Data protection by design and default

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Data protection by design and default
  • UK GDPR requirements
  • Data protection by design—regulatory requirements
  • What are you required to do?
  • When does this obligation apply
  • Factors to take into account
  • Data protection by default—regulatory requirements
  • What are you required to do?
  • What does default mean?
  • When does this obligation apply?

Data protection by design and default

Data protection by design and default (DPbDD) is often overlooked by organisations when considering their UK GDPR compliance obligations. This is understandable, as DPbDD is an intangible, all-pervading concept that can be difficult to translate into specific actions, particularly compared to other discrete requirements of the UK GDPR. However, there is a dedicated section in the UK GDPR about DPbDD (Article 25) and extensive guidance published by the European Data Protection Board (EDPB) and Information Commissioner’s Office (ICO):

  1. ICO, Guide to the UK GDPR, Data protection by design and default

  2. EDPB, Guidelines 4/2019 Article 25 Data Protection by Design and by Default—according to the ICO, these guidelines are no longer directly relevant to the UK regime and are not binding under it; however, they may still provide helpful guidance on certain issues

In essence, DPbDD involves considering data protection and privacy issues upfront in everything you do. This means you have to integrate or ‘bake-in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

UK GDPR requirements

DPbDD is a general concept of the UK GDPR regime, but also a specific requirement under Article 25:

  1. Article 25(1) contains the data protection by design obligation—see below Data protection by design—regulatory requirements

  2. Article 25(2) covers data protection by default—see below Data protection by
