What is data protection by design and by default?

Data protection by design and by default – also known as privacy by design – is an approach that ensures appropriate security measures are embedded in data processes rather than simply added on.

It means you must evaluate data protection and information security risks from the beginning of each project, and implement measures to mitigate those risks as part of your planning.

The seven foundational principles of privacy by design

Privacy by design was originally developed as a systems engineering concept, based on seven foundational principles:

1. Proactive not reactive; preventative not remedial

Privacy by design anticipates and prevents privacy-invasive events rather than resolving them once they have occurred.

2. Privacy as the default setting

Privacy is built into the system – even if an individual does nothing, their personal data is automatically protected.

3. Privacy embedded into design

Privacy is an integral part of the system, not an add-on.

4. Full functionality – positive sum, not zero sum

Security does not come at the expense of functionality – both are possible.

5. End-to-end security – full lifecycle protection

Because security measures are embedded, data is secure throughout the lifecycle – from collection to secure destruction.

6. Visibility and transparency – keep it open

All practices and technology should be operated according to their stated objectives and should be transparent to both providers and users.

7. Respect for user privacy – keep it user-centric

The interests of individuals should be at the centre of all processes.

Who is responsible for complying with data protection by design and by default?

Data protection by design and by default is a legal requirement under the DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation):

  • Data controllers must implement appropriate technical and organisational measures designed to follow the GDPR’s data protection principles. Safeguards should be integrated into the processing to meet the Regulation’s other requirements and protect data subjects’ rights.
  • To help comply with the principle of purpose limitation, data controllers should also implement appropriate technical and organisational measures to ensure that only the personal data that is necessary for each processing purpose is collected, stored and accessible.

Benefits of data protection by design and by default

Data protection by design and by default will embed secure practices in your organisation at all levels, so security becomes second nature to everyone.

This will help ensure that your organisation meets its data privacy objectives and complies with laws such as the GDPR and DPA 2018.

Considering data protection at all stages of the project lifecycle significantly reduces the risk of data breaches and regulatory action, and makes your processes more efficient.

Implementing data protection by design and by default

Implementing data protection by design and by default includes:

  • Conducting DPIAs (data protection impact assessments) in the preliminary stages of creating new processes, products or services that involve personal information;
  • Implementing appropriate technical security measures to mitigate the risks identified by the DPIA;
  • Creating appropriate documentation, such as policies and work instructions, so that everyone using the new processes, products or services will know how to do so safely and securely; and
  • Creating privacy notices to provide appropriate information to the data subjects whose personal information you are processing, in accordance with articles 13 and 14 of the GDPR.

Free guide: Privacy by Design – Step by step

Download our free guide Privacy by Design – Step by Step to learn more about implementing privacy by design in your organisation.


Privacy by design consultancy support

Implementing privacy by design across your organisation can be a challenge, but we have all the support you need.

Privacy by design training

  • Certified Privacy by Design Foundation qualification

    This one-day course is designed to give project managers and privacy professionals a grounding in the fundamentals of privacy by design.

    Participants will learn how to incorporate privacy requirements into a project plan, and receive an IBITGQ-accredited certificate on passing the exam.

  • Certified Privacy by Design Practitioner qualification

    This four-day course is designed to give developers and privacy professionals an understanding of the main privacy risks associated with different types of project.

    Participants will learn how to control those risks and will receive an IBITGQ-accredited certificate on passing the exam.

  • Certificate in Privacy Essentials for Marketers qualification

    This one-day course is designed to give marketers and privacy professionals an understanding of how to incorporate privacy requirements into specific types of marketing activities.

    Participants will learn how to create and execute compliant and effective digital marketing campaigns and will receive an IBITGQ-accredited certificate on passing the exam.

  • Bespoke privacy by design training

    We are experienced in delivering bespoke solutions to help integrate privacy by design into organisations. We have developed bespoke in-house privacy by design courses for face-to-face delivery in clients’ offices around the world; for Live Online presentation; and as an interactive multimedia experience combining interactive e-learning modules with Live Online instructor-led group work.

    Our in-house privacy by design training courses can be tailored to your organisation and projects. We typically cover:

    • The reasons data protection is important;
    • Privacy requirements associated with the GDPR and other key laws;
    • The seven key concepts of privacy by design;
    • How teams such as marketing, HR, finance, development, privacy and legal contribute to privacy by design;
    • How privacy by design tools and techniques improve project outcomes;
    • DPIAs and screening questionnaires;
    • How to incorporate privacy within the project lifecycle; and
    • Breaches and incidents.

Privacy by design consultancy

After your training course, our consultants can work with your project teams to ensure they are effectively incorporating the learning into their projects. We can provide practical hands-on support, subject matter expertise for project teams, and project assurance.

You may also wish to consider an ongoing refresher training programme to remind your teams of their responsibilities and train them on any policy and practice updates.

Our consultants can provide ongoing privacy by design support, or help you through specific projects by working with your team for an extended period. We can support you with any of the following:

  • Writing policies and procedures to ensure privacy is considered for process revisions and new projects.
  • Advising on how to incorporate privacy by design into the culture of your organisation.
  • Working on specific projects to ensure all privacy concerns are addressed.
  • Educating project management staff on how to consider privacy by design in all future projects.
  • Project managing the development of training for all levels of staff including upper management.

Learn more about our privacy by design services
