Privacy by Design and Privacy by Default: GDPR's Requirements for Data Protection
The best time to protect personal data is not after a data breach, but before data is collected at all. Learn what Privacy by Design and Privacy by Default mean in practice – and how to comply with Article 25 of the GDPR.
The best time to protect personal data is not after a data breach, but before personal data is collected at all.
This is good practice, but with Article 25 of the GDPR, it is also a legal requirement. The requirement applies to all processing of personal data – meaning any processes and systems in your organisation where personal data is processed.
Personal data is processed in almost every business process, which means you must comply with the requirements for Privacy by Design and Privacy by Default across all of them, in accordance with Article 25 of the GDPR.
What is Privacy by Design?
Privacy by Design is easy to understand, but can be difficult to implement. As the ICO describes it, it is a concept rather than a checklist of rules to follow: it is about designing data protection into everything you do when processing personal data, whether you are developing a new system, starting a new project, or changing your workflows.

The GDPR requirement for Privacy by Design was likely inspired by Ann Cavoukian's Privacy by Design: The 7 Foundational Principles, where the concept was originally defined. We walk through those principles below.
1. Be proactive
Be proactive in the processing of personal data and take action before problems arise.
This can be done by mapping risks before processing begins, so that security can be built into the entire process or system, helping to prevent data breaches. This may involve higher costs in the short term and requires a clear mandate from leadership, but in the longer term it prevents data breaches and builds greater trust with the organisation's stakeholders.
2. Privacy by Default
This principle is addressed in a separate section further down the page.
3. Data protection must be integrated
Data protection must be integrated into all systems and processes, which should be built with this in mind from the outset. Data protection should not be something added on afterwards.
4. Do not compromise on functionality
Many assume that Privacy by Design means having to limit the functionality of a system, but good data protection must not render a system unusable. This principle is about ensuring that you do not compromise on functionality when seeking to protect users' privacy.
5. End-to-end data protection
Data must be protected from start to finish.
With Privacy by Design, your organisation must ensure confidentiality, integrity, and availability from cradle to grave – from the point at which personal data is collected through to its disposal. This can be achieved through encryption, access controls, logging, and secure disposal of personal data in line with industry standards.
6. Transparency
Give users information about the processing of their data so they can decide for themselves whether they want to share their data with your organisation. Be clear about which personal data is processed and for what purpose, and provide this information before collection takes place.
7. Give users control
Give users control over the processing of their personal data so they can tighten their own settings, delete data, accounts, and so on. This gives users the ability to act on their personal data protection if they lose trust in your organisation or no longer need to use your solution.
Flexibility
Privacy by Design does not mean you must implement it to the fullest extent in every situation, and you may take costs into account when deciding on a solution. Implementation should instead be based on a risk assessment, and you must then be able to document that you have complied with the principle in your data protection practices.
Privacy by Default
Privacy by Default is part of the Privacy by Design concept, but since it is specifically referenced in Article 25 of the GDPR, we look at it more closely in this section.
What does Privacy by Default mean?
Users must be protected from the moment they start using your systems or services, with default settings configured to protect their privacy. They should not have to enable privacy settings themselves – these should be on by default.
This applies to both IT systems and organisational processes, and it applies every time personal data is processed within the organisation.
In practice, this is unfortunately still not the norm, as many systems and processes are designed so that users must actively enable privacy settings themselves. That is precisely the problem Privacy by Default is intended to address.
Examples of Privacy by Default
Access to personal data
Within a company, employees should only have access to the personal data that is strictly necessary. It is common to see employees with access to more information than they need to carry out their tasks. This should be changed by introducing access restrictions.
As an example, a customer service employee should only have access to the minimum information about the customer needed to resolve the issue. If more information is required, the employee can request additional access to complete the task.
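The customer-service case above, with a minimal default view per role and a justified, logged request path for additional fields, as an added Python example that is not part of the original article; the customer record, role names and field sets are constructed assumptions:

```python
# Constructed sample customer record (not real personal data).
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "order_history": ["ORD-1", "ORD-2"],
    "date_of_birth": "1990-01-01",
    "national_id": "SAMPLE-ID",
    "payment_card_last4": "4242",
}

# Privacy by Default: the view each role gets without asking for anything.
DEFAULT_FIELDS = {
    "customer_service": {"customer_id", "name", "order_history"},
    "billing": {"customer_id", "name", "payment_card_last4"},
}

# Fields a role may additionally request with a justification; anything
# not listed here (e.g. national_id) cannot be escalated to by these roles.
REQUESTABLE_FIELDS = {
    "customer_service": {"email", "date_of_birth"},
    "billing": {"email"},
}

# Every escalation is recorded so access beyond the default is auditable.
ACCESS_LOG = []


def view_customer(record, role, extra_fields=(), justification=""):
    """Return a copy of `record` limited to the role's default fields plus
    any justified extra fields the role is permitted to request."""
    allowed = set(DEFAULT_FIELDS.get(role, ()))  # unknown role sees nothing
    extra = set(extra_fields)
    if extra:
        if not justification.strip():
            raise PermissionError("additional fields require a justification")
        denied = extra - REQUESTABLE_FIELDS.get(role, set())
        if denied:
            raise PermissionError(f"{role!r} may not request {sorted(denied)}")
        ACCESS_LOG.append(
            {"role": role, "fields": sorted(extra), "justification": justification}
        )
        allowed |= extra
    return {key: value for key, value in record.items() if key in allowed}


if __name__ == "__main__":
    print(view_customer(CUSTOMER, "customer_service"))
    print(view_customer(CUSTOMER, "customer_service", ["email"], "ticket 42"))
```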
Default settings in IT systems
Imagine an email application with the following privacy settings:
- Encryption of emails.
- Blocking of external tracking pixels.
- Disabling of read receipts.
If the application supports these privacy settings, they should be enabled by default. Users can always choose to turn them off, but in practice this rarely happens, since most users want to protect their privacy. This is precisely why systems and processes should be designed to protect users' privacy from the outset – and why this was included in the GDPR.

Summary
When working with personal data and Privacy by Design and Privacy by Default, you can regularly ask yourself the following questions:
- How would I design this processing of personal data if it were my own personal information being processed? If you follow your own answer to that question, you are probably implementing Privacy by Design correctly.
- Are users' settings still protected even if they do not change them? If the answer is yes, you have probably implemented Privacy by Default correctly.
For all your processing activities and information assets, you should ensure that you have implemented Privacy by Design and Privacy by Default, and you can record this in your GDPR documentation using .legal's GDPR compliance software.
Want to see how .legal can help you document and comply with your GDPR obligations? Book a demo and let us show you the platform.
Frequently Asked Questions about Privacy by Design and Privacy by Default
What is Privacy by Design?
Privacy by Design is a concept focused on building data protection into systems and processes from the outset, rather than adding it on afterwards. It is a legal requirement under Article 25 of the GDPR and is based on 7 foundational principles formulated by Ann Cavoukian.
What is Privacy by Default?
Privacy by Default means that the default settings of systems and processes should automatically protect users' privacy. Users should not have to enable privacy settings themselves – they are on by default. This is a specific requirement under Article 25 of the GDPR.
What does Article 25 of the GDPR require?
Article 25 of the GDPR requires organisations to implement Privacy by Design and Privacy by Default across all processing of personal data. This means data protection must be built in from the start of systems and processes, and default settings must minimise the processing of personal data.
What are the 7 principles of Privacy by Design?
The 7 principles are: 1) Be proactive, 2) Privacy by Default, 3) Integrate data protection into systems and processes, 4) Do not compromise on functionality, 5) Protect data from end to end, 6) Be transparent with users, and 7) Give users control over their data.
What is the difference between Privacy by Design and Privacy by Default?
Privacy by Design is the overarching concept covering the integration of data protection into the design of systems and processes. Privacy by Default is one of the 7 principles and specifically requires that default settings always protect users' privacy without requiring any action from the user.
Does Privacy by Design only apply to IT systems?
No, Privacy by Design and Privacy by Default apply to all processing of personal data – both IT systems and organisational processes and workflows. The principles must be followed wherever personal data is processed within the organisation.
What is an example of Privacy by Default?
One example is an email application that has encryption, blocking of tracking pixels, and disabled read receipts enabled by default. Another example is access management, where employees are only given access by default to the personal data they need for their specific role.
Must Privacy by Design be implemented fully in every process?
Not necessarily. Implementation should be based on a risk assessment, and costs may be taken into account. The important thing is that you can document afterwards that you assessed the risks and put appropriate measures in place based on that assessment.
How do you document compliance with Privacy by Design?
For all processing activities and information assets, you should record whether Privacy by Design and Privacy by Default have been implemented. This can be done in your GDPR documentation using GDPR compliance software, which consolidates and structures your documentation in one place.
What are the consequences of not complying with Privacy by Design?
Failure to comply with Article 25 of the GDPR on Privacy by Design and Privacy by Default can result in fines from the supervisory authority. It also increases the risk of data breaches, since security has not been built into processes and systems from the outset.