The Privacy by Design principle (Article 25 of the GDPR) requires that data protection be integrated from the design stage of systems.