Key points:

European Data Protection Law requires appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights. This is called ‘data protection by design and by default’.

In essence, this means controllers must integrate or ‘bake in’ data protection into processing activities and business practices from the design stage and throughout the lifecycle.

This concept is related to the concept of ‘privacy by design’. Data protection by design is about considering data protection issues upfront. It helps ensure compliance with fundamental principles and requirements, and forms part of the focus on accountability.

Controllers bear the burden to comply with data protection by design and by default.

Controllers must only use processors that provide sufficient guarantees to meet the data protection by design and by default requirements.

Developers and designers have no specific obligations about how to design and build these products (although they may have specific obligations as a controller in their own right, e.g. for any employee data). However, because controllers are required to consider data protection by design when selecting services and products for use in their data processing activities, developers and designers that design products with data protection in mind may be in a better position.


European Data Protection Law requires controllers and processors to integrate data protection concerns into every aspect of their processing activities. This approach is called ‘data protection by design and by default’. The approach is risk-based (that is, it focuses on minimizing the risks to the data subjects) and requires accountability (that is, organizations must be able to demonstrate how they are complying).

Under Article 25 of GDPR:

Article 25: Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.


Data protection by design and by default is ultimately an approach that ensures controllers and processors consider data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. It requires them to:

  • establish appropriate technical and organizational measures designed to implement the data protection principles; and
  • integrate safeguards into their processing to meet legal requirements and protect individual rights.

Data protection by default means controllers must ensure they only process the personal data that is necessary to achieve specific purposes. It is linked to the fundamental data protection principles of data minimization and purpose limitation. Controllers have to process some personal data to achieve their purpose(s). Data protection by default requires controllers to specify the data before processing starts, appropriately inform individuals and only process the data needed for the specific purpose. It does not require the adoption of a ‘default to off’ solution, but it does require controllers to consider:

  • adopting a ‘privacy-first’ approach with any default settings of systems and applications;
  • avoiding presenting an “illusory” choice to individuals;
  • not processing additional data unless the individual provides consent;
  • ensuring that personal data is not automatically made public unless the individual decides to make it so; and
  • providing individuals with sufficient controls and options to exercise their rights.

Data protection by design and by default also applies in the context of international transfers, especially where personal data is transferred overseas to a third country that does not have an adequacy decision. Controllers must ensure that, whatever mechanism they use, appropriate safeguards are in place for these transfers. As detailed in Recital 108 of GDPR, these safeguards must include compliance with data protection by design and by default.

Data protection by design and by default is related to the obligation to perform data protection impact assessments (DPIAs). A DPIA is a tool to identify and reduce the data protection risks of processing activities and design more efficient and effective processes for handling personal data. DPIAs are an integral part of a data protection by design and by default program. For example, they can determine the type of technical and organisational measures needed in order to ensure processing complies with the data protection principles. However, a DPIA is only required in certain circumstances. In contrast, ‘data protection by design and by default’ is a broader concept, as it applies organisationally and requires certain considerations even before ultimately deciding whether your processing is likely to result in a high risk or not.


Who is responsible for data protection by design and by default?

Controllers bear the responsibility for complying with data protection by design and by default. Data protection by design is about adopting an organization-wide approach to data protection, and ‘baking it into’ any processing activity. Depending on the circumstances, controllers may have different requirements for different areas within their organization. For example:

  • Senior management must develop a culture of ‘privacy awareness’ and establish policies and procedures with data protection in mind;
  • Software engineers, system architects and application developers (i.e. those who design systems, products and services) should be knowledgeable about data protection requirements and assist in complying with data protection obligations.

In considering whether to impose a penalty, data protection authorities scrutinize the technical and organizational measures with respect to data protection by design principles.

Data processors are not specifically mentioned in Article 25 of GDPR. However, Article 28 specifies the considerations controllers must take when selecting a processor (a processor shall provide ‘sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’). This requirement covers both data protection by design in Article 25 and security obligations under Article 32. Although processors cannot necessarily assist with data protection by design implementation (unlike with security measures), controllers must only use processors that provide sufficient guarantees of compliance with the data protection by design and by default requirements.

When considering what to buy, controllers should choose products and services designed with data protection in mind. Therefore, data protection by design and by default can impact organizations other than controllers and processors. Examples include manufacturers, product developers, application developers and service providers. Recital 78 of GDPR extends the data protection by design concept to other organizations, although it does not place a requirement on them to comply (that obligation remains with the controller). It says:

Recital 78 of GDPR

‘When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.’

What does ‘data protection by design and by default’ require?

Data protection by design and by default requires putting in place appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights. There is no ‘one size fits all’ method to do this, and there is no ‘check-the-box’ list of measures that should be put in place. It depends on the circumstances. The key is to consider data protection issues from the start of any processing activity and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.

Some examples of how to accomplish this include:

  • minimizing personal data processing;
  • pseudonymizing personal data as soon as possible;
  • ensuring transparency of the functions and processing of personal data;
  • enabling individuals to monitor the processing; and
  • creating (and improving) security features.

Data protection by design and by default should be considered:

  • ‘at the time of the determination of the means of the processing’ — in other words, at the design phase of any processing activity; and
  • ‘at the time of the processing itself’ — i.e. throughout the processing activity lifecycle.

First step:
