
Privacy-by-design vs. privacy-by-default

Have you heard of the principles “privacy-by-design” and “privacy-by-default”? Why are they so important for data protection? What is the difference between privacy-by-design and privacy-by-default?

Let’s take a look at each principle and make sure you understand and are applying both in your business.


“Privacy-by-default” (or “data protection by default”) refers to the principle that you should automatically enable and apply privacy settings and protections when people use your product or service for the first time. A person should not have to opt in or configure them.

Default settings and policies should:

  • Prioritize the protection of users’ personal information
  • Limit the collection and use of data to the minimum necessary


“Privacy-by-design” (or “data protection by design”) refers to the principle that you should integrate privacy considerations into the design and development of products, services, and systems from the earliest stages. They should not be added as an afterthought.

This means you should:

  • Identify and mitigate privacy risks
  • Build data protection into the product or service from the ground up


GDPR & privacy by design and default

Many regulations and laws across the world, like GDPR, CCPA, and PDPA, require companies to put the principles of privacy by design and default into their products and apps.

However, regulations allow companies to determine which specific protective measures they should “build in” and exactly how settings must be configured.

This leaves a lot of companies confused about how to apply these principles in practice. Let’s look at a few examples that can help you.

Examples of privacy-by-default

Here are some examples of how you can use the principle of privacy by default at your company for data protection:

  • Minimize the personal data you store
  • Limit collection of personal data to what you need
  • Use opt-in consents like unchecked consent boxes
  • Give users clear and accurate info about your data processing activities
  • Do not make your Yes buttons more prominent than your No buttons
  • Do not give misleading information when getting consent
  • Avoid other dark patterns when getting consent
  • Do not require people to accept data processing or cookies to use your website
  • Do not make personal data publicly available automatically

Examples of privacy-by-design

Here are some examples of how you can use the principle of privacy-by-design in your business and services, and in the solutions you use for data protection:

  • Schedule regular privacy risk assessments
  • Use pseudonymisation and encryption
  • Set up a process to catch all data subjects’ rights requests and fulfill them
  • Set a reasonable data retention period
  • Auto-delete or anonymize personal data you no longer need


Data protection by design and default in practice

Data protection by design and data protection by default are complementary principles. Put both into practice by:

  1. Making sure data protection is built into your tools, systems, and processes
  2. Making it easy and automatic for people to choose privacy when they deal with you, your website, your services, etc.

At Safe Online, we have created the GDPR platform PrivacyHub, which is based on these principles. PrivacyHub includes these three tools:

DataMapper - find your sensitive data
ShareSimple - send and receive data securely in Outlook
RequestManager - process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist