Data Protection by Design and by Default Explained
GDPR Article 25 appears in some of the largest regulatory fines issued by European data protection authorities — yet many organisations still treat privacy as a late-stage checklist. Data protection by design and by default changes that equation: it legally requires every system, product, and process to embed privacy before launch, not retrofit it afterward.
Quick Answer: Data protection by design means building privacy safeguards — such as pseudonymisation and encryption — into systems from the planning stage. Data protection by default means automatically applying the most privacy-protective settings so only the minimum necessary data is processed. Both have been mandatory under GDPR Article 25 since May 25, 2018, with fines of up to €20 million or 4% of global turnover for violations.
Data protection by design and by default is a legal obligation under GDPR Article 25 requiring data controllers to implement appropriate technical and organisational measures that integrate data protection principles — especially data minimisation — into processing activities from the outset, and to ensure that the most protective settings apply by default.
What Is Data Protection by Design and by Default?
Data protection by design and by default is a mandatory requirement under GDPR Article 25 for any data controller operating in or targeting the European Economic Area. The obligation covers two timing dimensions: measures must be in place both at the time an organisation decides how to carry out processing and at the time the actual processing takes place.
The regulation's exact text:
"The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
This obligation has roots in the 1970s and was formalised in European law through the 1995 Data Protection Directive (Directive 95/46/EC), which emphasised the necessity of technical and organisational measures at the planning stage of processing systems. The GDPR made it a directly enforceable duty, with all organisations required to comply from May 25, 2018.
Data Protection by Design vs. by Default: Key Differences
The two elements address different questions. Design asks how a system is built; default asks what state it ships in.
Data Protection by Design
Data protection by design requires privacy safeguards to be incorporated into system architecture from the planning stage. Organisations are encouraged to implement technical and organisational measures at the earliest stages of the design of processing operations to safeguard privacy principles from the start.
Recognised measures include:
| Measure | What it does |
|---|---|
| Pseudonymisation | Replaces personally identifiable material with artificial identifiers, so data cannot be attributed to a specific individual without additional information |
| Encryption | Encodes data so only authorised parties can read it |
| Data minimisation by architecture | Systems designed to collect only the data fields genuinely needed for the stated purpose |
| Access restrictions | Limits sensitive data access to authorised personnel only |
The GDPR does not prescribe exact measures: encryption, pseudonymisation, and anonymisation are all valid, and it is left to each organisation to determine the combination that demonstrably achieves the required data-protection outcome.
Data Protection by Default
Data protection by default requires that the most privacy-protective settings are automatically applied. Personal data must not be made accessible without the individual's intervention to an indefinite number of persons.
A clear practical example: a social media platform that automatically sets users' profiles to a restricted audience rather than making them publicly visible by default. The user can loosen those settings, but privacy is the starting point — not something the user must opt into.
The UK Information Commissioner's Office (ICO) adds another dimension: for services likely to be accessed by children, organisations must take into account children's needs and incorporate suitable protective measures throughout the design and operational stages.
The Seven Principles of Privacy by Design
Privacy by design rests on seven fundamental principles first articulated in the paper Privacy by Design in Law, Policy and Practice and later endorsed by data protection regulators worldwide. GDPR Article 25 operationalises these principles as a legal duty.
Proactive, Not Reactive — Address privacy risks before they materialise. Anticipate and prevent, rather than remediate breaches after the fact.
Privacy as the Default Setting — Personal data must be automatically protected. Users should not need to take action to secure their privacy.
Privacy Embedded into Design — Privacy is a core function of systems and processes from the beginning, not an add-on or afterthought.
Full Functionality — Positive-Sum, Not Zero-Sum — Privacy and operational goals are both achievable. One does not need to be traded off against the other.
End-to-End Security — Full lifecycle protection of personal data, from collection through to deletion or anonymisation.
Visibility and Transparency — Organisations must provide users with clear information about data protection measures and allow them to manage their preferences, including Data Subject Access Requests (DSARs).
Respect for User Privacy — Strong defaults and user-centric design ensure that privacy protections are comprehensive, not nominal.
How to Implement Data Protection by Design and by Default
Implementation is a continuous discipline across the development lifecycle, not a one-time sign-off.
At the design stage:
Conduct a privacy risk assessment before finalising technology choices
Ensure appropriate security controls are defined in the architecture specification
Design systems to collect only the data fields necessary for each stated purpose
Apply pseudonymisation or encryption wherever the use case permits
Implement access restrictions so only authorised personnel reach sensitive data
At the operational stage:
Provide clear information to data subjects about how their data is processed and their rights
Minimise personal data processing to what is strictly required by law or the stated purpose
Maintain privacy-friendly defaults across software updates — settings must not silently revert to data-hungry configurations after a release
Document every measure taken; this documentation is the primary evidence during a DPA investigation
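As an added illustration of the design-stage and operational-stage steps above (this is example code, not from the original page or any regulator's guidance): a small Python module that minimises a sign-up record to the fields each purpose needs, pseudonymises the identifier with a keyed HMAC whose key is held separately from the data, starts every account from the most protective settings, and merges a release's new defaults without reverting choices the user already made. The purposes, field names and settings are hypothetical.

```python
import hmac
import hashlib

# Constructed sample of a sign-up form submission (not from the original page).
RAW_SIGNUP = {
    "email": "Alice@Example.com",
    "name": "Alice Example",
    "date_of_birth": "1990-04-12",
    "phone": "+44 7700 900123",
}

# Data minimisation by architecture: each stated (hypothetical) purpose has an allowlist of fields.
PURPOSE_FIELDS = {
    "account": {"email", "name"},
    "analytics": {"date_of_birth"},
}

# Privacy by default: the most protective value is the starting point for every setting.
DEFAULT_SETTINGS = {"profile_visibility": "restricted", "marketing_opt_in": False}

def minimise(record, purpose):
    """Keep only the fields the stated purpose genuinely needs; everything else is dropped."""
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}

def pseudonymise(identifier, secret_key):
    """Keyed HMAC: the pseudonym is stable but cannot be reversed or rebuilt
    without the key, which is the 'additional information' held separately."""
    return hmac.new(secret_key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()

def build_analytics_record(raw, secret_key):
    """Analytics gets a pseudonym and a coarse birth decade, never the raw identifiers."""
    rec = minimise(raw, "analytics")
    year = int(rec.pop("date_of_birth")[:4])
    rec["birth_decade"] = year - year % 10
    rec["subject_id"] = pseudonymise(raw["email"], secret_key)
    return rec

def apply_defaults(user_choices):
    """Start from the protective defaults; only known settings the user explicitly set may change."""
    settings = dict(DEFAULT_SETTINGS)
    settings.update({k: v for k, v in user_choices.items() if k in DEFAULT_SETTINGS})
    return settings

def settings_after_release(stored, new_defaults):
    """A release may add new settings at their protective default but must not
    overwrite choices the user already made."""
    return {**new_defaults, **stored}
```

The HMAC key is the re-identification secret: keeping it in a separate system from the analytics store is what makes the pseudonym count as pseudonymised rather than merely hashed.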
Article 25 also allows organisations to use approved certification mechanisms under GDPR Article 42 to demonstrate compliance. Certification signals to regulators and business partners that statutory requirements have been met.
Beyond compliance, following data protection by design and by default can reduce long-term costs by avoiding expensive redesigns when privacy gaps surface late, build user trust, and facilitate partnerships with organisations that require robust information governance standards.
Regulatory Enforcement and Fine Exposure
Article 25 carries significant enforcement risk. A May 2023 Future of Privacy Forum report analysed over 92 DPA cases and court rulings across 16 EEA member states, the UK, and the EDPB. The headline finding: despite Article 25's relatively vague wording, it is frequently cited in some of the highest GDPR fines.
The report also reveals a divergence across European DPAs: some are reluctant to find Article 25 violations in isolated incidents, while others apply it preventively — meaning the enforcement landscape varies by jurisdiction.
For the most severe violations, fines reach €20 million or 4% of global annual turnover, whichever is higher. Treating data protection by design and by default as a checkbox exercise — rather than a genuine operational commitment — is the shortest route to those penalties.
Frequently Asked Questions
What is data protection by design and by default?
Data protection by design requires organisations to embed privacy safeguards — such as pseudonymisation, encryption, and data minimisation — into systems and processes from the earliest design stage. Data protection by default requires that the most privacy-protective settings be applied automatically, without requiring user action. Both are mandatory under GDPR Article 25.
What are the seven principles of privacy by design?
The seven principles are: (1) proactive, not reactive; (2) privacy as the default setting; (3) privacy embedded into design; (4) full functionality — positive-sum, not zero-sum; (5) end-to-end security across the full data lifecycle; (6) visibility and transparency; and (7) respect for user privacy with strong defaults and user-centric design.
What are practical examples of data protection by design and by default?
A practical example of data protection by design is applying pseudonymisation — replacing names with artificial identifiers — during the system build phase. A practical example of data protection by default is a social media platform that automatically sets users' profiles to a restricted audience, rather than making them publicly visible unless the user actively changes this.
What are the penalties for violating GDPR Article 25?
For severe violations, GDPR fines can reach €20 million or 4% of a company's global annual turnover, whichever is higher. Article 25 violations are frequently cited in some of the largest fines issued by European data protection authorities.
Can certification demonstrate GDPR Article 25 compliance?
Yes. Approved certification mechanisms under GDPR Article 42 can be used as an element to demonstrate compliance with Article 25. Certification signals to regulators and partners that the organisation has met statutory data protection requirements, though it does not confer automatic immunity from enforcement.
Conclusion
Data protection by design and by default is not a philosophical principle — it is an enforceable legal duty with a well-documented fine record. The practical steps are concrete: assess privacy risks before building, apply pseudonymisation and encryption where feasible, ship with the most restrictive defaults, and document every decision.
If you handle personal data for EU residents, start by mapping your current systems against the seven Privacy by Design principles. Where defaults lean toward data collection rather than data protection, that gap is your Article 25 exposure. Closing it systematically is both a legal obligation and a competitive advantage in an era where user trust is increasingly difficult to earn back once lost.