Art. 25 | Severity: High | GDPR | European Union

GDPR Article 25 — Data protection by design and by default

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
Privacy must be built into systems from the start, and default settings must minimize data collection. It cannot be bolted on afterward.

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.