Privacy by design is the principle of building data protection into a system from the start rather than bolting it on afterwards, and under GDPR Article 25 ("data protection by design and by default") it is a legal obligation, not merely good practice. For surveillance it means the privacy-protective choice is the default: the system collects the minimum, retains the least, restricts access most tightly, and exposes the fewest people, unless there is a justified and documented reason to do otherwise.
In practice it shapes concrete design decisions before any camera is mounted. It drives camera placement and field of view (don't capture what you don't need), privacy zones to exclude sensitive areas, recording modes and retention set to the purpose, role-based access so only the right people see footage, encryption in transit and at rest, and audit logging by default. The DPIA is where these choices are reasoned through; privacy by design is the mindset that the DPIA operationalises.
The pitfall is retrofitting privacy onto a system designed only for coverage. Adding masking, access controls, and retention limits to a system that already records everything, keeps it forever, and lets anyone view it is both harder to do and gives weaker protection than designing those constraints in from the outset. "By default" also means the safe setting must be the out-of-the-box state, not an option an administrator has to remember to enable: a camera added with no configuration at all should already mask, expire, and restrict. Treat privacy as a first-class design requirement alongside coverage and reliability, and make the protective configuration the default. This is engineering guidance, not legal advice; confirm specifics with qualified counsel.
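The following is an added example, not code from the original page, showing one way to make the two previous paragraphs concrete: a camera configuration whose constructor defaults are the protective settings, and a checker that flags a "coverage first" configuration (everything recorded, kept for a year, viewable by all) so that retrofit drift is caught before deployment. The retention ceiling, the role names, the `Rect`/`CameraConfig` types and the scene coordinates are all hypothetical and would be set from the DPIA in a real system. The geometry check goes slightly beyond the text: a sensitive area only needs a privacy zone for the part of it the field of view actually captures, so narrowing placement and masking the remainder are treated as the two complementary controls they are.

```python
from dataclasses import dataclass
from typing import List, Optional

# Purpose-bound retention ceiling in days (assumed figure; take it from the DPIA).
MAX_RETENTION_DAYS = 30
# Roles permitted to view footage (assumed names).
ALLOWED_VIEWER_ROLES = frozenset({"security-operator", "dpo"})


@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle in scene pixel coordinates (hypothetical model)."""
    x: int
    y: int
    w: int
    h: int

    def intersect(self, other: "Rect") -> Optional["Rect"]:
        """Overlap of two rectangles, or None if they do not touch."""
        x1, y1 = max(self.x, other.x), max(self.y, other.y)
        x2 = min(self.x + self.w, other.x + other.w)
        y2 = min(self.y + self.h, other.y + other.h)
        if x2 <= x1 or y2 <= y1:
            return None
        return Rect(x1, y1, x2 - x1, y2 - y1)

    def contains(self, other: "Rect") -> bool:
        return (self.x <= other.x and self.y <= other.y
                and self.x + self.w >= other.x + other.w
                and self.y + self.h >= other.y + other.h)


@dataclass(frozen=True)
class CameraConfig:
    """Every field with a default takes the privacy-protective value, so a camera
    created with only a name and a field of view is already in the safe state."""
    name: str
    field_of_view: Rect
    sensitive_areas: tuple = ()      # e.g. a neighbour's window, in scene coordinates
    privacy_zones: tuple = ()        # masked regions, same coordinates
    retention_days: int = 7
    viewer_roles: frozenset = frozenset({"security-operator"})
    encrypt_in_transit: bool = True
    encrypt_at_rest: bool = True
    audit_logging: bool = True


def check(cfg: CameraConfig) -> List[str]:
    """Return a list of privacy-by-default violations; an empty list means compliant."""
    findings = []
    for area in cfg.sensitive_areas:
        seen = cfg.field_of_view.intersect(area)
        if seen is None:
            continue  # placement already keeps it out of frame: nothing to mask
        if not any(zone.contains(seen) for zone in cfg.privacy_zones):
            findings.append(f"{cfg.name}: captured part {seen} of sensitive area "
                            f"{area} has no covering privacy zone")
    if cfg.retention_days > MAX_RETENTION_DAYS:
        findings.append(f"{cfg.name}: retention {cfg.retention_days}d exceeds "
                        f"purpose limit of {MAX_RETENTION_DAYS}d")
    extra_roles = cfg.viewer_roles - ALLOWED_VIEWER_ROLES
    if extra_roles:
        findings.append(f"{cfg.name}: footage viewable by unapproved roles "
                        f"{sorted(extra_roles)}")
    if not cfg.encrypt_in_transit:
        findings.append(f"{cfg.name}: encryption in transit disabled")
    if not cfg.encrypt_at_rest:
        findings.append(f"{cfg.name}: encryption at rest disabled")
    if not cfg.audit_logging:
        findings.append(f"{cfg.name}: audit logging disabled")
    return findings


# Constructed scene (not from the page): a 1920x1080 frame with a neighbour's
# window in the top-right corner that must never be recorded.
WINDOW = Rect(1500, 0, 400, 300)

# "Coverage first" configuration: full frame, kept a year, anyone can watch,
# no masking, no encryption at rest, no audit trail. Each override is explicit.
RETROFIT = CameraConfig(
    name="lobby-01", field_of_view=Rect(0, 0, 1920, 1080),
    sensitive_areas=(WINDOW,), privacy_zones=(),
    retention_days=365, viewer_roles=frozenset({"everyone"}),
    encrypt_at_rest=False, audit_logging=False,
)

# Designed in: the field of view is narrowed so only a 100px strip of the window
# remains, and a privacy zone masks exactly that strip. Everything else is default.
DESIGNED = CameraConfig(
    name="lobby-01", field_of_view=Rect(0, 0, 1600, 1080),
    sensitive_areas=(WINDOW,), privacy_zones=(Rect(1500, 0, 100, 300),),
)

if __name__ == "__main__":
    for label, cfg in (("retrofit", RETROFIT), ("designed", DESIGNED)):
        print(f"{label}: {check(cfg) or 'OK'}")
```

The point of the structure, rather than the specific checks, is that the safe state is what you get by writing nothing: every weakening in `RETROFIT` had to be typed out, which is exactly the property "by default" demands. Running `check` in CI against the exported configuration of each camera turns the DPIA's decisions into a gate rather than a document.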

