Skip main navigation

Achieving data protection by design and by default

Dr. Bo Zhao briefly explains how to achieve data protection by design and by default as reflected in the GDPR.
Paint brushes and colours
© by stux via Pixabay

A significant, general GDPR duty for all data controllers is to achieve data protection by design and by default in their processing operations as reflected in Article 25. This is an important concept closely related to the concept of Privacy by Design (PbD) explained in week 1, but with a larger scope in the context of data and privacy protection.

Data protection by design means that the controller should take appropriate measures to protect personal data from the very beginning, meaning the design stage or the moment that the means of data processing are decided upon. The controller should design and implement appropriate technical and organisational measures to implement data protection principles, taking into account:

  • The state of the art (the most recent stage of the design);
  • The cost of implementation;
  • Nature, scope, context and purposes of processing;
  • The risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

Furthermore, by design means that both technical and organisational measures need to be effective and that the necessary safeguards are integrated. An example of an effective measure as mentioned in Article 25 is pseudonymisation. Pseudonymisation substitutes the identity of the data subject in such a way that additional information is required to re-identify a data subject. Such measures may also include anonymisation, which irreversibly destroys any way of identifying the data subject.

Data protection by default means that, by default, technical and organisational measures need to be taken to ensure that only personal data which are necessary for a specific purpose are processed. This obligation covers the amount of data collected, extent of processing, storage period and accessibility. This means that, by default, the less personal data that are processed, the better. This obligation includes that, by default, personal data are not accessible without the data subject’s intervention.

If you are interested in this topic and want to learn more, you can read the two articles listed below.

© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now