Skip to content Skip to footer

Loading Results

Data protection by design and by default

With the implementation of the GDPR in May 2018, data protection and privacy are now taking centre stage for many businesses, both at the time of capturing data and the processing and use of the data thereafter.

As such, one of the key areas is for businesses and data controllers to place data protection at the core of all of their systems and processes - data by design and default. 

Article 25 of the GDPR states: 

“the controller shall, both at the time of the determination ofthe means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures, [...], which are designed to implement data protection principles.”


Need for change 

The EU Data Protection Directive did not explicitly include privacy by design. However, given that the right to privacy is a fundamental element of the European Convention on Human Rights, it was clear that those designing technology ought to consider privacy as part of their product design. In the same way that they would take measures to not discriminate on the basis of race or gender as part of that process, so too should they ensure data privacy is upheld and data is protected. 


The principle 

The principle of privacy by design and by default is consistent with, and an extension of, the requirement for data minimisation under Article 5 of the GDPR. This means that systems and technology should be designed in such a way so as to ensure that: (i) data processing is limited to what is necessary for the purpose for which the data was collected; and, (ii) only those within an organisation who need to access the personal data can do so.

Designing technology with data protection at the core, and ensuring restricted access to the data, should be the default position. 



The GDPR provides for a voluntary certification by which entities can demonstrate compliance with the principles of design and default by way of data protection seals and marks. Given that the privacy rights that the GDPR promotes are likely to change the expectations of citizens, when considering future products, such a proposal provides for a commercial advantage to those that choose to obtain these seals and marks, rather than just a regulatory obligation – again furthering the principle that the subjects are champions of the data.

Designing technology with data protection at the core, and ensuring restricted access to the data, is a fundamental shift in thinking. Internal processes and procedures need to be adapted to promote these principles and ensure that data protection is “baked in” to to the sue of data moving forward.


David Cook is a specialist Cyber Security and Data Protection solicitor. Over the next 10 weeks he will be sharing his insight on GDPR and helping you to prepare your business for the new legislation. You can contact David on or call 0161 245 2485 

Contact us

General Enquiries

North, PwC United Kingdom

Media Enquiries

North, PwC United Kingdom

Tel: +44 (0)7841 468175

Follow us