Data protection by design and default

Copyright © 2025 LexisNexis

Data protection by design and default (DPbDD) is often overlooked by organisations when they are considering their UK GDPR compliance obligations. This is understandable, as DPbDD is an intangible, all pervading concept that can be difficult to translate into specific actions, particularly compared to other discrete requirements of the UK General Data Protection Regulation (UK GDPR). However, there is a dedicated section in the UK GDPR about DPbDD (Article 25) and extensive guidance published by the European Data Protection Board (EDPB) and Information Commissioner’s Office (ICO):

  1. ICO: UK GDPR guidance and resources—Data protection by design and default

  2. EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default—according to the ICO, these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, however they may still provide helpful guidance on certain issues

In essence, DPbDD involves considering data protection and privacy issues upfront in everything you do. This means you have to integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.

UK GDPR requirements

DPbDD

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Practice Compliance News

Practice Compliance weekly highlights—2 October 2025

This week's edition of Practice Compliance weekly highlights includes OFSI’s penalty on Colorcon for Russia sanctions breaches, OFSI’s new and updated General Licences and an update to the OFSI UK Financial Sanctions FAQs. We also cover EU pressure on member states to implement new AML rules, the NCA and Law Society campaign against payment diversion fraud and a High Court ruling restricting unqualified employees from conducting litigation.

NCA and Law Society launch campaign targeting payment diversion fraud in property transactions

The National Crime Agency (NCA) and The Law Society have launched a joint campaign aimed at solicitors and conveyancers to address payment diversion fraud in property transactions. The campaign, delivered with the Home Office's national Stop! Think Fraud initiative, highlights risks where criminals intercept and redirect legitimate property purchase funds by impersonating solicitors, estate agents or buyers through fraudulent contact. The campaign provides practical guidance including checking by calling before transferring money, testing accounts with small sums, and never transferring money until details are verified as correct. The initiative includes an information sheet and social media campaign across NCA and Law Society platforms.

Six in ten SMEs hit by cyberattack in 2025, Hiscox says

Law360, London: Some 59% of small and midsized enterprises have said they experienced a cyberattack in 2025, Hiscox said on 30 September 2025, highlighting the evolving threat posed by criminals adapting to new technologies to exploit businesses. The insurer stated in its annual cyber-readiness report that 33% of SMEs said they were hit with a substantial fine following an attack or a data breach. Companies face fines by regulatory bodies such as the Information Commissioner's Office after such incidents for failing to protect data and privacy.

LeO publishes second set of public interest decisions

The Legal Ombudsman (LeO) has published its second set of public interest decisions, reaffirming its commitment to transparency and the improvement of legal service standards. This latest publication includes ten decisions highlighting serious service failings across various legal areas, including immigration, conveyancing, family law and litigation. Recurring issues identified in these cases include missed deadlines, poor communication, inaccurate cost estimates and actions taken without client consent. LeO introduced routine publication of these decisions this year to enhance transparency, strengthen accountability and curb recurring issues in legal services.

View Practice Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of
If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of