CIPP/E Study Guide
IAPP Training · Module 10 - BoK IV.B

Module 10 · Data protection by design and by default (Article 25)

Article 25 sets two linked duties. Data protection by design begins before processing and bakes data protection into the planning/design phase. Data protection by default sustains that during processing - by default, only the personal data necessary for each specific purpose is collected, processed, stored and made accessible (data minimisation by default).

By design vs by default (Article 25)
| | Data protection by design | Data protection by default |
|---|---|---|
| When it applies | Before processing, at the planning/design phase | During processing |
| What it requires | Bake data protection into the design of systems and processes | By default, only data necessary for each specific purpose is collected, processed, stored and accessible (data minimisation by default) |

Exam trap

The distinguishing factor is timing: by design = before/at planning; by default = during processing. Mixing those up is a common exam mistake.

Key terms - quick answers

What is “Data protection by design”?
Building data protection into the planning and design phase, before processing begins.
What is “Data protection by default”?
Ensuring that, by default, only personal data necessary for each specific purpose is collected, processed, stored and made accessible.