Privacy-by-default and privacy-by-design

Have you heard of the principles, “privacy-by-design” and “privacy-by-default”? Why are they so important for data protection? What is the difference between privacy-by-design vs. privacy-by-default?

Let’s take a look at each principle and make sure you understand and are applying both in your business.

“Privacy-by-default”  (or “data protection by default”) refers to the principle that you should automatically enable and apply privacy settings and protections when people use your product or service for the first time. A person should not have to opt-in or configure them.

Default settings and policies should:

• Prioritize the protection of users’ personal information
• Limit the collection and use of data to the minimum necessary

“Privacy-by-design” (or “data protection by design”) refers to the principle that you should integrate privacy considerations into the design and development of products, services, and systems from the earliest stages. They should not be added as an afterthought.

This means you should:

• Identify and mitigate privacy risks
• Build data protection into the product or service from the ground up

Many regulations and laws across the world, like GDPR, CCPA, and PDPA, require companies to put the principles of privacy by design and default into their products and apps.

However, regulations allow companies to determine which specific protective measures they should “build in” and exactly how settings must be configured.

This leaves a lot of companies confused about how to apply these principles in practice. Let’s look at a few examples that can help you.

Here are some examples of how you can use the principle of privacy by default at your company for data protection:

• Minimize the personal data you store
• Limit collection of personal data to what you need
• Use opt-in consents like unchecked consent boxes.
• Give users clear and accurate info about your data processing activities.
• Do not make your Yes buttons more prominent than your No buttons.
• Do not give misleading information when getting consent.
• Avoid other dark patterns when getting consent.
• Do not require people to accept data processing or cookies to use your website.
• Do not make personal data publicly available automatically.

Here are some examples of how you can use principle of privacy-by-design in your business and services, and the solutions you use for data protection:

• Schedule regular privacy risk assessments
• Use pseudonymisation and encryption
• Set up to catch all data subjects’ rights requests and fulfill them
• Set a reasonable data retention period
• Auto-delete or anonymize personal data you no longer need

Data protection by design and default are complementary principles. Put both in practice by:

1. Making sure data protection is built into your tools, systems, and processes
2. Making it easy and automatic for people to choose privacy when they deal with you, your website, your services, etc.

Base all your policies and practices on these principles. The same goes for the software you use, whether you develop it yourself or subscribe to it.

Would you like to learn more about data protection tools based on these principles?

Read about our data protection tools.