Article 25

Data protection by design and by default

1.   Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2.   The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

3.   An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

What does it mean?

Article 25 of the GDPR addresses the concept of “Data Protection by Design and by Default,” commonly referred to as privacy by design and privacy by default.

Organizations must implement appropriate technical and organizational measures to ensure that data protection principles are integrated into the design and operation of their systems, products, and services.

The goal is to enhance data privacy and protection throughout all stages of personal data processing.

This concept is essential for achieving effective data protection, and thus for ensuring compliance with the GDPR.

To ensure the protection of rights and freedoms of individuals, it is essential to conduct a risk assessment. This risk assessment should evaluate the likelihood and severity of potential impacts on privacy and data protection for individuals.

This can be done by evaluating the nature of the personal data involved, the sensitivity of the data, and the potential consequences if the data were to be compromised or mishandled.

The risk assessment will determine the current level of risk. Then, you should take steps to reduce this risk to an acceptable level by implementing technical and organizational measures.

Privacy by Design is an approach that incorporates data protection and privacy features and principles into the development process of systems, products, and services.

It involves identifying and addressing potential risks to privacy and implementing measures to mitigate those risks.

All organizations are required to incorporate Privacy by Design into their processing of personal data, as set out in Article 25 of the GDPR.

Privacy by Default refers to the practice of setting the default option in any process or system to the most privacy-friendly choice, without requiring any action from the individual. This principle aligns with the data protection principle of data minimization.

By defaulting to enhanced privacy, individuals receive the highest level of privacy protection from the moment they begin using a system, product, or service.

Furthermore, Privacy by Default means that organizations should limit the collection, use, and storage of personal data to only what is necessary for the specified purposes.

Article 25 requires your organization to implement privacy by design and by default, which means adjusting all handling of personal data in order to protect it.

Unfortunately, organizations frequently treat security and privacy protection as an afterthought, addressed only once the product or business process has already been designed.

This becomes even more problematic as new processes and systems are continuously added to and integrated with the existing ones. The result is a scattered and complex security landscape for the organization, full of weaknesses that are difficult to patch and secure, and overhead costs increase as well.

Integrating the requirements of Article 25 will improve the protection of personal data and make it easier to sustain as business processes and systems develop.

Some examples of implementing Privacy by Design and by Default include:

  • Implementing default settings that prioritize privacy, such as giving individuals the option to opt-in instead of opt-out of data collection and processing.
  • Applying access controls to restrict access only to those who need it.
  • Conducting risk assessments when developing new business processes or systems to identify and address potential privacy risks.
  • Ensuring that all employees are educated in data protection principles and IT security, and have a sufficient understanding of how to process personal data safely.
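As an added illustration (not part of the original page or of any official GDPR guidance), the following Python sketch encodes the four dimensions named in paragraph 2 of Article 25 (amount of data collected, extent of processing, storage period, accessibility) as a purpose-bound policy with privacy-friendly defaults. The purposes, field names, retention periods and pseudonymisation key are constructed placeholders.

```python
# Added illustration of Article 25(2): purpose-bound data minimisation with
# privacy-friendly defaults. Purposes, field names, retention periods and the
# pseudonymisation key below are constructed placeholders, not real policy.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset        # amount: only the fields this purpose needs
    retention_days: int      # storage period
    default_audience: str    # accessibility: "staff" = need-to-know unless the person opts in


PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment", frozenset({"name", "postal_address"}), 180, "staff"),
    "usage_analytics": Purpose("usage_analytics", frozenset({"user_id", "page"}), 30, "staff"),
}
PSEUDONYMISED = {"user_id"}            # fields replaced by a keyed pseudonym before processing
PSEUDO_KEY = b"constructed-demo-key"   # in practice a managed secret stored apart from the data


def pseudonymise(value: str) -> str:
    # Keyed hash: without the key nobody can recompute the mapping by enumerating
    # a small identifier space, which a bare SHA-256 would allow.
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, today_iso: str) -> dict:
    """Keep only the fields the purpose needs, pseudonymise where possible,
    and stamp the record with its deletion date and default audience."""
    p = PURPOSES[purpose]
    kept = {k: (pseudonymise(v) if k in PSEUDONYMISED else v)
            for k, v in record.items() if k in p.fields}   # extra fields are never stored
    today = date.fromisoformat(today_iso)
    kept["_delete_after"] = (today + timedelta(days=p.retention_days)).isoformat()
    kept["_audience"] = p.default_audience
    return kept


def visible_to(minimised: dict, viewer_role: str, opted_in_public: bool = False) -> bool:
    """Privacy by default: a record is never public unless the individual actively opted in."""
    if minimised["_audience"] == "staff" and not opted_in_public:
        return viewer_role == "staff"
    return True
```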

Are there specific requirements for implementing Data Protection by Design and by Default?

Yes, there are specific requirements for implementing Data Protection by Design and by Default.

Article 25 of the GDPR mandates that organizations must implement appropriate technical and organizational measures to ensure that data protection principles are considered and integrated into the design and operation of their systems, products, and services.

This includes taking a proactive approach to privacy and data protection, setting privacy as the default setting, minimizing data collection, ensuring purpose limitation, providing transparency to individuals, giving user control and obtaining consent, implementing data security measures, and more.

To ensure compliance with Article 25 of the GDPR, a company should take the following steps:

  • Map the processing of personal data in all processes and systems, as required by Article 30’s records of processing activities.
  • Conduct a risk assessment of these processes and systems.
  • Implement privacy by design and by default to reduce the identified risk level in the risk assessments.
  • Document the use of privacy by design and by default, for example, by adding documentation of this to the records of processing activities.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.