Privacy by Design and Privacy by Default are important principles of the General Data Protection Regulation (GDPR), which are intended to ensure the protection of personal data in the design and default settings of systems and technologies. However, very few people know about the meaning of the terms and the resulting obligations.
The terms Privacy by Design and Privacy by Default are both defined in Art. 25 GDPR. In this article, you will learn exactly what is behind them. We will also take a look at the benefits of these two concepts and provide you with a checklist that will help you take stock of the situation with regard to the GDPR.
Article 25(1) of the GDPR talks about Privacy by Design. Privacy by Design means that data protection aspects should already be taken into account in the design phase of systems and technologies. The aim is to ensure that personal data are only collected, processed and used if absolutely necessary for the intended purpose.
Privacy and security measures should be built into the architecture and functionality of a system to ensure compliance with data protection regulations from the outset.
Privacy by Design thus primarily concerns software development and can be implemented, for example, through appropriate technical and organizational measures (TOM) (such as pseudonymization or anonymization) as early as the development phase.
However, Privacy by Design is not limited to software development; it can also be relevant in the design of websites. A transparent privacy statement is particularly important in this context. To this end, the statement should contain links to further information and highlight important information. In addition, the privacy statement should be easily accessible, meaning that it can also be reached from sub-pages.
Website operators must also observe the principle of Privacy by Design when using cookies. To ensure data minimization, the website should use as few cookies that are not technically necessary as possible.
The principle of data minimization also plays a role in the design of ordering processes in online stores. Store operators should process data that is not necessary for the ordering process only with the prior consent of the customer. In addition, these data fields should be marked as optional for the user.
Article 25(2) of the General Data Protection Regulation deals with Privacy by Default. Privacy by Default means that the highest possible level of data protection should be set by default in a system or technology. This means, for example, that only those personal data that are necessary for the intended purpose should be collected and that the highest data protection standards should be set by default.
The idea is that the default settings of services, systems or devices (factory settings) should be implemented to be as privacy-friendly as possible. This also serves to protect users who are not particularly tech-savvy and therefore unable to change privacy settings to suit their own preferences.
Privacy by Default can be relevant in practice in various contexts. In an opt-in context, users should be able to decide for themselves whether to consent to data processing that is not necessary. It should be possible to confirm or reject processing purposes individually.
If social media platforms comply with data protection by default, users should not have to worry about their data protection after registration. Access to posts and profiles should be severely restricted in the default settings. In addition, platforms should automatically restrict app access to the user account or user profile.
Both principles aim to strengthen data protection and ensure that personal data is adequately protected, both by the architecture and functionality of the systems and by the preset privacy options.
The two principles of Privacy by Design and Privacy by Default are of great importance to businesses and organizations when it comes to collecting and managing data from data subjects in a responsible manner. When you choose to collect data, you can reap many benefits:
For privacy-friendly data collection, the following seven criteria for Privacy by Design and Privacy by Default are critical for both software developers and enterprises:
Do you want to rely on open source solutions to implement Privacy by Design or Privacy by Default in your company and process data in a transparent and GDPR-compliant way? Get in touch with us!