v2026.1714 entries · CC-BY 4.0
Dictionary term · Track D · Stable · v2026.2

Privacy by design

The obligation under Article 25 of the GDPR for a controller to implement appropriate technical and organisational measures at the time of determination of the means of processing and at the time of processing itself in order to implement data-protection principles effectively and integrate the necessary safeguards into the processing.

By CASRAI Editorial Board · Last updated 21 May 2026

Examples

Worked examples

  • Is an instance

    A research-platform development team integrates pseudonymisation and role-based access controls into the build pipeline rather than retrofitting them after deployment.

  • Is an instance

    A new survey tool is configured so that responses are stored without contact details by default, with linkage to identifiers requiring an explicit opt-in.

Counter-examples

Looks similar, but isn't

  • Not an instance

    Adding a privacy notice to an existing system without altering the underlying data flows or controls is not, by itself, privacy by design.

  • Not an instance

    A purely paper-based, ad-hoc privacy review at the end of a project lifecycle does not satisfy Article 25's lifecycle requirement.

Editorial commentary

Article 25 codifies data protection by design and by default as legal obligations, not merely best practice. By design means privacy considerations are embedded throughout the lifecycle of the processing, including at the architecture and procurement stages. By default means that only personal data necessary for each specific purpose are processed, that the extent of processing, period of storage, and accessibility are minimised, and that, in particular, such data are not made accessible without the individual's intervention to an indefinite number of natural persons. Concrete measures include pseudonymisation, access controls, encryption, data-minimisation review, secure-development practices, default-private settings, and built-in logging for accountability.

References

  • GDPR Regulation (EU) 2016/679 Article 25 Data protection by design and by default
  • European Data Protection Board Guidelines 4/2019 on Article 25
  • ENISA Privacy and Data Protection by Design report

Also known as

data protection by design · data protection by default · PbD

Machine-readable encodings

Use in your systems

JATS XML <role> element
xml
<role vocab="credit"
      vocab-identifier="https://casrai.org/dictionary/"
      vocab-term="Privacy by design"
      vocab-term-identifier="https://casrai.org/dictionary/term/privacy-by-design" />
Schema.org DefinedTerm (JSON-LD)
json
{
  "@context": "https://schema.org",
  "@type": "DefinedTerm",
  "name": "Privacy by design",
  "identifier": "https://casrai.org/dictionary/term/privacy-by-design",
  "description": "The obligation under Article 25 of the GDPR for a controller to implement appropriate technical and organisational measures at the time of determination of the means of processing and at the time of processing itself in order to implement data-protection principles effectively and integrate the necessary safeguards into the processing.",
  "inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
  "url": "https://casrai.org/dictionary/term/privacy-by-design",
  "sameAs": [
    "data protection by design",
    "data protection by default",
    "PbD"
  ],
  "license": "https://creativecommons.org/licenses/by/4.0/"
}
