Data Protection by Design and by Default (Article 25)
Data Protection by Design and by Default, enshrined in Article 25 of the General Data Protection Regulation (GDPR), is a foundational principle that requires organizations to embed privacy considerations into the very fabric of their data processing activities, rather than treating them as an afterthought.

**Data Protection by Design** mandates that controllers implement appropriate technical and organizational measures at the time of determining the means for processing and during the processing itself. This means that from the earliest stages of designing a system, product, or service, organizations must proactively consider data protection principles such as data minimization, purpose limitation, accuracy, and storage limitation. Measures may include pseudonymization, encryption, access controls, and privacy-enhancing technologies. The controller must consider the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals.

**Data Protection by Default** requires that, by default, only personal data that is necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the storage period, and accessibility. For example, a social media platform should default to the most privacy-friendly settings, rather than requiring users to manually restrict data sharing. Personal data should not be made accessible to an indefinite number of people without the individual's intervention.
Article 25 also encourages the use of approved certification mechanisms (under Article 42) as an element to demonstrate compliance with these requirements. This provides organizations with a practical framework for accountability. The significance of this article lies in shifting the paradigm from reactive compliance to proactive privacy integration. It holds controllers accountable for ensuring that privacy is a core component throughout the entire data lifecycle, reinforcing the GDPR's overarching goal of protecting individuals' fundamental rights and freedoms regarding their personal data.
Data Protection by Design and by Default (Article 25) – Complete Guide
Introduction
Data Protection by Design and by Default is one of the most foundational principles embedded in the General Data Protection Regulation (GDPR). Codified in Article 25, this principle requires data controllers to integrate data protection safeguards into the very fabric of their processing activities — from the earliest stages of system design through to the entire lifecycle of data processing. For anyone preparing for the CIPP/E exam, a thorough understanding of this article is essential, as it frequently appears in scenario-based and conceptual questions.
Why Is Data Protection by Design and by Default Important?
The importance of Article 25 cannot be overstated for several key reasons:
1. Proactive Rather Than Reactive: Traditional approaches to data protection often involved addressing problems after they occurred. Article 25 shifts the paradigm by requiring organisations to anticipate risks and embed protections from the outset, reducing the likelihood and impact of data breaches and privacy violations rather than remedying them afterwards.
2. Accountability in Practice: Article 25 is a practical expression of the broader accountability principle found in Article 5(2) and Article 24 of the GDPR. It demonstrates that accountability is not merely a theoretical obligation — controllers must take concrete, demonstrable steps to protect personal data.
3. Trust and Compliance: Organisations that adopt data protection by design and by default build greater trust with data subjects, regulators, and business partners. It signals a commitment to privacy that goes beyond minimum legal compliance.
4. Minimising Harm: By embedding safeguards such as data minimisation, pseudonymisation, and access controls from the design phase, organisations reduce the volume and sensitivity of data exposed in any potential incident.
5. Regulatory Enforcement: Supervisory authorities can — and do — take enforcement action against controllers that fail to implement data protection by design and by default. Fines under Article 83(4) GDPR can reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
What Is Data Protection by Design and by Default?
Article 25 contains two distinct but complementary obligations:
Article 25(1) — Data Protection by Design
This requires the controller, taking into account:
- The state of the art (current technological developments)
- The cost of implementation
- The nature, scope, context, and purposes of the processing
- The risks of varying likelihood and severity for the rights and freedoms of natural persons
…to implement appropriate technical and organisational measures (such as pseudonymisation) designed to implement data protection principles (such as data minimisation) in an effective manner, and to integrate the necessary safeguards into the processing.
Crucially, this obligation applies both at the time of the determination of the means for processing (i.e., the design phase) and at the time of the processing itself. This means data protection by design is not a one-time exercise — it must be maintained throughout the processing lifecycle.
Article 25(2) — Data Protection by Default
This requires the controller to implement appropriate technical and organisational measures to ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This applies to:
- The amount of personal data collected
- The extent of processing
- The period of storage
- The accessibility of personal data
In particular, such measures shall ensure that by default personal data is not made accessible without the individual's intervention to an indefinite number of natural persons.
In practical terms, this means that the most privacy-friendly settings should be the default — users should not have to take action to protect their privacy; protection should be the starting point.
Article 25(3) — Certification as a Demonstration of Compliance
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements of Article 25(1) and (2). This provides controllers with a practical tool for evidencing their compliance efforts.
How Does It Work in Practice?
Implementing data protection by design and by default involves several practical steps and considerations:
1. Early Integration in System Design
When designing a new product, service, application, or processing operation, the controller should conduct a thorough assessment of privacy impacts from the outset. This often overlaps with conducting a Data Protection Impact Assessment (DPIA) under Article 35, especially for high-risk processing.
2. Technical Measures
Examples include:
- Pseudonymisation — replacing identifying information with artificial identifiers
- Encryption — protecting data at rest and in transit
- Access controls — limiting who can access personal data on a need-to-know basis
- Automated deletion — configuring systems to delete data after the retention period expires
- Data minimisation architectures — designing systems that collect only what is strictly necessary
3. Organisational Measures
Examples include:
- Privacy policies and training for staff
- Internal governance frameworks for data protection
- Privacy-aware procurement processes — ensuring vendors and third-party systems also comply
- Regular audits and reviews of processing activities
4. Default Settings
- Social media profiles should be set to the most private settings by default
- Marketing opt-ins should not be pre-ticked
- Data sharing features should be switched off unless the user actively enables them
- Only the minimum data fields should be mandatory in forms
5. Lifecycle Approach
Data protection by design is not a one-time checkbox. Controllers must continually assess and update their measures as technology evolves, as processing activities change, and as new risks emerge.
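As an added illustration that is not part of the original guide, the following code fixes the four Article 25(2) dimensions (amount, extent, storage period, accessibility) per processing purpose and shows the pseudonymisation measure from step 2; the purpose register, field names, retention periods and the HMAC-based pseudonymisation are constructed assumptions, not a reference implementation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac


@dataclass(frozen=True)
class Purpose:
    """Hypothetical purpose register entry (constructed for this example):
    each purpose fixes the four Article 25(2) dimensions before any data flows."""
    fields: frozenset        # amount of personal data collected
    operations: frozenset    # extent of processing
    retention_days: int      # period of storage
    default_visibility: str  # accessibility


PURPOSES = {
    "account": Purpose(frozenset({"email", "display_name"}),
                       frozenset({"authenticate"}), 365 * 3, "private"),
    "newsletter": Purpose(frozenset({"email"}),
                          frozenset({"send_mail"}), 365, "private"),
}


def collect(purpose_name, submitted, today):
    """Keep only the fields the named purpose needs; extra fields are dropped,
    not stored. The deletion date and default visibility travel with the record."""
    p = PURPOSES[purpose_name]
    record = {k: v for k, v in submitted.items() if k in p.fields}
    record["_purpose"] = purpose_name
    record["_delete_on"] = (today + timedelta(days=p.retention_days)).isoformat()
    record["_visibility"] = p.default_visibility  # never public unless the user changes it
    return record


def is_permitted(purpose_name, operation):
    """Extent of processing: an operation outside the purpose's list is refused."""
    return operation in PURPOSES[purpose_name].operations


def is_expired(record, today):
    """Storage limitation: drives automated deletion once the retention period ends."""
    return date.fromisoformat(record["_delete_on"]) <= today


def default_settings():
    """Most privacy-friendly starting point: no pre-ticked opt-ins, sharing off."""
    return {"profile_visibility": "private", "marketing_opt_in": False,
            "share_with_partners": False}


def pseudonymise(identifier, secret):
    """Keyed hash: re-linking to the real identifier requires the separately held secret."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()
```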
Key Relationships with Other GDPR Provisions
Understanding how Article 25 interrelates with other provisions is critical for the CIPP/E exam:
- Article 5 (Principles): Article 25 operationalises the principles, particularly data minimisation (Article 5(1)(c)), purpose limitation (Article 5(1)(b)), and storage limitation (Article 5(1)(e)).
- Article 24 (Responsibility of the Controller): Article 25 is a specific expression of the controller's general obligation to implement appropriate measures.
- Article 35 (DPIA): DPIAs and data protection by design are closely linked — a DPIA may reveal the need for specific design-level safeguards.
- Article 42 (Certification): Certification can serve as evidence of Article 25 compliance.
- Recital 78: Provides additional context, encouraging producers of products, services, and applications to take data protection into account during development, enabling controllers and processors to fulfil their obligations.
The Role of Recital 78
Recital 78 is particularly noteworthy because it extends the spirit (though not the legal obligation) of data protection by design to producers and developers of products, services, and applications. While Article 25 formally applies to controllers, Recital 78 encourages the broader technology ecosystem to embed privacy considerations into product development. This is a popular exam point.
EDPB Guidelines on Article 25
The European Data Protection Board (EDPB) has issued Guidelines 4/2019 on Article 25 — Data Protection by Design and by Default. Key takeaways from these guidelines include:
- Data protection by design requires implementing all data protection principles from Article 5, not just data minimisation
- The concept of effectiveness is central — measures must actually work, not merely exist on paper
- Controllers must be able to demonstrate that their measures are effective (linking back to accountability)
- The assessment of appropriate measures involves a balancing exercise considering state of the art, cost, nature/scope/context/purposes, and risks
- Key design and default elements highlighted include: transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability
Common Exam Scenarios
The CIPP/E exam may present scenarios such as:
- A company launching a new app that collects excessive data by default — violation of Article 25(2)
- A social media platform with public-facing profiles as the default setting — violation of data protection by default
- An organisation that implements encryption and pseudonymisation during the design of a new HR system — example of compliance with Article 25(1)
- A question asking which article specifically addresses embedding safeguards into processing — Article 25
- A scenario involving a product manufacturer building privacy features into a device — relates to Recital 78
Exam Tips: Answering Questions on Data Protection by Design and by Default (Article 25)
Tip 1: Distinguish Between 'By Design' and 'By Default'
These are two separate obligations. By design focuses on embedding safeguards into the processing from the design stage onward. By default focuses on ensuring the most privacy-protective settings are applied automatically without requiring user action. Know which is which, because the exam may test your ability to distinguish them in a scenario.
Tip 2: Remember the Factors in the Balancing Test
Article 25(1) does not require perfection — it requires appropriate measures considering: state of the art, cost of implementation, nature/scope/context/purposes, and risk. If a question asks what a controller should consider when deciding on measures, these are the factors to cite.
Tip 3: Know That Article 25 Applies to Controllers, Not Processors
The legal obligation under Article 25 falls on the controller. While processors must comply with security obligations under Article 32, Article 25 is specifically directed at controllers. However, remember that Recital 78 encourages producers and developers to also consider these principles.
Tip 4: Link Article 25 to the Accountability Principle
If a question asks about how a controller can demonstrate compliance with GDPR principles, Article 25 is a key part of the answer, alongside Article 24 and Article 5(2). Data protection by design is a practical manifestation of accountability.
Tip 5: Remember the Four Dimensions of 'By Default'
Article 25(2) specifically addresses four dimensions: (1) amount of data collected, (2) extent of processing, (3) period of storage, and (4) accessibility. If a scenario question involves any of these being excessive by default, think Article 25(2).
Tip 6: Pseudonymisation Is the Explicitly Named Measure
Article 25(1) specifically mentions pseudonymisation as an example of an appropriate technical measure. This is the only specific measure named in the article itself. If a question asks what technical measure is explicitly referenced in Article 25, the answer is pseudonymisation.
Tip 7: Certification Under Article 42 Can Demonstrate Compliance
Article 25(3) states that an approved certification mechanism under Article 42 can be used as an element to demonstrate compliance. This is a detail the exam may test, particularly in questions about how organisations can evidence their compliance efforts.
Tip 8: Timing Matters — Design Phase AND Processing Phase
A critical detail is that Article 25(1) applies both at the time of determining the means for processing and at the time of the processing itself. This means compliance is not a one-off event but an ongoing obligation. Watch for questions that suggest compliance is only required at the design stage — this is incorrect.
Tip 9: Data Minimisation Is the Core Principle Expressed by Default
While Article 25 applies to all GDPR principles, data minimisation is the most closely associated principle with both 'by design' and 'by default.' If a scenario describes a system collecting more data than necessary, link it to Article 25 and Article 5(1)(c).
Tip 10: Watch for Recital 78 Questions
The exam may test your knowledge of Recital 78, which extends the concept to product developers and manufacturers. Remember: Recital 78 is not a legally binding obligation on developers, but it reflects the GDPR's encouragement for the broader ecosystem to embed privacy considerations. If a question mentions a technology manufacturer, think Recital 78.
Tip 11: Enforcement and Sanctions
Violations of Article 25 are subject to administrative fines under Article 83(4) — up to €10 million or 2% of total worldwide annual turnover, whichever is higher. This is the lower tier of fines. Do not confuse this with the higher tier under Article 83(5) (up to €20 million or 4%).
Tip 12: Use Process of Elimination
In multiple-choice questions, if a scenario describes an organisation failing to limit data collection by default or failing to embed privacy considerations during the development of a system, and the answer options include Article 25, this is very likely the correct answer. Eliminate options that refer to obligations not related to design or default settings.
Summary
Article 25 of the GDPR is a cornerstone provision that transforms data protection from a compliance afterthought into a fundamental design requirement. Data Protection by Design mandates proactive integration of safeguards from the earliest stages of planning, while Data Protection by Default ensures that the most privacy-friendly settings are automatically applied. Together, they operationalise the GDPR's accountability principle and help ensure that the rights of data subjects are protected throughout the entire data processing lifecycle. For the CIPP/E exam, focus on understanding the two distinct obligations, the balancing test factors, the role of pseudonymisation, the four dimensions of default settings, the link to accountability, and the enforcement framework under Article 83(4).