Article 25 of the GDPR: Data protection by design and by default
Article 25 of the GDPR introduces the notions of data protection by design (privacy by design) and data protection by default (privacy by default). It requires data controllers to integrate data protection into each stage of the design and use of processing operations.
Article 25 of the GDPR explained
The data controller must implement appropriate technical and organizational measures, from the design phase, to comply with the principles of the GDPR and protect the rights of individuals.
It must also ensure that, by default, only the data necessary for each purpose is collected, processed, stored and accessible.
Why is this article important for your GDPR compliance?
Implementing data protection by design helps reduce risks from the start, improve transparency and integrate GDPR compliance into information systems, products and services. This limits corrective costs and potential sanctions.
How to comply with Article 25 of the GDPR?
- Build data protection into every project (IT, marketing, HR, etc.) from the outset.
- Apply a data minimisation policy: collect only what is strictly necessary.
- Configure your tools and software so that data protection is the default setting (e.g. by disabling optional features by default).
- Carry out a privacy impact assessment (PIA) for processing that presents a risk.
Examples of application of Article 25 of the GDPR
- A mobile application only requests the data strictly necessary for the operation of the service.
- An online form only displays the fields required for registration.
- Marketing software automates the deletion of data after a defined period.