Privacy by Design & Default

The concepts of Privacy by Design and Privacy by Default are often mentioned in the context of software development. However, these terms are not only applicable to software development but also play a role in processes and behavior.

Privacy by Design and Privacy by Default are often mentioned together, which is not surprising as both terms are closely related. However, they have distinct meanings. Let’s start by exploring what Privacy by Design entails, and you’ll see that Privacy by Default naturally becomes part of the Privacy by Design philosophy.

Privacy by design

Privacy by Design focuses on considering privacy when developing new products or services. Its core objective is to prioritize privacy continually throughout the development process.

Privacy by Design is not a term that emerged out of nowhere. In fact, it is not just a term but a framework based on seven principles. When applied, these principles should result in a solution that appropriately handles the privacy of sensitive data.

Privacy by Design and Privacy by Default are integral parts of the GDPR laws, aiming to enhance privacy-protective features of solutions and services right from the development stage.

The ‘Seven Privacy by Design’ Principles

Proactive, not reactive; Preventive, not remedial.

Privacy by Design aims to prevent privacy breaches before they occur. It doesn’t wait for privacy-threatening situations to arise but proactively works to prevent such situations.

Privacy as the Default Setting

While Privacy by Design and Privacy by Default are often mentioned together, the latter is actually one of the principles of Privacy by Design. Privacy by Default focuses on automatically protecting all sensitive information in a system, without requiring any action from the individuals the data is about.

Privacy Integrated into Design

Privacy must be a standard and integrated part of the solution, process, or service. It is not an “additional functionality” but an essential component.

Complete functionality with a win-win approach

No compromise between functionalities, security, and privacy. The Privacy by Design approach assumes that there should never be a trade-off between functionality and privacy. The focus should be on achieving both in a win-win approach.

Fully protected from start to finish

Sensitive data must be protected from the beginning until the moment it is destroyed.

Visible and Transparent

Ensure that users and third parties can see how data flows through the solution and how it is protected. Providing insight into how such privacy-sensitive data is protected contributes to accountability and trust.

Focus on individuals’ privacy

The solution should focus primarily on protecting the privacy of individuals and be optimized accordingly.

Privacy by default

In the above list, Privacy by Default reappears as one of the principles. The main characteristic of Privacy by Default is that personal data should always be protected by default. A person registering their data should not have to take additional actions to protect their privacy, and systems processing the data should default to a privacy-friendly configuration.

An example of Privacy as the Default is the request to subscribe to a newsletter on a website. By leaving the checkbox for this option unchecked by default, we comply with a standard privacy-friendly solution. If the checkbox is always checked, a user must explicitly take action if they do not want to share their data, which goes against the principle.
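
The newsletter example above, as an added sketch that is not part of the original article: the server treats a missing checkbox field as "no consent", and a small lint flags opt-in checkboxes that are pre-checked in the markup. The setting names, `PRIVACY_DEFAULTS`, both functions and the sample form are hypothetical, and the regex-based HTML scan is an approximation, not a full parser.

```javascript
// Hypothetical settings table: every optional data use starts switched off.
const PRIVACY_DEFAULTS = Object.freeze({
  newsletter: false, // marketing e-mail is opt-in only
  analytics: false,  // assumed optional tracking setting
});

// Build a user's settings from an application/x-www-form-urlencoded body.
// Browsers omit unchecked checkboxes from the submission, so an absent
// field must resolve to the privacy-friendly default, never to "yes".
function settingsFromForm(body) {
  const params = new URLSearchParams(body);
  const settings = { ...PRIVACY_DEFAULTS };
  for (const key of Object.keys(PRIVACY_DEFAULTS)) {
    // "on" is what a checkbox without a value attribute submits when ticked.
    if (params.get(key) === "on") settings[key] = true;
  }
  return settings;
}

// Lint for templates: return the names of opt-in checkboxes that are
// pre-checked in the markup, which would force users to act to opt out.
function preCheckedOptIns(html) {
  const found = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const isCheckbox = /\btype\s*=\s*["']?checkbox\b/i.test(tag);
    const name = (tag.match(/\bname\s*=\s*["']?([\w-]+)/i) || [])[1];
    const checked = /\schecked(\s|=|\/|>)/i.test(tag);
    if (isCheckbox && checked && Object.keys(PRIVACY_DEFAULTS).includes(name)) {
      found.push(name);
    }
  }
  return found;
}

// Constructed sample markup: the newsletter box is wrongly pre-checked.
const SAMPLE_FORM = `
<form method="post">
  <input type="email" name="email">
  <input type="checkbox" name="newsletter" checked>
  <input type="checkbox" name="analytics">
</form>`;

console.log(settingsFromForm("email=a%40example.test")); // no field, no consent
console.log(preCheckedOptIns(SAMPLE_FORM));
```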