What Does Data Protection by Design and Default Mean?

Under the GDPR (General Data Protection Regulation), organisations are required to adopt the principles of data protection by design and default.

These concepts are not new to the GDPR; they previously fell under the umbrella of ‘privacy by design’. The change with the GDPR is that the principles are now enshrined in law.

In this blog, we break down data protection by design and default to help you understand your compliance requirements.

What is data protection by design?

A data protection by design approach requires organisations to consider information security and privacy issues at the outset when developing a project, process or system.

It guarantees that information security is prioritised rather than being bolted on at the end for compliance purposes.

To achieve data protection by design, organisations must implement appropriate technical and organisational measures. They must also integrate safeguards into their processing activities so that they protect individuals’ rights.

Examples of data protection by design

An organisation that adopts data protection by design will:

  • Conduct a DPIA (data protection impact assessment) when considering a new system, service, product or process that involves personal information;
  • Implement technologies, processes and policies to mitigate the risks that are discovered in the DPIA;
  • Write privacy notices and data protection policies in simple, easy-to-understand language; and
  • Provide data subjects with the name and contact information of its DPO (data protection officer) or, if it hasn’t appointed one, the person responsible for data protection.

This is by no means an exhaustive list. Data protection by design is less a set of requirements than a general approach to GDPR compliance.

It urges organisations to look for ways to anticipate data protection and privacy issues, and prevent them.

You can find more information on this topic by downloading Privacy by Design – Step by step.

This free guide explains in more detail how organisations can ensure that data protection and privacy are prioritised.

It contains an eight-step guide that walks you through your compliance requirements. You’ll discover how to embed privacy in your processes and tools, beginning with a roadmap to compliance and building towards a selection of features to implement, test and launch your set-up.

What is data protection by default?

A data protection by default approach requires organisations to conduct data processing activities only if they are necessary to achieve a specific goal.

To achieve data protection by default, you must assume a ‘privacy-first’ stance with any default settings and applications.

As part of this, you must provide individuals with enough controls and options to exercise their rights under the GDPR.

You must also pay particularly close attention to the way you communicate with data subjects. Transparency is an essential component of data protection by default, with the framework promoting the concepts of data minimisation and purpose limitation.

In other words, you should keep data processing activities to a minimum and ensure that individuals are aware of exactly how you are using their information.

Examples of data protection by default

What data protection by default looks like will vary based on the type of data processing the organisation conducts.

Let’s use voice recognition as an example. In this case, the organisation uses the technology to enable callers to identify themselves and be directed to the relevant person.

The system is beneficial to both customers and the organisation, as it reduces waiting times and doesn’t require the customer to have a password or other authentication details to hand.

However, the convenience of the system comes with a data protection cost. That is to say, to use the system, the organisation must collect a recording of customers’ voices, which is considered biometric (and therefore sensitive) personal data under the GDPR.

This doesn’t mean that the organisation cannot use a voice recognition system. It just cannot use it as a default option.

The organisation should instead use the most privacy-focused option as the default, and give customers the choice to sign up to a voice recognition service.

Similar issues can be seen in other data processing activities that aren’t essential to the service being provided.

For example, social media sites can do lots of different things with your personal data, but many of them are non-essential to their primary service.

The sites must therefore turn those options off automatically, and give users the choice to activate them.

The 7 principles of data protection by design and default

Although data protection by design and default expands on the previous concept of privacy by design, it is still built on the same ‘foundational principles’ as described by the ICO (Information Commissioner’s Office):

  • Proactive not reactive

The purpose of data protection by design and default is for organisations to anticipate data protection and privacy issues before they arise. When implementing systems, you should be aware of the problems that you might run into and develop controls before pushing ahead.

  • Privacy as the default setting

Any system, service, product or business practice should be designed to protect personal data automatically. Individuals should not have to take any action for their information to be secured.

  • Privacy embedded into design

Your systems should be built with data protection as a core component. Appropriate controls should be a basic function of the system and not something that can be added or removed.

  • Full functionality

Achieving privacy by design doesn’t mean you have to sacrifice other aspects of your system.

You should consider it a win–win scenario, which is possible if the actions you take to improve privacy lead to better products and services – and by extension, happier customers.

  • End-to-end security

An organisation’s security measures must protect information throughout its lifecycle. This covers the way the organisation obtains the information through to its disposal.

  • Visibility and transparency

You must ensure that systems and services operate according to their premises and objectives. If they veer from their original purpose, you jeopardise your customers’ trust and risk the possibility of invalidating the lawful basis for processing.

  • Respect for user privacy

Remember that data protection by design and default is in place to protect individuals. The extra steps you take to preserve their information are in their interests and help build the relationship between them and your organisation.

Implementing data protection by design and default

The best place to start when implementing data protection by design and default is to develop a set of guidelines for your data processing activities.

The way you process and use personal data will differ depending on your practices, so you need to conduct separate risk assessments that identify the challenges you face and the controls you should implement to secure people’s personal data.

If you’re looking for help doing that, DQM GRC’s team of experts can help. We offer a specialised privacy by design consultancy package to support the implementation and maintenance of your compliance practices.

Our team can help you:

  • Write policies and procedures to ensure privacy is considered for process revisions and new projects;
  • Incorporate privacy by design into the culture of your organisation;
  • Work on specific projects to ensure all privacy concerns are addressed;
  • Train project management staff on how to consider privacy by design in all future projects; and
  • Develop training courses for staff and upper management.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.
