Privacy by design and by default – the new baseline for GDPR compliance

A lot of the electronic ink being spilled across the internet in recent weeks and months about the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) has focussed on the attention grabbing figure of fines of up to €20M or 4% of global turnover (whichever is greater) for, inter alia, various egregious GDPR offences such as non-adherence to the core principles of processing personal data, infringement of the rights of data subjects or the international transfer of personal data without adequate safeguards.

‘Online you reveal more than you think’ (c) European Commission, 2012.

Proportionally far less attention has been paid to the fact that the GDPR differs from the Data Protection Directive (95/46/EC) which it shall be replacing on 28 May 2018.  Firstly, the 1995 Directive is, just that, a Directive! Meaning that each Member State was free to adopt laws in accordance with the principles laid out in the Directive.  In practice, this meant that there were often significant differences in the way each Member State implemented and enforced the Directive.

The GDPR is a “Regulation” that has direct applicability in the national law of each EU member state simultaneously without the need for enabling national legislation to give it statutory force (NB the United Kingdom has only had to introduce the Data Protection Bill to avoid a potential regulatory interregnum once the UK ceases to be an EU Member State on 29 March 2019).  

This regulatory model has been deliberately chosen to provide a uniform, cross-EU enforcement model in relation to privacy and data breaches in an increasingly data-driven and inter-connected world that is vastly different from the time in which the 1995 Directive was adopted.

Secondly, under the GDPR (just as in the current Data Protection Directive) personal data must be protected against unauthorised access using appropriate organisational and technical measures under the 1995 Directive this only relates to data which has already been processed.

The GDPR goes much, much further then the 1995 Directive in this regard by explicitly recognising that privacy cannot be ensured only by means of legislation alone, but that it must be a fundamental component in the design and maintenance of information systems and the default modus operandi  for each data controller and processor, otherwise known as “privacy by design and privacy by default” in the Regulation.

This approach is codified in Article 25 of the GDPR which requires that personal data must be protected against unauthorised access using appropriate organisational and technical measures.  The data controller will need to ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

Data controllers should only hold and process only the data absolutely necessary for the completion of its duties (“data minimisation”), as well as limiting the access to personal data to those needing to act out the processing. Any such privacy by design measures may include, for example, pseudonymisation or other privacy-enhancing methodology. Failure to operationalise these principles can lead to a fine of up to €10M or 2% of annual global turnover, whichever is greater.

Although new as a legal requirement under the GDPR, the concepts of privacy by design and by default are not new, having been originally introduced by the Canadian Privacy Commissioner of Ontario in the 1990s.

Considering privacy from the start of the development process should lead to potential data privacy issues being identified at an earlier (and less costly stage!) and to the increase of awareness of privacy and data protection related matters throughout an organisation.


UK Information Commissioner’s Office GDPR microsite –

Gov.UK Data Protection Bill 2017 –

European Commission data protection reform –