Which concept is fundamental to data privacy governance?

Data privacy governance is strongest when privacy protections are built into how systems are designed and how data is handled throughout its lifecycle. Privacy by design means embedding privacy into the architecture, processes, and controls from the start—think secure defaults, access restrictions, data segregation, and thoughtful data flows. Data minimization complements this by enforcing collecting only what is strictly necessary, processing only what’s needed, and retaining data no longer than required. Together, they cover both the design of systems and the scope of data within those systems, creating a robust governance foundation that reduces exposure and supports regulatory expectations. Relying on privacy by design alone can miss limiting the amount of data collected, while data minimization alone may not ensure that privacy protections are integrated into the system’s architecture and operations. Data retention policies are important, but they address how long data is kept rather than guiding overall privacy protections from the outset.