GDPR8 min read
Privacy by Design and Default: Building Privacy In
Privacy by Design and Default is a core GDPR requirement that shifts privacy from an afterthought to a fundamental consideration in how systems and processes are built. Rather than retrofitting privacy controls, organizations should embed them from the earliest design stages.
Key Takeaways
| Point | Summary |
|---|---|
| Legal requirement | GDPR Article 25 makes privacy by design and default mandatory |
| Design phase | Privacy considerations must be integrated from the start of any project |
| Default settings | Systems should be configured to maximize privacy by default |
| Ongoing obligation | Applies throughout the entire data processing lifecycle |
| Documentation | Organizations should document how they implement these principles |
Quick Answer: Privacy by Design means building privacy protections into systems from the start—not adding them later. Privacy by Default means systems should automatically apply the most privacy-protective settings. Both are legal requirements under GDPR Article 25.
What Does GDPR Require?
Privacy by Design (Article 25(1))
Controllers must implement appropriate technical and organizational measures designed to implement data protection principles effectively. This must happen:
- At the time of determining the means for processing (design phase)
- At the time of processing itself
Measures should take into account:
- The state of the art
- The cost of implementation
- The nature, scope, context, and purposes of processing
- The risks of varying likelihood and severity
Privacy by Default (Article 25(2))
Controllers must implement appropriate measures to ensure that, by default:
- Only personal data necessary for each specific purpose is processed
- This applies to the amount of data collected, extent of processing, retention period, and accessibility
- Personal data is not made accessible to an indefinite number of persons without individual intervention
The Seven Foundational Principles
Privacy by Design was originally developed by Ann Cavoukian and consists of seven principles that remain relevant guidance for GDPR compliance:
1. Proactive Not Reactive
| Principle | Application |
|---|---|
| Anticipate risks | Identify privacy risks before they materialize |
| Prevent harm | Design systems to prevent privacy issues, not just respond to them |
| Early intervention | Address privacy in planning, not after problems emerge |
2. Privacy as the Default
| Principle | Application |
|---|---|
| Automatic protection | Privacy protections apply without user action |
| Opt-in not opt-out | Additional data collection requires active choice |
| Minimal collection | Collect only what's needed by default |
3. Privacy Embedded into Design
| Principle | Application |
|---|---|
| Core functionality | Privacy is integral to the system, not an add-on |
| Architecture level | Built into technical architecture, not just policies |
| Full integration | Privacy measures embedded in business practices |
4. Full Functionality (Positive-Sum)
| Principle | Application |
|---|---|
| Avoid false trade-offs | Privacy doesn't have to sacrifice functionality |
| Win-win solutions | Find approaches that achieve both privacy and business goals |
| Creative design | Innovate to satisfy all requirements |
5. End-to-End Security
| Principle | Application |
|---|---|
| Full lifecycle | Protect data from collection through deletion |
| Secure destruction | Ensure data is properly deleted when no longer needed |
| Continuous protection | Security maintained throughout processing |
6. Visibility and Transparency
| Principle | Application |
|---|---|
| Open practices | Data handling practices are transparent |
| Verifiable | Privacy claims can be verified |
| Accountability | Clear responsibility for privacy |
7. Respect for User Privacy
| Principle | Application |
|---|---|
| User-centric | Individual interests are paramount |
| Strong defaults | Protect users who don't adjust settings |
| Empowerment | Give users meaningful control over their data |
Practical Implementation
In Product Development
Requirements Phase:
- Include privacy requirements alongside functional requirements
- Identify personal data the feature will process
- Determine legal basis for processing
- Consider whether a DPIA is needed
Design Phase:
- Apply data minimization principles
- Design for user control and transparency
- Plan for data subject rights (access, deletion, portability)
- Consider pseudonymization or anonymization where possible
Development Phase:
- Implement security controls appropriate to risk
- Build in access controls and audit logging
- Ensure data retention limits are enforced technically
- Test privacy features alongside functional tests
Deployment and Operations:
- Review privacy configuration before launch
- Monitor for privacy issues
- Plan for updates as privacy requirements evolve
In System Architecture
| Area | Privacy-by-Design Approach |
|---|---|
| Data storage | Encrypt at rest, use appropriate access controls |
| Data transmission | Encrypt in transit, minimize data in APIs |
| Authentication | Strong authentication, appropriate session management |
| Logging | Log what's needed for security, minimize personal data in logs |
| Backups | Include backups in retention and deletion processes |
| Third parties | Minimize data shared, ensure contractual protections |
Default Settings
Privacy by Default requires careful attention to initial configurations:
| Setting Type | Privacy-Protective Default |
|---|---|
| Profile visibility | Private by default |
| Marketing communications | Opt-in required |
| Data sharing | Disabled by default |
| Location tracking | Off by default |
| Analytics cookies | Blocked until consent |
| Account data | Accessible only to account owner |
Data Minimization Techniques
Data minimization is central to privacy by design:
Collect Only What's Needed
| Question | Action |
|---|---|
| Is this data element necessary? | Remove if not essential |
| Do we need this precision level? | Reduce granularity if possible |
| Do we need to identify individuals? | Use pseudonymization or anonymization |
| How long do we actually need this? | Set appropriate retention limits |
Technical Approaches
| Technique | Application |
|---|---|
| Pseudonymization | Replace identifiers with tokens; retain ability to re-identify if needed |
| Anonymization | Remove ability to identify individuals; data no longer subject to GDPR |
| Aggregation | Work with aggregate statistics rather than individual records |
| Data masking | Hide sensitive elements in test/development environments |
| Access controls | Limit who can see personal data to those with legitimate need |
Privacy in Common Scenarios
User Registration
Privacy-by-Design Approach:
- Request only essential information for account creation
- Make optional fields clearly optional
- Don't require more than needed for service delivery
- Provide clear privacy information at registration
- Set privacy-protective defaults for new accounts
Analytics and Tracking
Privacy-by-Design Approach:
- Use privacy-focused analytics tools where possible
- Implement proper cookie consent mechanisms
- Configure IP anonymization
- Limit data retention in analytics platforms
- Consider whether granular tracking is actually needed
Marketing Communications
Privacy-by-Design Approach:
- Require explicit opt-in (especially for EU/EEA)
- Make unsubscribe easy and immediate
- Don't pre-tick consent boxes
- Maintain separate consent for different communication types
- Document consent with timestamp and version
Customer Support
Privacy-by-Design Approach:
- Verify identity before discussing account details
- Limit support agent access to necessary information
- Implement automatic retention limits on support tickets
- Train support staff on privacy principles
- Provide self-service options for privacy-related requests
Documentation and Evidence
Organizations should document their privacy-by-design approach:
Design Documentation
| Element | Content |
|---|---|
| Privacy requirements | How privacy was considered in requirements |
| Design decisions | Privacy-related design choices and rationale |
| Risk assessment | Privacy risks identified and mitigated |
| Default settings | Documentation of default configurations |
Ongoing Evidence
| Element | Content |
|---|---|
| Privacy reviews | Records of privacy reviews for new features |
| Configuration audits | Evidence that defaults remain privacy-protective |
| Training records | Evidence that teams understand privacy by design |
| Process documentation | How privacy by design is integrated into development |
Common Challenges
Challenge 1: Legacy Systems
Older systems may not have been designed with privacy in mind.
Approach:
- Prioritize improvements based on risk
- Implement compensating controls where redesign isn't feasible
- Plan privacy improvements into maintenance cycles
- Document current state and improvement roadmap
Challenge 2: Third-Party Dependencies
Privacy by design can be harder when relying on vendor systems.
Approach:
- Include privacy requirements in vendor selection
- Configure vendor systems for maximum privacy
- Review vendor privacy practices and certifications
- Implement additional controls where vendor capabilities are limited
Challenge 3: Balancing Business Needs
Privacy by design can seem to conflict with business objectives.
Approach:
- Seek positive-sum solutions that achieve both
- Challenge assumptions about what data is "needed"
- Explore privacy-enhancing technologies
- Involve privacy expertise early to find creative solutions
Challenge 4: Cultural Change
Privacy by design requires organization-wide commitment.
Approach:
- Leadership support for privacy as a priority
- Training for all teams involved in product development
- Include privacy in project approval processes
- Recognize and reward privacy-conscious design
How Bastion Helps
Embedding privacy by design into your organization requires both expertise and practical processes. Working with experienced partners helps establish approaches that are effective without slowing down development.
| Challenge | How We Help |
|---|---|
| Process Integration | Guidance on integrating privacy into your development lifecycle |
| Design Reviews | Support for privacy reviews of new features and products |
| Technical Guidance | Recommendations for privacy-enhancing technical approaches |
| Training | Programs to build privacy-by-design capability in your teams |
| Documentation | Templates and support for demonstrating compliance |
| Vendor Assessment | Privacy-focused evaluation of third-party tools and services |
Establishing privacy by design as standard practice helps organizations move faster in the long run—avoiding the costly remediation work that comes from bolting privacy on after the fact.
Looking for help implementing privacy by design? Talk to our team →
Sources
- GDPR Article 25 (EUR-Lex) - Official text on data protection by design and default
- EDPB Guidelines on Data Protection by Design and Default - EDPB guidance on Article 25
- ENISA Privacy by Design - Technical guidance from EU cybersecurity agency