Privacy by design and privacy by default

Data Protection By Default and By Design is one of the key principles in GDPR, as stated by Article 25 and recital 78 (Appropriate Technical and Organisational Measures). Article 25 GDPR actually focuses on the implementation of the data protection principles stated in Article 5 GDPR through a proactive approach. It mentions that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. Thus, according to Article 25 GDPR, data protection must be thought of as ex-ante.

Privacy by design is a concept first mentioned in 1995 by Ann Cavoukian, former Information & Privacy Commissioner, Ontario, Canada, and it encompasses 7 principles:

Her work shaped the modern privacy and personal data protection regulations today.

You can find more information at these links:

• Article 25 GDPR - Data protection by design and by default: https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/
• Article 5 GDPR - Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
• Privacy by Design - The 7 Foundational Principles: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf