Want to keep learning?

This content is taken from the University of Groningen's online course, Understanding the GDPR. Join the course to learn more.
Paint brushes and colours

Achieving data protection by design and by default

A significant, general GDPR duty for all data controllers is to achieve data protection by design and by default in their processing operations as reflected in Article 25. This is an important concept closely related to the concept of Privacy by Design (PbD) explained in week 1, but with a larger scope in the context of data and privacy protection.

Data protection by design means that the controller should take appropriate measures to protect personal data from the very beginning, meaning the design stage or the moment that the means of data processing are decided upon. The controller should design and implement appropriate technical and organisational measures to implement data protection principles, taking into account:

  • The state of the art (the most recent stage of the design);
  • The cost of implementation;
  • Nature, scope, context and purposes of processing;
  • The risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

Furthermore, by design means that both technical and organisational measures need to be effective and that the necessary safeguards are integrated. An example of an effective measure as mentioned in Article 25 is pseudonymisation. Pseudonymisation substitutes the identity of the data subject in such a way that additional information is required to re-identify a data subject. Such measures may also include anonymisation, which irreversibly destroys any way of identifying the data subject.

Data protection by default means that, by default, technical and organisational measures need to be taken to ensure that only personal data which are necessary for a specific purpose are processed. This obligation covers the amount of data collected, extent of processing, storage period and accessibility. This means that, by default, the less personal data that are processed, the better. This obligation includes that, by default, personal data are not accessible without the data subject’s intervention.

If you are interested in this topic and want to learn more, you can read the two articles listed below.

Share this article:

This article is from the free online course:

Understanding the GDPR

University of Groningen

Get a taste of this course

Find out what this course is like by previewing some of the course steps before you join: