Organisations often overlook data protection by design and default (DPbDD) when they are considering their UK GDPR compliance obligations. This is understandable, as DPbDD is an intangible, all-pervading concept that can be difficult to translate into specific actions, particularly compared to other discrete requirements of the UK General Data Protection Regulation (UK GDPR). However, there is a dedicated section in the UK GDPR about DPbDD (Article 25) and extensive guidance published by the Information Commissioner’s Office (ICO).
In essence, DPbDD involves considering data protection and privacy issues upfront in everything you do. This means you have to integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.
DPbDD is a general concept of the UK GDPR regime, but also a specific requirement under Article 25 of Assimilated Regulation (EU) 2016/679 (UK GDPR):
Article 25(1) contains the data protection by design obligation
Article 25(2) covers data protection by default
This is supplemented by Recital 78, although much of this repeats the substantive content in Article 25.
The UK GDPR can be difficult