Data Protection by Design and by Default
Plain English Translation
GDPR Article 25 requires organizations to integrate data protection principles directly into the design of their business processes and technical systems from the very beginning. This concept, commonly called 'privacy by design', ensures that appropriate safeguards are built in rather than added as an afterthought. Additionally, 'privacy by default' dictates that, without any action by the user, a system collects, processes, stores and exposes only the personal data necessary for each specific purpose.
Technical Implementation
Required Actions (startup)
- Define baseline data minimization rules to prevent the over-collection of user data.
- Set application defaults to the most privacy-restrictive settings, such as keeping user profiles private initially.
Required Actions (scaleup)
- Incorporate privacy checkpoints and threat modeling into the software development life cycle (SDLC).
- Implement pseudonymisation and strict access controls on internal databases by default.
Required Actions (enterprise)
- Automate privacy-by-design checks within CI/CD pipelines to block deployments lacking proper data safeguards.
- Require a formal DPIA for all new product features and architectural changes before development begins.
GDPR Article 25 requires controllers to build data protection into their systems and processes from inception (data protection by design) and to ensure, through technical and organisational measures, that only the personal data necessary for each purpose are processed by default (data protection by default).
Article 25 binds the data controller, who is ultimately responsible for meeting it. Processors and the developers of products and services are not directly addressed by the article, but Recital 78 encourages producers to design their products so that controllers are able to fulfil these obligations, and a controller cannot meet Article 25 on a system that offers no way to minimise, pseudonymise or restrict access to data.
Article 25(1) is the 'by design' obligation: safeguards such as pseudonymisation are built into the processing both when the means of processing are determined and at the time of the processing itself. Article 25(2) is the 'by default' obligation: without any intervention by the user, only the personal data necessary for each specific purpose are processed, measured in four dimensions: the amount of data collected, the extent of processing, the period of storage, and accessibility.
Good default privacy settings for a web application include keeping user profiles private initially, disabling location tracking until the user explicitly enables it, and leaving optional marketing consent boxes unchecked.
To implement data minimisation by default, organizations should define schemas that carry only the fields a stated purpose needs and discard everything else at the input boundary, enforce automated retention periods per purpose, and restrict access to each data set to the components that need it for the immediate purpose.
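The following is an added example, not code from the original page or from WatchDog Security, showing the four default settings from the passage above implemented in one small Python module: a per-purpose field allow-list (amount collected), restrictive settings that the client cannot pre-loosen at sign-up (extent of processing and accessibility), a keyed pseudonym used as the join key for other systems, and a retention sweep that removes a field once every purpose that needed it has expired (storage period). The purposes, retention periods, secret key and sign-up payload are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical allow-lists: each declared purpose names the only fields it may
# store. A field that appears in no purpose is never persisted.
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "shipping": {"postal_address"},
}

# Hypothetical storage period per purpose; data outlives none of its purposes.
RETENTION = {"account": timedelta(days=730), "shipping": timedelta(days=90)}

# Restrictive defaults written on creation regardless of what the client sent.
PRIVACY_DEFAULTS = {
    "profile_visibility": "private",
    "location_tracking": False,
    "marketing_consent": False,
}

# Hypothetical controller-held secret. A keyed hash (HMAC) rather than a bare
# SHA-256 means a party holding only the database cannot recover e-mail
# addresses from the pseudonym by hashing guesses.
PSEUDONYM_KEY = b"example-only-rotate-and-keep-in-a-kms"

METADATA = {"subject_ref", "purposes", "created_at", "settings"}


def pseudonymise(identifier: str) -> str:
    """Map a direct identifier to a stable token usable as a join key elsewhere."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()


def fields_needed(purposes) -> set:
    """Union of the allow-lists of the given purposes (empty set for none)."""
    return set().union(*(PURPOSE_FIELDS[p] for p in purposes))


def create_profile(raw: dict, purposes: set, now: datetime) -> dict:
    """Persist only what the declared purposes need, with restrictive defaults.

    Client-supplied settings in `raw` are ignored: the subject may loosen a
    default later through `subject_opts_in`, never pre-loosen it at sign-up.
    """
    allowed = fields_needed(purposes)
    record = {k: v for k, v in raw.items() if k in allowed}
    record["subject_ref"] = pseudonymise(raw["email"])
    record["purposes"] = set(purposes)
    record["created_at"] = now
    record["settings"] = dict(PRIVACY_DEFAULTS)
    return record


def subject_opts_in(record: dict, setting: str, value) -> dict:
    """The only path that widens processing: an explicit act by the data subject."""
    if setting not in PRIVACY_DEFAULTS:
        raise KeyError(f"unknown setting {setting!r}")
    record["settings"][setting] = value
    return record


def enforce_retention(record: dict, now: datetime) -> dict:
    """Drop fields whose every purpose has expired; keep the rest untouched."""
    age = now - record["created_at"]
    live = {p for p in record["purposes"] if age <= RETENTION[p]}
    keep = fields_needed(live) | METADATA
    trimmed = {k: v for k, v in record.items() if k in keep}
    trimmed["purposes"] = live
    return trimmed


# Constructed sample: an over-eager sign-up form posting more than it should.
RAW_SIGNUP = {
    "email": "alice@example.com",
    "display_name": "alice",
    "postal_address": "1 Example Street",
    "date_of_birth": "1990-01-01",      # no declared purpose: never stored
    "phone": "+44 7700 900000",         # no declared purpose: never stored
    "profile_visibility": "public",     # client cannot pre-loosen a default
}


def demo() -> dict:
    """Run the sample through creation and two retention sweeps."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    rec = create_profile(RAW_SIGNUP, {"account", "shipping"}, t0)
    return {
        "created": rec,
        "day100": enforce_retention(rec, t0 + timedelta(days=100)),
        "day800": enforce_retention(rec, t0 + timedelta(days=800)),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, sorted(k for k in r if k not in METADATA), r["settings"])
```

Two design points are worth noting. Minimisation happens at creation, not in a later clean-up job, so the over-collected fields never reach storage at all. And retention is tied to purposes rather than to the record: after 100 days the shipping address is gone while the account data is kept, and a field shared by two purposes survives until both have expired.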
Expected technical and organisational measures for GDPR Article 25 include pseudonymisation, encryption, strict access controls, data minimization protocols, and incorporating formal privacy checkpoints within the SDLC and development pipelines.
To demonstrate Article 25 compliance to auditors, organizations must maintain thorough privacy-by-design documentation and evidence such as architecture diagrams, formal DPIAs, secure development policies, and system configuration logs. Tools like WatchDog Security's Compliance Center can help map required evidence to this control, collect it consistently, and show gaps when artifacts or approvals are missing.
Data protection by design (Article 25) and the Data Protection Impact Assessment (Article 35) are related but distinct. A DPIA is required where processing is likely to result in a high risk to the rights and freedoms of individuals, whereas Article 25 applies continuously to all processing. The DPIA is the tool that documents the risk assessment behind privacy-by-design choices and the measures chosen to address it.
To implement privacy by design in software development, engineering teams integrate privacy reviews, threat modeling, and data minimisation checks into their Agile or DevOps workflows so that they run before code is deployed, not after.
Common failures include collecting excessive user data 'just in case' and exposing user profiles publicly by default. Both are avoided by forcing restrictive defaults from the start and by refusing to add any field that has no stated purpose and retention period.
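As an added example (not code from the original page or from WatchDog Security) of the automated CI/CD check described in the enterprise actions and in the paragraph on DevOps workflows above, the script below lints a hypothetical per-feature data manifest that a team would keep in its repository and exits non-zero when a field has no stated purpose, when retention is unbounded, when a setting that widens processing defaults to on, or when the feature references no DPIA. The manifest format, the rule names and the sample content are all constructed for this example.

```python
import json
import sys

# Constructed sample manifest: each feature declares the personal data it
# collects, the purpose and retention of every field, its user-facing settings,
# and the DPIA that approved it. In a pipeline this would be read from the repo.
MANIFEST = """
{
  "feature": "checkout",
  "dpia": null,
  "fields": [
    {"name": "email",          "purpose": "order confirmation", "retention_days": 730},
    {"name": "postal_address", "purpose": "shipping",           "retention_days": 90},
    {"name": "date_of_birth",  "purpose": "",                   "retention_days": 3650},
    {"name": "phone",          "purpose": "delivery contact",   "retention_days": null}
  ],
  "settings": [
    {"name": "public_profile",    "default": true,  "expands_processing": true},
    {"name": "location_tracking", "default": true,  "expands_processing": true},
    {"name": "marketing_consent", "default": false, "expands_processing": true},
    {"name": "dark_mode",         "default": true,  "expands_processing": false}
  ]
}
"""


def load_manifest(text: str) -> dict:
    return json.loads(text)


def check_manifest(doc: dict) -> list:
    """Return (rule, location, message) findings; an empty list passes the gate."""
    findings = []
    feature = doc.get("feature", "<unnamed>")

    # Hypothetical policy rule: every feature references an approved DPIA.
    if not doc.get("dpia"):
        findings.append(("dpia-missing", feature, "no DPIA reference for this feature"))

    for f in doc.get("fields", []):
        loc = f"{feature}.fields.{f.get('name', '?')}"
        # Article 25(2): amount of data collected is limited to what a purpose needs.
        if not f.get("purpose"):
            findings.append(("purpose-missing", loc, "field collected without a stated purpose"))
        # Article 25(2): the storage period must be bounded.
        days = f.get("retention_days")
        if not isinstance(days, int) or isinstance(days, bool) or days <= 0:
            findings.append(("retention-unbounded", loc, "retention_days must be a positive integer"))

    for s in doc.get("settings", []):
        loc = f"{feature}.settings.{s.get('name', '?')}"
        # Article 25(2): extent of processing and accessibility default to the
        # minimum, so anything that widens processing starts off and is opted into.
        if s.get("expands_processing") and s.get("default") is not False:
            findings.append(("default-permissive", loc, "setting that expands processing defaults to on"))

    return findings


def findings_for_sample() -> list:
    return check_manifest(load_manifest(MANIFEST))


def main() -> int:
    findings = findings_for_sample()
    for rule, loc, msg in findings:
        print(f"FAIL {rule:<20} {loc}: {msg}")
    if findings:
        print(f"{len(findings)} privacy-by-default finding(s); blocking deployment")
        return 1
    print("privacy-by-default checks passed")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit code is what blocks the deployment; the printed findings double as the evidence an auditor asks for, since each one names the rule, the feature and the field or setting concerned. Settings that do not widen processing (here `dark_mode`) are deliberately left alone so the gate checks privacy defaults rather than every default.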
Data protection by design requires repeatable checkpoints and evidence across the SDLC, not ad-hoc reviews. Tools like WatchDog Security's Policy Management can standardize secure-by-design and privacy-by-default requirements, track developer acceptance, and maintain versioned approvals for audit-ready proof.
Privacy by default must be demonstrated through measurable configuration states, access rules, and deployment outcomes over time. Tools like WatchDog Security's Compliance Center can map Article 25 expectations to controls, centralize evidence collection (e.g., SDLC checklists, configuration snapshots), and highlight gaps when required proofs are missing.
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |