Home » Blog » GDPR Compliance » What do Privacy by Design, and Privacy by Default mean?

What do Privacy by Design, and Privacy by Default mean?

Publié le


The principles of Privacy by Design and Privacy by Default aim to integrate privacy protection throughout the lifecycle of various technologies and applications that process personal data. 

These two principles are set out in Article 25 of the General Data Protection Regulation (GDPR) and allow for optimal protection of personal data at the design stage and in every use of a new technology.

These principles are becoming increasingly important as good practices for the processing and storage of personal data. 

Find out more in this blog post.

What is Privacy By Design?


The principle of Privacy By Design means “data protection through technology design” and requires the data controller to implement appropriate technical and organisational measures, to ensure that the requirements of the GDPR are embedded in the processing activity. In an effective manner, at the time of its initiation, as well as in its later stages (including outsourcing, development, support, maintenance, testing, storage, deletion, etc.). 

When implementing data protection by design, the controller must take into account:

  • The nature (i.e. the inherent characteristics of the processing operations), the scope (scale and range (e.g. if they concern sensitive data) of the processing operations), the context (circumstances of the processing) and the purposes/aims of the processing;
  • the current standards and capabilities of the existing technical and organisational measures, which can vary greatly;
  • their cost of implementation, including money, time and human resources; and
  • the risks of varying likelihood and severity to the rights and freedoms of natural persons deriving from the processing operations. 

Technical and organisational measures may consist of:

  • Minimising the processing of personal data;
  • Pseudonymising personal data as soon as possible;
  • Ensuring transparency with regard to the functions and processing of personal data;
  • Enable the data subject to control the processing of the data;
  • Enable the controller to put in place or improve security features.


The application of this principle therefore allows you to have a preventive approach to avoid any non-compliant use of personal data.

The difference between Privacy by Design and Privacy by Default

In order to ensure an adequate level of data protection, there is another principle to take into account: the principle of Privacy by Default.

Privacy by default is the principle according to which an organisation (the controller) ensures that only the personal data strictly necessary for each specific purpose of the processing, is processed by default (without the need for external intervention).

Thus, the controller must provide the highest level of protection to the data subjects by default, which implies that security and protection measures are taken systematically into account when processing personal data.

Going further – How to implement the Privacy By Design and Privacy by Default principles?

As a company, you are therefore encouraged to implement technical and organisational measures at the earliest stages of designing personal data processing operations, so as to safeguard privacy and data protection principles from the outset.

You should ensure that any development of an application, website, or online service should include measures to safeguard user privacy from the beginning.

With the Admeet solutions, you can quickly and easily implement your website GDPR compliance. But also easily demonstrate your compliance to the data protection authority such as the CNIL in France, and the APD in Belgium.