GDPR’s Privacy by Design – Data Protection by Design and by Default

The terms ‘data protection by design’ and ‘data protection by default’ are not new. Introduced in Article 25 of the GDPR, these are key elements of the law, essentially the GDPR’s version of ‘Privacy by Design’. Ever so often, these terms are used interchangeably, but they are entirely different concepts.

To define them:

Article 25(1) specifies requirements for data protection by design as actions every company should take to ensure the secure processing of personal data by integrating data protection and privacy into the design or development of their products, software, and the like. 

Article 25(2) specifies requirements for data protection by default as actions every company should take, by default, to ensure that only personal data which are necessary for each specific purpose of the processing are processed. 

Let’s get into a bit more detail. 

What is Data Protection by Design? 

Data protection by design ensures that you consider data protection issues at the design phase of your system – your products, software, and services – and throughout its lifecycle.

As expressed by the GDPR, it requires you to: 

  • put in place appropriate technical and organizational measures, such as pseudonymization, designed to implement the data protection principles, such as data minimization; and 
  • integrate safeguards into your processing so that you meet the GDPR's requirements and protect individual rights.

In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices. 

As mentioned specifically by the act, techniques for data protection by design include pseudonymization and data minimization. These methods are the cornerstones of not only achieving, but also sustaining, privacy compliance.

Pseudonymization methods include data encryption and data masking, both powerful approaches to eliminate the risk of sensitive data exposure. Being knowledgeable about the various options of data protection helps you choose the right technique to fit your organization’s business and compliance objectives. For more information, read our blog on data encryption, data masking and tokenization. 

When it comes to data minimization, companies usually resort to archival or deletion. Archival only moves the risk of sensitive data from one place to another, while deletion impairs the business transactional value of the data, which is needed for auditing purposes and to comply with data retention policies. More importantly, deletion is not a viable option, since the deleted data would otherwise have provided the company with a lot of actionable insights. Companies need to opt for a method that eliminates the drawbacks of archival and deletion and maintains the business transactional value of data while ensuring that there is no exposure of confidential information. Read our blog on data minimization to find out if you have implemented the right technique to minimize your risk due to inactive sensitive data.

What is Data Protection by Default? 

Data protection by default ensures companies only process data as long as it is necessary to achieve their specific purposes. This means that by default personal data is not made accessible unless an individual intervenes. 

It links to the fundamental data protection principles of data minimization and purpose limitation. 

As expressed by the GDPR, it requires you to: 

  • adopt a ‘privacy-first’ approach with any default settings of systems and applications; 
  • ensure you do not provide an illusory choice to individuals relating to the data you will process; 
  • not process additional data unless the individual decides you can;
  • ensure that personal data is not automatically made publicly available to others unless the individual decides to make it so; and 
  • provide individuals with sufficient controls and options to exercise their rights. 


Introduced in the Data Protection Act of 1998, the principles of data protection by design and default have been around for quite some time now. 

What companies need to note is that whilst Privacy by Design was good practice under the 1998 act, it is a legal requirement under the GDPR. 

Hence, it is useful for organizations to embrace a privacy by design approach from the get-go to make sure they don’t breach compliance. 


ICO – Data protection by design and default