
Achieving data protection by design and by default

Dr. Bo Zhao briefly explains how to achieve data protection by design and by default as reflected in the GDPR.
© University of Groningen

A significant, general GDPR duty for all data controllers is to achieve data protection by design and by default in their processing operations as reflected in Article 25. This is an important concept closely related to the concept of Privacy by Design (PbD) explained in week 1, but with a larger scope in the context of data and privacy protection.

Data protection by design means that the controller should take appropriate measures to protect personal data from the very beginning, meaning the design stage or the moment that the means of data processing are decided upon. The controller should design and implement appropriate technical and organisational measures to implement data protection principles, taking into account:

  • The state of the art (the most recent stage of the design);
  • The cost of implementation;
  • Nature, scope, context and purposes of processing;
  • The risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

Furthermore, by design means that both technical and organisational measures need to be effective and that the necessary safeguards are integrated. An example of an effective measure as mentioned in Article 25 is pseudonymisation. Pseudonymisation substitutes the identity of the data subject in such a way that additional information is required to re-identify a data subject. Such measures may also include anonymisation, which irreversibly destroys any way of identifying the data subject.

Data protection by default means that, by default, technical and organisational measures need to be taken to ensure that only personal data which are necessary for a specific purpose are processed. This obligation covers the amount of data collected, extent of processing, storage period and accessibility. This means that, by default, the less personal data that are processed, the better. This obligation includes that, by default, personal data are not accessible without the data subject’s intervention.
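The pseudonymisation and data-minimisation measures described above can be sketched in code. This is an added example, not part of the course material: the record fields, the "enrolment statistics" purpose and the choice of HMAC-SHA256 as the pseudonymisation method are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names and fields are illustrative only.
RECORDS = [
    {"email": "alice@example.org", "name": "Alice", "postcode": "9712 CP", "course": "GDPR"},
    {"email": "bob@example.org", "name": "Bob", "postcode": "9747 AG", "course": "GDPR"},
    {"email": "Alice@example.org ", "name": "Alice", "postcode": "9712 CP", "course": "Privacy"},
]

# Fields needed for the (hypothetical) purpose "course enrolment statistics".
NEEDED_FIELDS = {"course"}


def make_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable for one key, not recomputable without it."""
    # A plain unkeyed hash of an e-mail address could be reversed by guessing.
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key, id_field="email", keep=NEEDED_FIELDS):
    """Return (dataset, lookup). The lookup is the 'additional information'
    and must be stored apart from the dataset, under separate access control."""
    dataset, lookup = [], {}
    for rec in records:
        token = make_token(rec[id_field], key)
        lookup[token] = rec[id_field].strip().lower()
        row = {k: v for k, v in rec.items() if k in keep}  # minimise by default
        row["subject"] = token
        dataset.append(row)
    return dataset, lookup


def reidentify(token, lookup):
    """Only possible for whoever holds the separately stored lookup."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, outside the dataset
    dataset, lookup = pseudonymise(RECORDS, key)
    for row in dataset:
        print(row)
    print(reidentify(dataset[0]["subject"], lookup))
```

Destroying the key and the lookup removes this route to re-identification, but the result is anonymous only if the remaining fields cannot single a person out.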

If you are interested in this topic and want to learn more, you can read the two articles listed below.

This article is from the free online course Understanding the GDPR.
