GDPR Article 25: Privacy by Design and by Default

Article 25 of the UK GDPR requires data protection to be considered from the beginning of a project — not added as an afterthought. Privacy by Design means incorporating data protection into the design and architecture of systems. Privacy by Default means that by default, only the minimum necessary personal data is collected and processed.

What Privacy by Design Means in Practice

  • Data minimisation: Only collect personal data that is strictly necessary for the stated purpose. Don't collect fields "just in case".
  • Purpose limitation: Design systems so that personal data collected for one purpose cannot easily be repurposed.
  • Storage limitation: Design automated data retention and deletion workflows from the start.
  • Pseudonymisation: Separate identifying data from functional data where possible.
  • Access control: Build role-based access controls that limit which team members can access personal data.
  • Encryption: Personal data should be encrypted at rest and in transit by default.
  • Audit logging: Log access to personal data to support accountability.

Privacy by Default

Settings that involve personal data should default to the most privacy-protective option. Users should actively opt in to sharing more data — not opt out of sharing. For example, profile pages should default to private, marketing emails should default to opted-out, and social features should default to limited sharing.
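The following is an added example (not part of this article) showing how the measures listed above and the opt-in defaults described here look in code: a small in-memory store that refuses fields outside an assumed allow-list, keeps identifying data in a separate table keyed by an HMAC pseudonym, starts every setting at its most protective value, and audit-logs attempts to read identifying data. The field names, settings, role name and key are all assumptions for the demonstration.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Assumed allow-list: the only fields the stated purpose needs (data minimisation).
ALLOWED_FIELDS = {"email", "display_name", "country"}
# Fields that identify a person; stored apart from functional data (pseudonymisation).
IDENTIFYING_FIELDS = {"email", "display_name"}
# Privacy by default: every setting starts at its most protective value (all off).
DEFAULT_SETTINGS = {"profile_public": False, "marketing_emails": False, "share_activity": False}
# Assumed role allowed to look up identifying data (access control).
IDENTITY_READERS = {"support"}


class PrivacyStore:
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key  # secret; a leak lets identities be re-linked
        self.identity = {}         # pseudonym -> identifying data (restricted table)
        self.functional = {}       # pseudonym -> non-identifying data and settings
        self.audit_log = []        # who tried to read identifying data, and whether allowed

    def pseudonym(self, email: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key, an email cannot be
        # turned into its pseudonym, so the functional table does not identify anyone.
        return hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

    def register(self, record: dict) -> str:
        extra = set(record) - ALLOWED_FIELDS
        if extra:  # refuse "just in case" fields instead of silently keeping them
            raise ValueError(f"fields not needed for the stated purpose: {sorted(extra)}")
        pid = self.pseudonym(record["email"])
        self.identity[pid] = {k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}
        self.functional[pid] = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        self.functional[pid]["settings"] = dict(DEFAULT_SETTINGS)
        return pid

    def opt_in(self, pid: str, setting: str) -> None:
        # The only way a setting becomes less protective is an explicit user opt-in.
        if setting not in DEFAULT_SETTINGS:
            raise KeyError(setting)
        self.functional[pid]["settings"][setting] = True

    def read_identity(self, pid: str, actor: str, role: str) -> dict:
        allowed = role in IDENTITY_READERS
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, role, pid, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read identifying data")
        return self.identity[pid]
```

Denied reads are logged as well as permitted ones, so the audit trail supports accountability rather than only recording successful access.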

Our Process

We include a Data Protection Impact Assessment (DPIA) review as part of the design phase for systems handling personal data, and we produce privacy architecture documentation suitable for your DPO and ICO.