Please ensure Javascript is enabled for purposes of website accessibility

By design and by default.

Protection of personal data means a built-in privacy and a risk management mechanism
Tens of articles on the protection of personal data begin with these words:
In May 2020, it was two years since the the GDPR entered into effect...

This spring that had the pandemic, the quarantine, the isolation and the forced transition to remote working changed user expectations.

Still, the issue of compliance with the requirements of the Regulation did not become secondary; on the contrary, it is one of the most important issues for the developers, lawyers and users. Many online businesses now have a very heavy load on their systems that they can barely support and ask themselves: “Why did not we do it earlier? Why did not we embed protection of personal data as the basis of our business at the earliest stage of development? Why did not we think about protecting user data by design and by default?”


In May 2020, it was two years since the coming into effect by the GDPR – it is a EU regulation that provides EU residents with controls over their personal data.

One of the GDPR Articles, namely, Article 25 sets forth the following requirements to online businesses: the creation of the system with a built-in protection of user personal data and the Privacy by Design and by Default system.

What does it mean?

The history of the “privacy by design and privacy by default” term began in the 1990s when the world only started to have thoughts that once protection of personal data would become a cornerstone of the entire online activities.

In 2009, Ann Cavoukian, Ontario Special Commissioner for Information and Personal Data Protection published the document entitled “Privacy by Design. The 7 Foundational Principles.” This document emphasizes that an online business must pay attention to the matters of the life cycle of users’ personal data. This process begins as early as at the stage of design. Such protection would ensure to the user a reliable retention and timely deletion of their data. Privacy by design ensures a continuous and safe management of the data life cycle and must operate not damaging the business.

The principles set forth in this document are effective even now. They are not only effective but represent a form of protection philosophy of personal data on the network:

They are listed below:
1. To apply preventive measures and not just eliminate the consequences
2. To use the privacy by default principle
3. To profess privacy by design
4. To ensure functionality at a mutual benefit, both to the business and to the user
5. To protect personal data over the entire cycle of their collection, storage, processing and deletion
6. Accessibility and transparency
7. To have respect for privacy The system must be user-oriented

The privacy by design and privacy by default principles drafted by Cavoukian today are the standard in the field of personal data protection.

What does privacy by design mean?

Primarily, it is the design stage. The system of personal data protection must be built in all processes at the earliest stage of development. In this case, this system must be continuously supported at all stages of design and functioning.

Privacy by design means an obligation that a business undertakes with respect to protecting personal data. This obligation envisages foreseeing the privacy-related risks in advance in all business actions, decisions and forecasts.
The privacy by design philosophy is in that the best way of mitigating privacy risks is not to create them.

What is behind privacy by default?

Privacy by default means that, by default, the user, when interacting with a business, should not take any steps to protect their privacy. Privacy must be available by default.

Privacy by default means that the principle of privacy by design must be included by default in any system or business so that personal data would be automatically protected without any actions whatsoever by the user. The privacy right must be protected automatically as a default setting.

The most important elements of the privacy by design and by default approach are transparency, legitimacy, due care, limited purpose, accurateness, limited storage, integrity and confidentiality.

In effect, the privacy by design and by default philosophy goes far beyond information technologies and jurisprudence. One may say that it is apt to become the soul of development of any product: it is data protection that is built-in by design in a project and that is carefully safeguarded during the entire life cycle of the project.
In addition to that, no necessity is ensured of the person (the user) to take independent steps to protect their personal data.

In accordance with this principle, many European start-up companies gain points by this criterion alone. Privacy by design and privacy by default are the principles that enhance the investment attractiveness of a project and may be an element of a “unique selling proposition” of the company, gaining brownie points as compared to the competitors.

Today, the developers already do not have the issue of what is better, to ensure the protection of user personal data in already finished product or service or include privacy in the system by design originally. Privacy by design and privacy by default have become not just a professional principle of the developer but also their philosophy.

Going back to the legal aspect of the privacy by design and privacy by default principle, it is worth noting that Article 25 of the GDPR sets forth special requirements to ensuring the protection of personal data by design and of confidentiality by default.

For example, in late 2019, the German Deutsche Wohnen SE company was fined for 14.5 million euro referencing Article 25 of the GDPR.
This real estate company stored archives of personal data of the leaseholders, not ensuring the possibility of deleting these data. The system design did not include a verification for admissibility of further retaining the data.

As such, the data were stored for years but no longer served the purposes for which they were collected. These were the data about the financial position of natural persons, their payment of taxes, social security and medical insurance etc.
The source of the problem of the company was the fact that privacy by design and privacy by default was not included in the system at the initial stage of design.

Today, to comply with the requirements of Article 25 of the GDPR and to avoid big fines, each online business has to analyze the manner, places and times of processing user personal data. Aside from that, it shall ensure the privacy right of each person at each stage of data processing, beginning with the initial stage of design.