Privacy by design and default

An approach to systems development that requires data protection to be considered throughout the system development process.

The term privacy by design and default may have specific meanings in different jurisdictions. For example, the General Data Protection Regulation (GDPR) includes a requirement for privacy by design and privacy by default that requires a data controller to implement appropriate technical and organisational measures, such as pseudonymisation, when processing personal data to ensure compliance with data protection principles, including data minimisation (Article 25(1), GDPR; Guidelines 4/2019 on Article 25 Data Protection by Design and by Default).

Privacy by default requires that protection of personal data be a default for all an organisation's systems and services. The essence of this concept is that only personal data which are necessary for each specific purpose of the processing are processed and data controllers must structure their systems and processes to meet the concept of data minimisation (Article 25(2), GDPR).

For more information on privacy by design and default, see Practice note, Demonstrating Compliance with the GDPR: Data Protection by Design and by Default.