Privacy by Design under the GDPR