Maritime surveillance is essential for creating maritime awareness. When open source intelligence (OSINT) is becoming a part of it, privacy in surveillance will be a special concern. However, processing of personal data in surveillance is regulated by the General Data Protection Regulation (GDPR) and/or by the Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. In both of these regulations, Privacy by Design (PbD) approach is mandatory. GDPR encourages applying a Data Protection Impact Assessment (DPIA) to identify and minimize data protection risks as the initial step of any new project. This design science research shows how PbD and DPIA are adapted in the MARISA project and tries to be a step towards new meta-artifacts and useful methods for the design and validation of privacy requirements engineering approaches into maritime surveillance ICT systems.