
Privacy by design and by default

Learn what privacy by design and privacy by default mean and how to apply them in Dastra.

๐ŸŒ Introduction

The principles of privacy by design and privacy by default are at the heart of the GDPR, set out in Article 25. They aim to ensure that personal data protection is integrated from the design phase of a project, and that default settings respect the highest possible level of privacy.

🎯 Objective: prevent risks before they arise and demonstrate compliance at every stage of the data lifecycle.


🧩 Key definitions

🧠 Privacy by Design

The data controller anticipates data protection from the design phase of a product, service or processing activity. ➡️ Action is taken upfront, before any data collection or deployment.

๐Ÿ›ก๏ธ Privacy by Default

Default settings must guarantee the highest possible level of protection: only strictly necessary data is processed, and sharing or visibility options must be disabled by default.

โš–๏ธ Data minimisation

Process only data that is adequate, relevant and limited to the purpose.

๐Ÿ” Integrity and confidentiality

Restrict access, ensure confidentiality, integrity and availability of data, and log all actions.

โณ Storage limitation

Plan from the design phase for the deletion, anonymisation or archiving of data at the end of its useful life.


🧭 Implementing Privacy by Design

The approach must be continuous and integrated into the lifecycle of the processing:

Key steps:

  1. Identify the project

    • Any new processing, tool or process change.

    • Alert the DPO from the study phase.

  2. Assess the impacts

    • Map data and purposes.

    • Identify risks to individuals' rights and freedoms.

    • Launch a DPIA if necessary.

  3. Design appropriate measures

    • Minimisation, compartmentalisation, encryption, pseudonymisation, logging.

    • Define retention periods, roles and access rights.

    • Plan mechanisms for the exercise of rights.

  4. Document compliance

    • Include measures in the record of processing activities.

    • Archive evidence in the audit trail.

    • Justify decisions (proportionality, technology choices, etc.).

  5. Monitor and improve

    • Audit processing activities regularly.

    • Update records and action plans.


🧱 Typical measures to integrate

Objective               Technical or organisational measure
Minimise data           Selective collection, masking, automatic deletion
Secure data flows       Encryption, TLS, strong authentication, access management
Preserve rights         Rights management portal (DSR), objection procedures
Ensure transparency     Privacy notices, access logs, clear documentation
Ensure traceability     Processing logs, regular audits
Control retention       Purge, anonymisation, secure intermediate archiving
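The following is an added example, not code from the original page and not Dastra's own code: a small Python module that turns three rows of the table above into working code on constructed sample records. It applies selective collection (a per-purpose allow-list of fields), pseudonymisation (a keyed HMAC, so the raw identifier never sits next to the other fields and cannot be recomputed without the key) and automatic deletion once a retention period has elapsed, and it shows privacy-by-default settings whose sharing options start disabled. The purposes, field names, retention periods and settings are assumptions chosen for the illustration.

```python
"""Added example (not Dastra's code): minimisation, pseudonymisation,
retention purge and privacy-by-default settings on constructed data."""

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Allow-list of fields per purpose: anything not listed is dropped at
# collection time (data minimisation). Purposes and fields are assumptions.
ALLOWED_FIELDS = {
    "newsletter": {"email"},
    "order_fulfilment": {"email", "postal_address", "order_id"},
}

# Retention period per purpose (storage limitation). Constructed values.
RETENTION = {
    "newsletter": timedelta(days=3 * 365),
    "order_fulfilment": timedelta(days=10 * 365),
}


def collect(raw: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose actually needs."""
    allowed = ALLOWED_FIELDS[purpose]
    return {k: v for k, v in raw.items() if k in allowed}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier.

    Unlike a plain hash, the pseudonym cannot be recomputed (or brute-forced
    from a list of candidate e-mails) by anyone who does not hold the key,
    which should live in a key store separate from the pseudonymised data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime

    def expired(self, now: datetime) -> bool:
        """True once the retention period for this record's purpose is over."""
        return now >= self.collected_at + RETENTION[self.purpose]


def purge_expired(records: list, now: datetime) -> list:
    """Automatic deletion: return only the records still within retention."""
    return [r for r in records if not r.expired(now)]


@dataclass
class ProfileSettings:
    """Privacy by default: every sharing / visibility option starts disabled
    and must be switched on explicitly by the person concerned."""
    profile_public: bool = False
    share_with_partners: bool = False
    analytics_opt_in: bool = False


def demo() -> dict:
    """Run the measures on constructed sample input; returns the outcome."""
    key = b"constructed-demo-key-do-not-reuse"  # would come from a key store
    raw = {"email": "alice@example.org", "phone": "+33 6 00 00 00 00",
           "postal_address": "1 rue Exemple, Paris", "shoe_size": "38"}

    # Minimisation: the newsletter purpose keeps the e-mail only.
    minimal = collect(raw, "newsletter")
    # Pseudonymisation: store the HMAC, not the e-mail, in the analytics copy.
    minimal["email"] = pseudonymise(minimal["email"], key)

    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    records = [
        Record("newsletter", dict(minimal), datetime(2020, 1, 1, tzinfo=timezone.utc)),
        Record("newsletter", dict(minimal), datetime(2023, 6, 1, tzinfo=timezone.utc)),
    ]
    kept = purge_expired(records, now)

    return {
        "fields_kept": sorted(minimal),
        "records_before_purge": len(records),
        "records_after_purge": len(kept),
        "defaults": vars(ProfileSettings()),
    }


if __name__ == "__main__":
    print(demo())
```

The purge runs against a clock passed in by the caller, so the same function can be exercised in a test with a fixed date and scheduled in production with the real one; the retention table and allow-list are the kind of values a record of processing activities would document per purpose.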


Privacy by Design flows directly from the accountability principle (Article 5 GDPR). The data controller must be able to demonstrate compliance at any time.

💬 This means: "Not only being compliant, but being able to prove it."


โš™๏ธ Privacy by Design in Dastra

Dastra facilitates the practical implementation of privacy by design and privacy by default through its integrated modules:

๐Ÿ” 1. Identify risks

Create targeted questionnaires or analysis templates for each new project.


🧮 2. Assess and document risks

Conduct DPIAs or risk assessments for each processing activity.


📋 3. Plan compliance actions

Assign remediation tasks, track progress and automate follow-ups.


๐Ÿ—‚๏ธ 4. Document in the record

Integrate security and governance measures into your processing activity forms, with evidence and logging.


🤖 Extension: Privacy by Design and responsible AI

Privacy by Design also applies to AI system governance (AI Act). Dastra allows you to link your AI models to their data processing activities, assess compliance and document risk control measures.



📘 For more information

  • Security measures

  • Record of processing activities (ROPA)
