Data protection by design and default

Copyright © 2025 LexisNexis

Data protection by design and default (DPbDD) is often overlooked by organisations when they are considering their UK GDPR compliance obligations. This is understandable, as DPbDD is an intangible, all pervading concept that can be difficult to translate into specific actions, particularly compared to other discrete requirements of the UK General Data Protection Regulation (UK GDPR). However, there is a dedicated section in the UK GDPR about DPbDD (Article 25) and extensive guidance published by the European Data Protection Board (EDPB) and Information Commissioner’s Office (ICO):

  1. ICO: UK GDPR guidance and resources—Data protection by design and default

  2. EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default—according to the ICO, these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, however they may still provide helpful guidance on certain issues

In essence, DPbDD involves considering data protection and privacy issues upfront in everything you do. This means you have to integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.

UK GDPR requirements

DPbDD

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Practice Compliance News

OFSI publishes General Licence INT/2025/7598960 and updates UK Financial Sanctions FAQs

The Office of Financial Sanctions Implementation (OFSI) has published General Licence INT/2025/7598960 under regulation 64 of the Russia (Sanctions) (EU Exit) Regulations 2019, SI 2019/855. The licence permits the continuation of business activities involving Rosneft Deutschland GmbH, RN Refining and Marketing GmbH and their subsidiaries. OFSI has also updated its UK Financial Sanctions FAQs, adding FAQ 169, which clarifies that business operations with these entities may continue as normal in relation to UK financial sanctions, provided they comply with the terms of General Licence INT/2025/7598960.

EDPB adopts opinions on UK data adequacy extensions

The European Data Protection Board (EDPB) has adopted Opinions 26/2025 and 27/2025 on the European Commission’s draft decisions to extend the validity of the UK adequacy decisions under the General Data Protection Regulation (Regulation (EU) 2016/679) and the Law Enforcement Directive (Directive (EU) 2016/680) until December 2031. The Board has welcomed the continued alignment between UK and EU data protection frameworks but has urged the Commission to closely monitor UK developments that may affect the level of protection, including recent legislative changes to the Data (Use and Access) Act 2025 and the structure of the Information Commissioner’s Office (ICO).

OFSI publishes Legal Services General Licence INT/2025/7323088

The Office of Financial Sanctions Implementation (OFSI) has published a new Legal Services General Licence INT/2025/7323088 under most UK Autonomous Sanctions Regimes. The licence will take effect following the expiry of Legal Services General Licence INT/2024/6160920 on 28 October 2025. It permits UK legal firms and counsel that have provided legal advice to persons designated under the UK Autonomous Sanctions Regimes listed in Annex 1 to receive payment from those designated persons without requiring an OFSI specific licence, provided that the terms of the General Licence INT/2025/7323088 are met.

Firms in 'purgatory' as regulators respond to Mazur fallout

Law360, London: A recent court ruling that trainees and paralegals cannot conduct litigation, even under supervision, has left some firms 'in purgatory' as they grapple with a judgment that, lawyers warn, could make swathes of work unviable.

View Practice Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an
Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an