basis you never established and cannot reconstruct.
The trade-off is real and should be stated plainly: privacy by design trades present optionality for future defensibility. Minimized data forecloses analyses you have not yet imagined. Teams resist this because optionality feels free and the regulatory bill arrives later. But the optionality is an illusion — data held without a lawful purpose is not an asset, it is an unbooked liability that a breach or a subject-access request will mark to market.
The Failure Mode: Compliance Theater
The characteristic failure is not the absence of privacy work but its misplacement in time. A team bolts on a consent banner, writes a retention policy nobody enforces, and commissions a Data Protection Impact Assessment after the model is trained. The DPIA, which Article 35 intends as a steering instrument that can stop a design, becomes a document that ratifies one. This is compliance theater: the artifacts exist, but none of them changed a decision. Regulators have grown adept at reading this. The fines that land hardest are not for missing paperwork; they are for processing that the paperwork was supposed to prevent and instead merely described.
The Decision Implication
The board-level implication is to move the privacy decision upstream and give it teeth, which means changing who is in the room and when. Concretely:
- Treat the DPIA as a precondition for the design review, not a deliverable that trails it — a system whose impact assessment can no longer alter its architecture has skipped the only step that mattered.
- Make data minimization the default schema and require an affirmative, documented case for every additional field retained, so that breadth of collection becomes a decision someone owns rather than an accident of convenience.
- Record the purpose and lawful basis at the point of collection, because a basis that cannot be reconstructed later cannot be defended to a regulator or a court.
None of this slows a disciplined team; it front-loads the friction that an undisciplined one pays with interest. Privacy by design is, in the end, a claim about when a decision is cheapest to make. The law has simply priced the alternative — and the price is paid in the one currency a mature organization cannot print, which is trust already spent.