PrivacyOps Certification

Course content

Create Account

Log in / Create account to save progress and earn badges

Module 13
PrivacyOps Certification
View course details →

Data Privacy Approaches: Privacy-by-design & Privacy-by-default

Mark Complete Enroll now to save progress and earn badges. Click to continue.

Organizations must have adequate strategies and policies in place to incorporate the afore-mentioned data protection principles. 

There are two main approaches to data privacy: privacy-by-design and privacy-by-default. Organizations must have mechanisms in place to incorporate the approaches of privacy-by-design and privacy-by-default in their product development. These two approaches complement each other, enable organizations to identify potential privacy impacts on data subjects and build technical strategies to address those impacts.


Privacy-by-design means embedding privacy into the design of IT products, systems, and business practices and integrating data protection considerations before the collection and processing of personal data. It refers to having in-built abilities that would prevent personal data breaches rather than repairing and restoring systems in the aftermath of a personal data breach.

To successfully implement the privacy-by-design approach, organizations must, at minimum, do the following:

  • Avoid excessive data collection and collecting data without a lawful basis to do so.
  • Ensure appropriate privacy controls to give data subjects control and rights over their data and improve their trust.
  • Identify sensitive personal data that merit additional protection.

Organizations must educate their product owners and developers on data protection principles so that they are able to automate and implement privacy-by-design principles in the product development and design stage.


The privacy-by-default approach requires organizations to implement appropriate technical and organizational measures to ensure that, by default, the data subject has been provided the strictest privacy measure available. 

To successfully implement the privacy-by-default approach, organizations must, at minimum, do the following:

  • Minimize the processing of personal data by default.
  • Keep the period for data storage by default to the extent necessary for the intended and stated purposes such as the amount of time needed to provide a particular service to the data subject.
  • Avoid the use of any dark patterns to obtain data subject’s consent where consent has been leveraged upon as a legal basis of data processing. This would include the obligation to not use pre-ticked consent checkboxes or cookie walls as default.
  • Encrypt or pseudonymize personal data as soon as possible.

Privacy-by-default allows organizations to build efficient privacy technologies and consider data protection principles into their products throughout the product’s lifecycle.

In light of privacy-by-design and privacy-by-default approaches, organizations must designate data protection responsibilities in their teams and implement effective risk assessments.

Sitemap - XML Sitemap