Skip to main content

Two types of protection of personal data

In a world where our lives are increasingly digitised, the protection of our personal information is central. Two key terms that are often thrown around are “Privacy-by-default” and “Privacy-by-design”. These terms represent two different approaches to protecting our personal data online. This blog is about these two concepts, as understanding them is essential to navigating the complex landscape of digital services and technologies.


“Privacy-by-default”  (or “data protection by default”) refers to the principle that you should automatically enable and apply privacy settings and protections when people use your product or service for the first time. A person should not have to opt-in or configure them. Default settings and policies should:

  • Prioritise the protection of users’ personal information
  • Limit the collection and use of data to the minimum necessary


“Privacy-by-design” (or “data protection by design”) refers to the principle that you should integrate privacy considerations into the design and development of products, services, and systems from the earliest stages. They should not be added as an afterthought. This means you should:

  • Identify and mitigate privacy risks
  • Build data protection into the product or service from the ground up

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

GDPR & privacy by design and default

Many data regulations and laws across the world, like GDPR, CCPA, and PDPA, require companies to put the principles of privacy by design and default into their products and apps. However, regulations allow companies to determine which specific protective measures they should “build in” and exactly how settings must be configured. This leaves a lot of companies confused about how to apply these principles in practice. Let’s look at a few examples that can help you.

Examples of privacy-by-default

Here are some examples of how you can use the principle of privacy by default at your company for data protection:

  • Minimise the personal data you store
  • Limit collection of personal data to what you need
  • Use opt-in consents like unchecked consent boxes.
  • Give users clear and accurate info about your data processing activities.
  • Do not make your Yes buttons more prominent than your No buttons.
  • Do not give misleading information when getting consent.
  • Avoid other dark patterns when getting consent.
  • Do not require people to accept data processing or cookies to use your website.
  • Do not make personal data publicly available automatically.

Examples of privacy-by-design

Here are some examples of how you can use principle of privacy-by-design in your business and services, and the solutions you use for data protection:

  • Schedule regular privacy risk assessments
  • Use pseudonymisation and encryption
  • Set up to catch all data subjects’ rights requests and fulfill them
  • Set a reasonable data retention period
  • Auto-delete or anonymise personal data you no longer need

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Data protection by design and default in practice

Data protection by design and default are complementary principles. Put both in practice by:

  1. Ensure that data protection is built into your tools, systems and processes
  2. Make it easy and automatic for people to protect their data when they shop with you, are on your website, use your services, etc.
  3. Build your policies and practices on these principles. The same applies to the software you use, regardless of whether you develop it yourself or subscribe to it.

At Safe Online, we have created the GDPR platform PrivacyHub, which is based on these principles. PrivacyHub includes these three tools:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit