Describe "privacy by design" and how a TA would implement it in systems development.

Explanation:
Privacy by design means incorporating privacy into every step of product development so privacy controls are built into the system from the start, not added after the fact. For a TA, putting this into practice in systems development means treating privacy as a design constraint across the whole lifecycle. In the requirements phase, you define privacy goals, specify exactly what data is needed, and set purpose limitations and retention periods. You map data flows to see where data enters, how it moves, where it’s stored, who can access it, and how long it stays, so you can limit exposure from the outset.

In the architecture and design stages, you embed data minimization by collecting only what’s necessary, use pseudonymization or anonymization where feasible, and set defaults to be privacy-protective—for example, least-privilege access, encryption by default, and configurations that do not enable extra data sharing unless the user explicitly opts in. During implementation and testing, you enforce privacy controls in code, verify default settings, and rigorously test for data exposure paths, consent handling, and retention enforcement.

In deployment and ongoing maintenance, you continuously monitor for new privacy risks, repeat privacy risk assessments or DPIAs as the system evolves, and update protections in response to changes in laws, threats, or business needs. This approach ensures privacy is actively managed and preserved throughout the system’s life.

Adding privacy features after deployment, focusing only on policy documentation without changing the architecture, or skipping risk assessments and audits would miss the proactive, integrated nature of privacy by design.