Privacy by design and by default

Learn what privacy by design and privacy by default mean and how to apply them in Dastra.

🌍 Introduction

The principles of privacy by design and privacy by default are at the heart of the GDPR, set out in Article 25. They aim to ensure that personal data protection is integrated from the design phase of a project, and that default settings respect the highest possible level of privacy.

🎯 Objective: prevent risks before they arise and demonstrate compliance at every stage of the data lifecycle.

🧩 Key definitions

🧠 Privacy by Design

The data controller anticipates data protection from the design phase of a product, service or processing activity. ➡️ Action is taken upfront, before any data collection or deployment.

🛡️ Privacy by Default

Default settings must guarantee the highest possible level of protection: only strictly necessary data is processed, and sharing or visibility options must be disabled by default.

⚖️ Data minimisation

Process only data that is adequate, relevant and limited to the purpose.

🔐 Integrity and confidentiality

Restrict access, ensure confidentiality, integrity and availability of data, and log all actions.

⏳ Storage limitation

Plan from the design phase for the deletion, anonymisation or archiving of data at the end of its useful life.

🧭 Implementing Privacy by Design

The approach must be continuous and integrated into the lifecycle of the processing:

Key steps:

Identify the project
- Any new processing, tool or process change.
- Alert the DPO from the study phase.
Assess the impacts
- Map data and purposes.
- Identify risks to individuals' rights and freedoms.
- Launch a DPIA if necessary.
Design appropriate measures
- Minimisation, compartmentalisation, encryption, pseudonymisation, logging.
- Define retention periods, roles and access rights.
- Plan mechanisms for the exercise of rights.
Document compliance
- Include measures in the record of processing activities.
- Archive evidence in the audit trail.
- Justify decisions (proportionality, technology choices, etc.).
Monitor and improve
- Audit processing activities regularly.
- Update records and action plans.

🧱 Typical measures to integrate

Objective

Technical or organisational measure

Minimise data

Selective collection, masking, automatic deletion

Secure data flows

Encryption, TLS, strong authentication, access management

Preserve rights

Rights management portal (DSR), objection procedures

Ensure transparency

Privacy notices, access logs, clear documentation

Ensure traceability

Processing logs, regular audits

Control retention

Purge, anonymisation, secure intermediate archiving

🧠 Link with accountability

Privacy by Design flows directly from the accountability principle (Article 5 GDPR). The data controller must be able to demonstrate compliance at any time.

💬 This means: "Not only being compliant, but being able to prove it."

⚙️ Privacy by Design in Dastra

Dastra facilitates the practical implementation of privacy by design and privacy by default through its integrated modules:

🔍 1. Identify risks

Create targeted questionnaires or analysis templates for each new project.

🧮 2. Assess and document risks

Conduct DPIAs or risk assessments for each processing activity.

📋 3. Plan compliance actions

Assign remediation tasks, track progress and automate follow-ups.

🗂️ 4. Document in the record

Integrate security and governance measures into your processing activity forms, with evidence and logging.

🤖 Extension: Privacy by Design and responsible AI

Privacy by Design also applies to AI system governance (AI Act). Dastra allows you to link your AI models to their data processing activities, assess compliance and document risk control measures.

💡 Good practice: Anticipate compliance from the design phase: involve the DPO, document decisions, assess risks and integrate privacy safeguards by default. Dastra helps you structure this approach and demonstrate it easily.

📘 For more information

Security measures Record of processing activities (ROPA)

Last updated 24 days ago

Was this helpful?