Data protection by design and by default
Article 25 requires data protection by design and data protection by default - the technical and organisational measures a controller builds in to protect rights. By design means embedding data protection into the design of systems from the outset and across the whole life cycle (Ann Cavoukian's seven foundational principles of PbD). By default means that only the personal data necessary for each specific purpose is processed unless the user chooses otherwise - limiting the amount collected, the extent of processing, accessibility and the storage period (e.g. the strictest privacy settings are on by default). The duty falls on controllers, not processors, though processors are 'key enablers'. Controllers weigh the state of the art, cost, and the nature/scope/context/purposes and risks of processing; an approved certification can help demonstrate compliance.
Data protection by design is about building in protection from the start. Former Ontario Commissioner Ann Cavoukian developed Privacy by Design (PbD) with seven foundational principles, advocating embedding data protection into the design specifications of new systems and technologies. It applies not just at planning/execution but across the entire life cycle of the data.
Data protection by default is the separate obligation that, by default, only the personal data necessary for each specific purpose is processed. This limits the amount collected, the extent of processing, how accessible the data is, and the storage period - e.g. the strictest privacy settings apply automatically once a customer acquires a product. Unlike the Directive's general 'don't process excessive data' rule, Article 25 imposes an explicit obligation to implement measures to deliver this.
| Dimension | Data protection BY DESIGN | Data protection BY DEFAULT |
|---|---|---|
| Core idea | Build protection INTO the design of systems/processes from the outset | By DEFAULT, only data necessary for each specific purpose is processed |
| Focus | How systems are conceived, developed and run across the life cycle | The default settings/extent - amount, processing, accessibility, retention |
| Typical example | IT designs a product so controllers can fulfil all GDPR obligations | Strictest privacy settings switched on automatically; auto-deletion after a set period |
| Origin | Cavoukian's seven foundational PbD principles | Explicit GDPR obligation building on the Directive's anti-excess rule |
The Article 25 obligation falls on the controller, not the processor. The EDPB still calls processors key enablers - they support by embedding protection into their solutions - but the legal duty is the controller's.
- Technical measures named: minimising the amount of personal data; pseudonymisation; giving individuals greater control and visibility; applying appropriate security standards
- Factors to weigh: state of the art, cost of implementation, and the nature, scope, context and purposes plus the risks of varying likelihood and severity to rights and freedoms
- An approved certification mechanism (Article 42) may be used as an element to demonstrate compliance - though in practice these remained largely theoretical