AI Privacy by Design Checklist

Embed privacy by design principles into AI system architecture

Evaluate your AI system design against all seven Privacy by Design principles — proactive, privacy as default, embedded, full functionality, end-to-end security, visibility, and user-centricity — with AI-specific implementation guidance for each. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are the seven Privacy by Design principles?

They are proactive not reactive, privacy as the default setting, privacy embedded into design, full functionality (positive-sum not zero-sum), end-to-end security, visibility and transparency, and respect for user privacy (user-centricity). The framework, developed by Ann Cavoukian, underpins the GDPR's data-protection-by-design requirement.

AI privacy by design

Privacy by Design is the principle — now embedded in the GDPR as “data protection by design and by default” — that privacy should be built into a system’s architecture from the start rather than patched on later. AI makes this harder: models can memorise personal data from training sets, inference is opaque, and the appetite for data pulls directly against minimisation. This checklist evaluates your AI system against all seven Privacy by Design principles, each with concrete, AI-specific implementation items, and scores how well you cover each one.

How it works

You jot down your system architecture to keep the assessment concrete, then work through seven sections — one per principle. Under “privacy as default” you confirm the least-privacy-invasive settings are the defaults and training opt-out is on by default; under “embedded” you confirm data minimisation in training and inference; under “end-to-end security” you confirm encryption and protection against model-inversion and membership-inference attacks; and so on. Each section shows its own completion score so you can see which principle is weakest, and you can export the full scored assessment into your data-protection-by-design record or DPIA.

How the seven principles apply specifically to AI systems

Proactive not reactive — in an AI context this means conducting a data protection impact assessment before training begins, not after a data incident. It also means including adversarial testing for privacy vulnerabilities as part of pre-launch evaluation.

Privacy as the default setting — the default should always be the most privacy-preserving option. If users can opt into having their interactions used for model training, opt-in should be the default (not opt-out). Feature toggles that increase data collection should be off unless users explicitly enable them.

Privacy embedded into design — data minimisation principles should apply at the training data stage, not just at the user input stage. A model trained on less personal data is inherently safer than one trained on more data with better access controls — both are necessary, but the training-data decision is made once at architecture time.

Full functionality (positive-sum) — the privacy-vs-functionality trade-off is often presented as inevitable, but good AI design challenges that assumption. A recommendation system can be useful without logging every interaction to a centralised personal profile. Differential privacy techniques can allow aggregate learning without memorising individual data. The checklist prompts you to consider whether each privacy cost is genuinely necessary for the function.

End-to-end security — AI systems face specific security attacks that general security checklists miss: model inversion (reconstructing training data from model outputs), membership inference (determining whether a specific person’s data was in the training set), and prompt injection (using user inputs to extract information the model was not intended to reveal). The security section of the checklist covers these AI-specific vectors in addition to standard encryption and access-control items.

Visibility and transparency — for AI systems this means disclosing what data trains the model, what decisions the model is used for, and how users can access or challenge those decisions. Under the EU AI Act and GDPR Article 22, automated decision-making in high-stakes contexts carries specific explanation and challenge rights that need to be surfaced in the user-facing interface.

Respect for user privacy — the user-centricity principle requires that users can actually exercise their data rights even when AI is involved. The right to erasure, for instance, is technically challenging when personal data is embedded in model weights. The checklist asks whether your system has a documented policy and technical approach for handling data-subject requests as they relate to model training.

Tips and notes

  • Start before you build. Privacy by Design is a pre-code discipline; the cheapest privacy fix is the one you never had to retrofit.
  • Minimise training data, not just inputs. A model that memorises personal data is a privacy liability long after the data was “deleted.”
  • Make automated decisions explainable. Visibility and user-centricity both demand that people can understand and contest AI decisions about them.
  • Default to opt-out of training. Privacy-as-default means a user should not have to act to keep their data out of your model.