02/02/2026
28/04/2018

Data protection by design or data protection by default?

The General Data Protection Regulation (GDPR), the European data protection law, requires all data controllers to comply with the principles of "data protection by design" and "data protection by default" (Article 25 of the GDPR). But what exactly do these principles mean?

Data protection by design versus data protection by default.

“Facebook and many other platforms offer extensive privacy settings (by design), but do not make them privacy-friendly by default.”

Pieter Pauwels

Data Protection by design.

Data protection by design means that when you develop (or purchase/configure) products, services, processes and software applications, you take privacy into account from the outset, including:

  • Purpose limitation: process data only for specified, explicit purposes.
  • Data minimisation: collect and use only what is strictly necessary.
  • Transparency: explain clearly what you do with personal data.
  • Accuracy and storage limitation.
  • Integrity and confidentiality (security).
  • Accountability: being able to demonstrate compliance.

Crucially, “by design” does not mean shifting responsibility to the user. The organisation designing the processing must select appropriate measures, considering the nature, scope, context and purposes of the processing and the risks to individuals.

Example 1: a website contact form

Data protection by design means limiting mandatory fields to what is necessary for the purpose.

  • If you need to respond, name and email are typically sufficient.
  • Asking for a phone number “just in case” is often hard to justify.
  • Free-text fields are useful, but may invite people to disclose (overly) sensitive data. Consider adding context and warnings (e.g. “please do not share medical information here”).

Example 2: pseudonymisation and encryption

Pseudonymisation is processing personal data so that it can no longer be attributed to a specific data subject without additional information. Note: pseudonymised data will generally remain personal data (as the person may still be indirectly identifiable). Where appropriate, encryption can also help reduce risks.
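A sketch of the pseudonymisation described above, added here as an illustration and not taken from the original article: direct identifiers are replaced by a keyed HMAC-SHA256 token, and the key plus lookup table are the "additional information" that has to be stored separately. The field names, sample records and helper names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = {"name", "email"}  # assumed fields removed from the working dataset

def pseudonym(email: str, key: bytes) -> str:
    """Keyed token: stable under one key, not recomputable without that key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def pseudonymise(records, key):
    """Return (content, lookup): content carries no direct identifiers,
    lookup maps token -> identifiers and must be stored apart from content."""
    content, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        row = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        content.append({"subject": token, **row})
    return content, lookup

def reidentify(row, lookup):
    """Attribution is only possible for whoever holds the lookup table."""
    return lookup.get(row["subject"])

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "plan": "basic", "tickets": 3},
    {"name": "Bob Example", "email": "bob@example.org", "plan": "pro", "tickets": 1},
    {"name": "Alice Example", "email": "ALICE@example.org", "plan": "basic", "tickets": 2},
]
KEY = secrets.token_bytes(32)  # in practice held in a separate key store

if __name__ == "__main__":
    content, lookup = pseudonymise(RECORDS, KEY)
    for row in content:
        print(row)  # same person keeps the same token, so analysis still works
    print(reidentify(content[1], lookup))  # possible with the lookup table
    print(reidentify(content[1], {}))      # None without it
```

The `plan` and `tickets` columns stay linkable per subject, which is why the content dataset remains personal data and still needs access control.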

Practical addition (evolution): privacy engineering and ‘dark patterns’

Since 2022, there has been increased attention to interface choices that nudge users towards less privacy (so-called “dark patterns” or deceptive design patterns), especially on social media and in apps. Designs that make privacy-friendly choices harder (confusing options, repeated prompts, guilt-inducing language) may undermine meaningful choice and run counter to the spirit of Article 25 GDPR.

Strategies for data protection by design

There are various strategies to implement data protection by design in practice. A widely used classification relies on eight privacy design strategies:

  • Data-oriented:
    • Minimise: minimise the data.
    • Hide: avoid unnecessary exposure of identifiers.
    • Separate: separate datasets (e.g. identifiers from content data).
    • Aggregate: generalise/aggregate where detail is not needed.
  • Process-oriented:
    • Inform: ensure transparency.
    • Control: enable real, effective choices.
    • Enforce: implement policies, roles, procedures and (where relevant) codes of conduct.
    • Demonstrate: document and demonstrate compliance (accountability).

Data protection by default.

Data protection by default means that default settings must be the most privacy-friendly. In practice, this means:

  • by default, processing only the personal data necessary for the purpose;
  • by default, keeping retention periods as short as possible;
  • by default, limiting access to those who need it;
  • by default, avoiding public sharing or “open” visibility;
  • avoiding pre-ticked boxes for additional processing.

The core idea is simple: if a user does nothing (does not click, change, or configure settings), the processing should still be as privacy-protective as possible.

Example: location

Location data can be sensitive. By default, location should not be switched on unless it is necessary for the core functionality (and provided you have an appropriate legal basis and clear transparency).

Example: social media / community platform

Many platforms provide privacy options that users can adjust later (by design), but default settings are often broad (public profiles, automatic tagging, search engine visibility, personalised ads). That is the difference: by design = options exist; by default = privacy-friendly starting point.

Legal strengthening (evolution): evidence and governance

In practice, supervisory authorities increasingly expect organisations to be able to demonstrate:

  • which design choices were made and why;
  • which risk assessment was performed (and when a DPIA is required);
  • which access rights apply and how they are enforced;
  • which default settings apply to new accounts/users;
  • how changes are tested (release management) so that updates do not unintentionally revert privacy-friendly defaults.
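One way to back the last two points with evidence, as an added example that is not part of the original article: a release check that audits the defaults applied to new accounts and reports anything a new release made less privacy-friendly. The setting names, the 30-day retention ceiling and the two sample releases are constructed assumptions.

```python
# Hypothetical setting names; each rule returns True for a privacy-friendly value.
RULES = {
    "profile_visibility": lambda v: v == "private",
    "search_engine_indexing": lambda v: v is False,
    "auto_tagging": lambda v: v is False,
    "personalised_ads": lambda v: v is False,
    "location_sharing": lambda v: v is False,
    "newsletter_opt_in": lambda v: v is False,  # no pre-ticked boxes
    "retention_days": lambda v: type(v) is int and 0 < v <= 30,  # assumed ceiling
}

def audit_defaults(defaults):
    """Return findings for a new-account defaults mapping (empty list = pass)."""
    findings = []
    for name, is_ok in RULES.items():
        if name not in defaults:
            findings.append(f"{name}: missing, default is undefined")
        elif not is_ok(defaults[name]):
            findings.append(f"{name}: {defaults[name]!r} is not the privacy-friendly default")
    # A setting nobody has ruled on yet fails closed instead of passing silently.
    for name in sorted(set(defaults) - set(RULES)):
        findings.append(f"{name}: no rule yet, needs a privacy review")
    return findings

def regressions(previous, candidate):
    """Findings introduced by the candidate release compared with the previous one."""
    before = set(audit_defaults(previous))
    return [f for f in audit_defaults(candidate) if f not in before]

# Constructed sample: defaults shipped by two consecutive releases.
RELEASE_1 = {
    "profile_visibility": "private", "search_engine_indexing": False,
    "auto_tagging": False, "personalised_ads": False, "location_sharing": False,
    "newsletter_opt_in": False, "retention_days": 30,
}
# Release 2 flips one default and adds a setting that has no rule.
RELEASE_2 = {**RELEASE_1, "profile_visibility": "public", "contact_sync": True}

if __name__ == "__main__":
    for finding in regressions(RELEASE_1, RELEASE_2):
        print("BLOCK RELEASE:", finding)
```

Run in the release pipeline, the stored output doubles as a record of which defaults applied to new accounts at each release.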

Conclusion

Article 25 GDPR requires organisations not to “fix” privacy after the fact, but to build it in upfront—both into the design of processing operations (by design) and into the standard settings users start with (by default). In practice, this means collecting less but with better justification, providing clear choices without manipulation, limiting access and retention, and—above all—being able to demonstrate which measures were taken and why.

Strong implementation of data protection by design and by default does not only reduce legal risk (complaints, enforcement, liability); it also strengthens trust with customers, employees and partners.

Disclaimer

The information on legal topics in this contribution is purely informative and general in nature, and can in no case be considered legal advice. Wanted Law accepts no liability for any damage that someone may suffer by relying on this information. If you want legal advice, you should contact a qualified lawyer who will advise you based on your personal situation. All blog posts published on the Wanted Law website are written in accordance with Belgian law.

Copyright

Wanted Law holds the exclusive copyright of this website, its design and its entire content. Use of this website, or parts thereof, in any form whatsoever is prohibited without the prior written consent of Wanted Law.
