Study Guide: Certified Information Privacy Professional (CIPP): EU - Data Protection by Design and Default, Art. 25
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-data-protection-by-design-and-default-art-25


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E – Data Protection by Design and Default (Art. 25 GDPR)


What This Is

Data protection by design and by default means that privacy must be built into every stage of a product, service, or processing activity—from the initial concept through deployment—so that only the minimum necessary personal data is collected, processed, and retained, and that appropriate safeguards are embedded automatically.

Real-world example: A European-based e-commerce platform launches a new mobile app. Instead of asking users for their full address, phone number, and birthdate at sign-up, the app only requests the email needed for order confirmation and stores it in an encrypted database. The privacy-by-design team also configures the app to delete inactive accounts after 12 months, fulfilling the “default” requirement.


Key Terms & Provisions

  • Article 25 (GDPR – EU): The legal clause that obliges controllers to implement “appropriate technical and organisational measures” that embed data-protection principles into the processing lifecycle.
  • Data Protection by Design: The proactive approach of integrating privacy safeguards (e.g., pseudonymisation, encryption) into the architecture of systems before processing begins.
  • Data Protection by Default: Ensuring that, by default, only the data strictly necessary for the specific purpose is processed, and that settings are set to the most privacy-friendly option without user intervention.
  • Pseudonymisation (Art. 4(5)): Processing that separates personal data from direct identifiers so that re-identification requires additional information kept separately.
  • Encryption (Recital 78): Transforming data into a coded form that can only be read with a secret key; a core technical safeguard for design.
  • Risk-Based Approach (Art. 24): Controllers must assess the likelihood and severity of risks to data subjects and apply measures proportionate to that risk.
  • Data Protection Impact Assessment (DPIA) (Art. 35): A mandatory assessment for high-risk processing; the DPIA must describe how design and default measures mitigate identified risks.
  • Joint Controllers (Art. 26): When two or more controllers jointly determine the purposes and means of processing, they must allocate responsibilities for design and default measures in a transparent agreement.
  • Processor Obligations (Art. 28): Processors must follow the controller’s documented instructions, including any design-by-default requirements, and may be required to implement technical safeguards themselves.
  • Record-Keeping (Art. 30): Controllers must maintain a record of processing activities that includes a description of the technical and organisational measures applied to meet Art. 25.
  • Certification & Codes of Conduct (Art. 42–43): Approved mechanisms (e.g., ISO/IEC 27701) can demonstrate compliance with design-by-default obligations and may be used as evidence in audits.
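To make the “by default” idea concrete, here is an added example (not from this guide or any product it mentions) modelling the sign-up scenario above: collect only the email by default, pseudonymise it with a key held separately as Art. 4(5) describes, and delete accounts inactive for 12 months. The function names, field names and sample data are constructed for illustration.

```python
"""Added example: not taken from the Fatskills guide or any product it
describes.  It models the sign-up scenario on this page: collect only the
e-mail by default, pseudonymise it with a key held separately, and delete
accounts inactive for 12 months.  Names and sample data are constructed."""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = {"email"}                          # needed for order confirmation
OPTIONAL_FIELDS = {"phone", "address", "birthdate"}  # only on explicit opt-in
RETENTION = timedelta(days=365)                      # 12-month inactivity window
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)      # constructed "current" time


def minimise_signup(form, opted_in=frozenset()):
    """Privacy-friendly default: keep required fields plus opted-in extras,
    drop everything else before it is ever stored."""
    missing = REQUIRED_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing required field(s): {sorted(missing)}")
    allowed = REQUIRED_FIELDS | (OPTIONAL_FIELDS & set(opted_in))
    return {k: v for k, v in form.items() if k in allowed}


def pseudonymise(record, key):
    """Art. 4(5) style: replace the direct identifier with a keyed HMAC tag.
    `key` is the additional information kept separately; without it the tag
    cannot be linked back to the address (a plain hash could be guessed from
    a list of candidate e-mails, so a secret key is used instead)."""
    tag = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()
    return {**record, "email": tag}


def accounts_to_delete(accounts, now=NOW):
    """Return ids of accounts inactive longer than RETENTION (default: delete)."""
    return [a["id"] for a in accounts if now - a["last_active"] > RETENTION]


# Constructed sample data for a stand-alone run.
SAMPLE_FORM = {"email": "a@example.org", "phone": "555-0100", "address": "1 Main St"}
SAMPLE_ACCOUNTS = [
    {"id": 1, "last_active": NOW - timedelta(days=400)},  # stale: delete
    {"id": 2, "last_active": NOW - timedelta(days=30)},   # active: keep
]

if __name__ == "__main__":
    stored = pseudonymise(minimise_signup(SAMPLE_FORM), key=b"constructed-key")
    print(stored)                               # only a pseudonymised e-mail survives
    print(accounts_to_delete(SAMPLE_ACCOUNTS))  # [1]
```

The phone and address fields are dropped unless the user opts in, and the stored record carries only the keyed pseudonym, so a copy of the database without the separately held key cannot be re-identified.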

Step-by-Step / Process Flow

  1. Map the Processing Activity – Document the purpose, data categories, data flows, and lifecycle (collection → storage → use → retention → deletion).
  2. Perform a Preliminary Risk Scan – Identify whether the activity is likely to be high-risk (large scale, special categories, systematic monitoring, etc.).
  3. Determine Need for a DPIA – If high-risk, launch a DPIA; embed design-by-default controls (pseudonymisation, access limits) in the DPIA’s “Measures” section.
  4. Select Technical & Organisational Safeguards – Choose appropriate measures (encryption, default opt-out settings, data minimisation, UI design) and document the rationale (risk-proportionate).
  5. Implement & Test – Build the safeguards into the system, conduct privacy-by-design testing (e.g., penetration testing, privacy impact testing), and verify that default settings are the most protective.
  6. Monitor, Review & Update – Continuously audit the controls, update them when the processing changes, and keep the Art. 30 record current.

Common Mistakes

Mistake: Treating “by design” as a one-time checklist completed during project kickoff. Correction: It is an ongoing lifecycle activity; revisit design choices whenever the system is updated, new features are added, or risk assessments change.
Mistake: Assuming “default” means the most restrictive setting for every scenario. Correction: Default must be the most privacy-friendly setting that still allows the intended purpose; overly restrictive defaults can breach contractual or functional obligations.
Mistake: Relying solely on a DPIA to satisfy Art. 25. Correction: A DPIA is evidence, not a substitute; you still need concrete technical measures (e.g., encryption) and organisational policies (e.g., staff training).
Mistake: Forgetting to involve processors in the design-by-default discussion. Correction: Controllers must ensure processors implement the same safeguards and reflect those obligations in the processing agreement (Art. 28).
Mistake: Believing that “targeting” EU users automatically triggers Art. 25 without a clear purpose. Correction: The controller must have a legitimate purpose for processing EU data subjects; merely offering a service is insufficient.

CIPP Exam Insights

  1. Art. 25 vs. Art. 35: Exams often ask you to differentiate the obligation (Art. 25 – embed safeguards) from the trigger (Art. 35 – conduct a DPIA). Remember: design-by-default is always required; a DPIA is only required for high-risk processing.
  2. “Opt-in” vs. “Opt-out” default settings: Under GDPR, the default must be opt-in (i.e., no processing until consent is given) for activities that rely on consent. For legitimate-interest or contract-necessary processing, the default can be opt-out but must still be the most privacy-friendly option.
  3. Controller vs. Processor responsibilities: Controllers design the safeguards; processors must follow them. The exam may present a scenario where a processor independently adds encryption—this is permissible but does not relieve the controller of its Art. 25 duty.
  4. Joint Controllers: When two firms share a platform, the exam may test who drafts the “joint controller agreement” and who bears the primary Art. 25 compliance burden (answer: both, with responsibilities clearly allocated).

Quick Check Questions

  1. Question: A SaaS provider based in the US offers a CRM to EU customers. The platform automatically collects the full name, address, phone, and email of every user who signs up. Under Art. 25, what must the provider do?
    Answer: Configure the system to collect only the data necessary for the CRM’s core function (e.g., name and email) and set the default to the minimal data set; any additional fields must be optional and opt-in.
    Explanation: Art. 25 requires data minimisation and privacy-friendly default settings; unnecessary data collection violates the principle.

  2. Question: A hospital implements a new AI-driven diagnostic tool that processes patients’ genetic data. Is a DPIA sufficient to satisfy Art. 25?
    Answer: No. The DPIA documents the risk analysis, but the hospital must also embed technical safeguards (e.g., pseudonymisation, encryption) and organisational measures (e.g., access controls) into the tool’s design.
    Explanation: Art. 25 is a standalone obligation; a DPIA is evidence, not a replacement.

  3. Question: Two European retailers jointly launch a loyalty program and share customer purchase data. Who is responsible for ensuring “by design” compliance?
    Answer: Both are joint controllers and must allocate and document their respective design-by-default responsibilities in a joint-controller agreement.
    Explanation: Art. 26 requires joint controllers to clearly define who does what, including technical and organisational safeguards.


Last-Minute Cram Sheet (10 One-Liners)

  1. Art. 25 – “Data protection by design and by default” – mandatory for all processing.
  2. Art. 24 – Controllers must adopt a risk-based approach; the higher the risk, the stronger the safeguards.
  3. Art. 35 DPIA – Triggered when processing is likely to result in a high risk to data subjects.
  4. Pseudonymisation – Reduces risk but does not anonymise; pseudonymised data still counts as personal data under GDPR.
  5. Encryption – Strong encryption (e.g., AES-256) is the default technical safeguard for data at rest.
  6. Default Setting – Must be the most privacy-friendly option that still allows the intended purpose.
  7. Joint Controllers (Art. 26) – Must sign a clear agreement allocating design-by-default duties.
  8. Processor (Art. 28) – Must implement the controller’s design measures and may be liable for non-compliance.
  9. Record-Keeping (Art. 30) – Include a description of technical & organisational measures to prove Art. 25 compliance.
  10. Territorial Scope Trap: Art. 3 applies to non-EU controllers if they offer goods/services to or monitor EU data subjects, not merely if they have a physical EU presence.

Use this guide to reinforce the core of Art. 25, practice the step-by-step workflow, and avoid the common pitfalls that trip candidates on the CIPP/E exam.