Privacy by Design & Privacy by Default under the GDPR


Privacy by Design and Privacy by Default are important principles of the General Data Protection Regulation (GDPR), which are intended to ensure the protection of personal data in the design and default settings of systems and technologies. However, very few people know about the meaning of the terms and the resulting obligations.

The terms Privacy by Design and Privacy by Default are both defined in Art. 25 GDPR. In this article, you will learn exactly what is behind them. We will also take a look at the benefits of these two concepts and provide you with a checklist that will help you take stock of the situation with regard to the GDPR.

What does Privacy by Design mean?

Article 25(1) of the GDPR talks about Privacy by Design. Privacy by Design means that data protection aspects should already be taken into account in the design phase of systems and technologies. The aim is to ensure that personal data are only collected, processed and used if absolutely necessary for the intended purpose.

Privacy and security measures should be built into the architecture and functionality of a system to ensure compliance with data protection regulations from the outset.

Examples of Privacy by Design

Privacy by Design thus primarily concerns software development and can be implemented, for example, through appropriate technical and organizational measures (TOM) (such as pseudonymization or anonymization) as early as the development phase.

However, Privacy by Design is not limited to software development; it can also be relevant in the design of websites. A transparent privacy statement is particularly important in this context. To this end, the statement should contain links to further information and highlight important information. In addition, the privacy statement should be easily accessible, meaning that it can also be called up from sub-pages.

Website operators must also observe the principle of Privacy by Design when using cookies. To ensure data minimization, the website should use as few cookies that are not technically necessary as possible.

The principle of data minimization also plays a role in the design of ordering processes in online stores. Store operators should process data that is not necessary for the ordering process only with the prior consent of the customer. In addition, such data should be marked as optional for the user.
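The following sketch shows how the two measures named above, data minimization in an order form and pseudonymization, can look in code. It is an added example, not code from this article or from Glasskube; the field names, purpose names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac

# Fields the shop needs to fulfil an order (constructed for this example).
REQUIRED_FIELDS = {"email", "name", "shipping_address"}
# Optional fields, each mapped to the purpose the customer must opt in to.
OPTIONAL_FIELDS = {"phone": "delivery_sms", "birthday": "marketing"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, the pseudonym cannot be
    recomputed from a guessed e-mail address, unlike a plain hash. The result
    is still personal data; keep the key separate from the analytics store."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_order(form: dict, consented_purposes=frozenset()) -> dict:
    """Return only the data the order process may store.

    Consent defaults to the empty set, so optional data is dropped unless the
    customer opted in to the matching purpose."""
    missing = REQUIRED_FIELDS - {k for k, v in form.items() if v}
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    record = {f: form[f] for f in REQUIRED_FIELDS}
    for field, purpose in OPTIONAL_FIELDS.items():
        if form.get(field) and purpose in consented_purposes:
            record[field] = form[field]
    return record  # unknown fields (e.g. tracking IDs) are never copied


def analytics_event(record: dict, order_total: float, key: bytes) -> dict:
    """Event for the analytics store: a pseudonym instead of direct identifiers."""
    return {"customer": pseudonymize(record["email"], key), "total": order_total}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; real keys belong in a secret store
    form = {"email": "Ada@Example.org", "name": "Ada",
            "shipping_address": "1 Main St", "phone": "+49 30 000000",
            "birthday": "1990-01-01", "utm_id": "abc"}  # constructed sample input
    print(minimize_order(form))                      # required fields only
    print(minimize_order(form, {"delivery_sms"}))    # phone kept, birthday dropped
    print(analytics_event(minimize_order(form), 42.0, key))
```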

What does Privacy by Default mean?

Article 25(2) of the General Data Protection Regulation deals with this term. Privacy by Default means that the highest possible level of data protection should be set by default in a system or technology. This means, for example, that only those personal data that are necessary for the intended purpose should be collected and that the highest data protection standards should be set by default.

The idea is that the default settings of services, systems or devices (factory settings) should be implemented to be as privacy-friendly as possible. This also serves to protect users who are not particularly tech-savvy and therefore unable to change privacy settings to suit their own preferences.

Privacy by Default examples

Privacy by Default can be relevant in practice in various contexts. In an opt-in context, users should be able to decide for themselves whether to consent to data processing that is not necessary. It should be possible to confirm or reject processing purposes individually.

If social media platforms comply with data protection by default, users should not have to worry about their data protection after registration. Access to posts and profiles should be severely restricted in the default settings. In addition, platforms should automatically restrict app access to the user account or user profile.

Both principles aim to strengthen data protection and ensure that personal data is adequately protected, both by the architecture and functionality of the systems and by the preset privacy options.

Benefits for your company

The two principles of Privacy by Design and Privacy by Default are of great importance to businesses and organizations when it comes to collecting and managing data from data subjects in a responsible manner. If you apply them when you choose to collect data, you can reap many benefits:

  • You identify potential data privacy issues early and can more easily respond to them.
  • You increase awareness of data privacy and data security in your company.
  • You do not have to anonymize the data afterwards, which saves your IT department manual and time-consuming work.

Checklist for Privacy by Design and Privacy by Default

For privacy-friendly data collection, the following seven criteria for Privacy by Design and Privacy by Default are critical for both software developers and enterprises:

  • Proactive, not reactive: Identify potential privacy risks early and take appropriate steps to mitigate them.
  • Privacy by default: Ensure that personal data is automatically protected in all IT systems and avoid corrective action. This is the principle of Privacy by Default.
  • Data protection as a concept: Plan data protection into the strategy of your company or software. This is the principle of Privacy by Design.
  • End-to-end security: Protect personal data throughout its lifecycle and give users the right to erasure.
  • Data whereabouts: Ensure that your visitors' data remains in the country where you collect it.
  • Transparency: Only process data that serves your business objectives, and make sure your processes stand up to independent scrutiny.
  • Respect privacy: Support your users' individual privacy interests through privacy policies and standards.

Do you want to rely on open source solutions to implement Privacy by Design or Privacy by Default in your company and process data transparently and in a GDPR-compliant way? Get in touch with us!
