Implementing DP principles using Data Protection By Design - By Default



This material aims to provide practical guidance on how to implement data protection by design and by default in practice.

In particular, practical examples are provided, as well as known bad practices, in order to allow a system analyst/designer/developer to identify the main challenges towards ensuring the fulfilment of the aforementioned principles.

(Recall that, although data protection by design and by default are legal obligations for the data controllers, the role of system/product developers is crucial.)

At the end of the study, the reader is expected to:

  • Understand the importance of data protection by design and by default.
  • Be familiar with known problems/challenges to implement these principles.
  • Be able to identify several pitfalls with respect to data protection by design and by default.
  • Have knowledge of a proper guide towards implementing these principles.




  • How to efficiently implement the principles of transparency, lawfulness and fairness?
    • Be careful about how accurate, clear and easily accessible/readable the information provided to the users is.
    • Avoid vague formulations.
    • Avoid dark patterns.
    • Is any third party employed?
      • E.g. Do you implement an Android app that is based on third-party libraries?

See relevant slides

  • How to efficiently implement the principles of purpose limitation, data minimisation and accuracy?
    • Be careful on the purpose of the processing; having (“legally”) the users’ data does not allow making use of them for other purposes.
      • Does the design exclude such an option? E.g. Is a connection between different datasets, for different purposes, not possible?
    • Are the data processed the minimum possible?
      • Be careful: Proper pseudonymisation may be a prerequisite in some cases.
      • Do you erroneously consider data as anonymous, but they are actually not?
    • Do you implement measures towards ensuring accuracy of data?
      • Are your sources trusted?
      • What about users with “similar/almost similar identifiers”? E.g. what about two different users named Mary Adams?
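The two pitfalls in this list that are easiest to get wrong in code are treating a hashed identifier as "anonymous" and letting two different people with similar identifiers collapse into one record. The following is an added example, not part of the toolkit, that contrasts an unkeyed hash with a keyed pseudonym and provides two self-checks a developer can run before calling data anonymous or accurate. The e-mail addresses and the controller key are constructed for the demo and are assumptions, not values from the page.

```python
import hashlib
import hmac

# Constructed sample identifiers; no real persons.
SAMPLE_EMAILS = [
    "mary.adams@example.com",
    "mary.adams@example.org",   # a second, different Mary Adams
    "john.doe@example.com",
]

# Constructed demo key; in a real system it lives in a key store, never in code.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"


def naive_hash_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Often mistaken for anonymisation: anyone who
    knows the algorithm can recompute it for a list of plausible inputs."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key only the controller holds. This is pseudonymisation:
    the output is still personal data, because the key holder can link it back."""
    return hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def linkable_without_secret(pseudonym: str, candidates, pseudonymise) -> bool:
    """Self-check for 'do we wrongly treat these data as anonymous?': a party holding the
    algorithm and a list of plausible identifiers tries to recompute the stored value.
    True means that party can re-identify the record."""
    return any(hmac.compare_digest(pseudonymise(c), pseudonym) for c in candidates)


def distinct_pseudonyms(identifiers, pseudonymise) -> bool:
    """Accuracy check: different subjects with similar names must not share one record."""
    outputs = {pseudonymise(i) for i in identifiers}
    return len(outputs) == len(set(identifiers))


def run_checks() -> dict:
    target = "mary.adams@example.com"
    naive = naive_hash_pseudonym(target)
    keyed = keyed_pseudonym(target, CONTROLLER_KEY)
    return {
        # unkeyed hash: recomputable from the candidate list alone -> not anonymous
        "naive_linkable": linkable_without_secret(naive, SAMPLE_EMAILS, naive_hash_pseudonym),
        # keyed: a party without the controller's key cannot recompute it ...
        "keyed_linkable_without_key": linkable_without_secret(
            keyed, SAMPLE_EMAILS, lambda c: keyed_pseudonym(c, b"some-other-key")),
        # ... but the controller, holding the key, still can -> pseudonymous, not anonymous
        "keyed_linkable_by_controller": linkable_without_secret(
            keyed, SAMPLE_EMAILS, lambda c: keyed_pseudonym(c, CONTROLLER_KEY)),
        # the two Mary Adams keep separate pseudonyms because their identifiers differ
        "two_mary_adams_kept_apart": distinct_pseudonyms(
            SAMPLE_EMAILS, lambda c: keyed_pseudonym(c, CONTROLLER_KEY)),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The point of `run_checks` is that both outcomes for the keyed variant are expected: the keyed value is not linkable by an outsider, yet remains linkable by the controller, which is exactly why pseudonymised data stay within scope of data protection law and still need a purpose, a retention period and security measures.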

See relevant slides

  • How to efficiently implement the principles of storage limitation and security of data?
    • Is the retention time well-determined? If yes, is it ensured that it is implemented properly?
      • Be careful of what remains in temporary storage, backups etc.
      • Is data recovery indeed impossible?
    • Do you anonymise instead of delete?
      • Be careful: Data anonymisation is by itself a personal data processing.
      • Not always an easy task: Is it ensured that the resulting data are indeed anonymous?
    • Are your decisions on security measures ad-hoc or relying on a systematic risk management?
      • Ad-hoc empirical decisions are not the proper way.
      • Even simply adopting the latest version of a security program/protocol is not adequate.
      • Always consider the weakest link in the security chain.
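The retention questions above ("what remains in temporary storage, backups etc.", "is data recovery indeed impossible?") are the ones a deletion routine usually fails. The following is an added example, not code from the toolkit, that models a primary table together with the two places copies tend to linger, a cache and backup snapshots, and contrasts the common mistake (purging only the primary table) with a purge applied to every location, followed by a recoverability self-check. Record contents, dates and the 30-day retention period are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    record_id: str
    subject: str
    created_at: datetime
    retention_days: int   # the retention period determined for this record's purpose

    def expired(self, now: datetime) -> bool:
        return now >= self.created_at + timedelta(days=self.retention_days)


@dataclass
class DataStore:
    """Primary table plus the two places data tend to linger: a cache and backup snapshots."""
    primary: dict = field(default_factory=dict)
    cache: dict = field(default_factory=dict)
    backups: list = field(default_factory=list)

    def write(self, rec: Record) -> None:
        self.primary[rec.record_id] = rec
        self.cache[rec.record_id] = rec           # e.g. a session or query cache

    def snapshot(self) -> None:
        self.backups.append(dict(self.primary))   # a backup copies whatever is live now

    def naive_purge(self, now: datetime) -> list:
        """The common mistake: apply the retention period to the primary table only."""
        gone = [rid for rid, r in self.primary.items() if r.expired(now)]
        for rid in gone:
            del self.primary[rid]
        return gone

    def purge_expired(self, now: datetime) -> list:
        """Apply the retention period to every location where a copy can exist."""
        expired = {rid for rid, r in self.primary.items() if r.expired(now)}
        expired |= {rid for rid, r in self.cache.items() if r.expired(now)}
        for snap in self.backups:
            expired |= {rid for rid, r in snap.items() if r.expired(now)}
        for rid in expired:
            self.primary.pop(rid, None)
            self.cache.pop(rid, None)
            for snap in self.backups:
                snap.pop(rid, None)
        return sorted(expired)

    def recoverable_from(self, record_id: str) -> list:
        """Retention self-check: is the record really gone, or can it still be recovered?"""
        places = []
        if record_id in self.primary:
            places.append("primary")
        if record_id in self.cache:
            places.append("cache")
        places += [f"backup[{i}]" for i, snap in enumerate(self.backups) if record_id in snap]
        return places


def build_sample_store() -> DataStore:
    """Constructed sample data: one record past its 30-day retention, one still within it."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = DataStore()
    store.write(Record("r1", "subject-A", t0, retention_days=30))
    store.write(Record("r2", "subject-B", t0 + timedelta(days=40), retention_days=30))
    store.snapshot()
    return store


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed "current" time, 60 days after t0


if __name__ == "__main__":
    s = build_sample_store()
    print("naive purge removed", s.naive_purge(NOW), "- r1 still in", s.recoverable_from("r1"))
    s = build_sample_store()
    print("full purge removed", s.purge_expired(NOW), "- r1 still in", s.recoverable_from("r1"))
```

Where backups are written to immutable media and cannot be edited in place, the same outcome is reached by encrypting each record under a per-record or per-period key and destroying the key at expiry, or by filtering expired records out during restore; either way, `recoverable_from` is the check to keep, because it asks the question the principle actually poses.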

See relevant slides

  • What about data protection by default?
    • Which are the proper default settings?
    • Are there any guiding questions to help in making the proper choice for the default settings?
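One concrete way to answer "which are the proper default settings?" in code is to record, for each setting, which option is the most protective, ship that option by default, and allow a less protective option only after an explicit user action. The following is an added example, not from the toolkit; the settings catalogue and its option names are constructed assumptions.

```python
# Constructed catalogue of user-facing settings. For each setting the options are listed
# from the most privacy-protective to the least; index 0 is what must ship by default.
SETTING_OPTIONS = {
    "profile_visibility": ["private", "contacts_only", "public"],
    "usage_analytics": ["off", "on"],
    "location_sharing": ["off", "approximate", "precise"],
    "marketing_email": ["off", "on"],
}


def protective_defaults() -> dict:
    """Data protection by default: every setting starts at its most protective option."""
    return {name: options[0] for name, options in SETTING_OPTIONS.items()}


def audit_defaults(shipped_defaults: dict) -> list:
    """Return findings for settings whose shipped default is less protective than option 0,
    and for settings the catalogue knows about but the shipped defaults omit."""
    findings = []
    for name, options in SETTING_OPTIONS.items():
        value = shipped_defaults.get(name)
        if value not in options:
            findings.append(f"{name}: missing or unknown default {value!r}")
        elif options.index(value) != 0:
            findings.append(f"{name}: default {value!r} is less protective than {options[0]!r}")
    return findings


def apply_user_choice(settings: dict, name: str, value: str, explicit_user_action: bool) -> dict:
    """Change one setting. Moving towards less protection (a higher index) is allowed only
    when the user took an explicit action; moving towards more protection is always allowed.
    A pre-ticked box or a generic 'continue' button does not count as an explicit action."""
    options = SETTING_OPTIONS[name]
    if value not in options:
        raise ValueError(f"unknown value {value!r} for {name}")
    if options.index(value) > options.index(settings[name]) and not explicit_user_action:
        raise PermissionError(f"{name}: weakening protection requires an explicit user action")
    updated = dict(settings)
    updated[name] = value
    return updated


def choice_refused(settings: dict, name: str, value: str, explicit_user_action: bool) -> bool:
    """Helper for tests and audits: True when the change is rejected by policy."""
    try:
        apply_user_choice(settings, name, value, explicit_user_action)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    defaults = protective_defaults()
    print("defaults:", defaults)
    print("audit of a build that turns analytics on:",
          audit_defaults({**defaults, "usage_analytics": "on"}))
    print("silent loosening refused:", choice_refused(defaults, "location_sharing", "precise", False))
```

Running `audit_defaults` over the defaults actually shipped in each build is a cheap regression check: a product change that flips a default towards sharing, or adds a new setting without a protective default, shows up as a finding before release rather than in a complaint.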

See relevant slides


General References


  1. European Union Agency for Cybersecurity, “Privacy and Data Protection by Design - From policy to Engineering”, 2014



This online toolkit was funded by the European Union’s Rights, Equality and Citizenship Programme (2014-2020).

Disclaimer: The content of this online toolkit represents the views of the authors only and is their sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.