GDPR Article 25 Explained: Data Protection by Design and by Default

The General Data Protection Regulation (GDPR) introduced a fundamental shift in how organizations are expected to handle personal data. Instead of reacting to privacy risks after they occur, businesses must now anticipate and prevent them from the very beginning. This proactive approach is embedded in Article 25 of the GDPR, titled “Data protection by design and by default.”

Article 25 is one of the most practical and operationally demanding provisions of the GDPR. It affects how systems are built, how products are designed, how services are delivered, and how internal processes are structured. It applies not only to technology companies, but to any organization that processes personal data, regardless of size or industry.


What Is GDPR Article 25?

GDPR Article 25 requires controllers to implement appropriate technical and organizational measures that ensure personal data protection is built into processing activities from the outset and remains the default state throughout the data lifecycle.

In simple terms, Article 25 means:

  • Privacy must be considered before data processing starts
  • Systems must be designed to minimize personal data use
  • Only the necessary data should be processed by default
  • Access to personal data should be limited automatically
  • Data protection should not rely on user actions alone

The article applies to both new systems and existing processing activities that are modified or expanded.


Data Protection by Design: What It Means

Data protection by design means integrating privacy and data protection principles into the architecture, design, and development of systems, products, and services that process personal data.

This is not limited to software development. It includes:

  • Business process design
  • Internal workflows
  • Data collection methods
  • Storage structures
  • Access control models
  • Retention and deletion mechanisms

Under Article 25, privacy is no longer an optional feature or an afterthought. It is a core functional requirement, similar to security or performance.

Key aspects of data protection by design include:

  • Anticipating privacy risks before deployment
  • Reducing the amount of personal data processed
  • Preventing unauthorized access by default
  • Embedding safeguards into systems, not policies alone
  • Ensuring compliance without requiring constant manual intervention

Data Protection by Default: What It Means

Data protection by default focuses on how systems behave automatically, without requiring user configuration or action.

The core principle is that only personal data that is necessary for a specific purpose should be processed by default.

This applies to:

  • Amount of data collected
  • Scope of processing
  • Storage duration
  • Accessibility of data

If a system allows optional data sharing, extended retention, or public visibility, those features must be disabled by default.

In practice, this means:

  • User profiles should not be public unless explicitly enabled
  • Fields that are not needed for the service should stay optional, never mandatory
  • Tracking should be off unless justified
  • Retention periods should be minimal by default

Who Must Comply with Article 25?

Article 25 applies to data controllers, meaning organizations that determine the purposes and means of processing personal data.

This includes:

  • Businesses of all sizes
  • Startups and SaaS providers
  • Employers
  • Online platforms
  • Healthcare providers
  • Educational institutions
  • E-commerce companies
  • Public authorities

While processors are not directly addressed in Article 25, controllers are expected to choose processors that support privacy-by-design principles.


Legal Requirements of GDPR Article 25

Article 25 contains two main obligations:

1. Implement Appropriate Measures

Controllers must implement technical and organizational measures that take into account:

  • State of the art
  • Cost of implementation
  • Nature, scope, context, and purposes of processing
  • Risks to rights and freedoms of individuals

There is no one-size-fits-all solution. Measures must be proportionate to the risk level.

2. Ensure Default Data Protection Settings

Controllers must ensure that, by default:

  • Only necessary personal data is processed
  • Data is not made accessible to an indefinite number of people
  • Processing is limited to the specific purpose

This applies throughout the entire lifecycle of the data.


Relationship Between Article 25 and Other GDPR Principles

Article 25 operationalizes several core GDPR principles, including:

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Unlike abstract principles, Article 25 requires concrete implementation.

It also closely interacts with:

  • Article 5 (Principles of processing)
  • Article 24 (Responsibility of the controller)
  • Article 32 (Security of processing)
  • Article 35 (Data protection impact assessments)

Documentation and Accountability

Although Article 25 does not explicitly mention documentation, controllers must be able to demonstrate compliance.

This typically includes:

  • Design documentation
  • Risk assessments
  • Technical specifications
  • Internal policies
  • Configuration records
  • Decision logs

If investigated by a supervisory authority, an organization must show how privacy was embedded into its systems and defaults.


Penalties for Non-Compliance

Failure to comply with Article 25 can result in administrative fines of up to:

  • €20 million, or
  • 4% of global annual turnover

Supervisory authorities have repeatedly emphasized privacy-by-design failures in enforcement actions, especially in digital products.


5 Practical Examples of GDPR Article 25 in Action

Example 1: User Registration in an Online Platform

An online platform requires users to create an account.

Without Article 25 compliance, the registration form collects:

  • Full name
  • Date of birth
  • Phone number
  • Address
  • Profile photo

None of these are strictly necessary.

With data protection by design and default:

  • Only email and password are required
  • Optional fields are clearly marked and disabled by default
  • Profile visibility is set to private
  • No additional data is collected unless justified

This demonstrates data minimization and privacy-first defaults.


Example 2: Employee Monitoring System

A company introduces software to monitor employee productivity.

Poor design would include:

  • Continuous tracking
  • Full activity logs
  • Long-term storage of behavior data

Article 25-compliant design includes:

  • Limited data collection
  • Aggregated statistics instead of raw logs
  • Restricted access to authorized roles
  • Automatic deletion after a defined period

The system is designed to achieve its purpose without excessive surveillance.


Example 3: Mobile App with Location Features

A mobile app offers optional location-based features.

Non-compliant approach:

  • Location tracking enabled by default
  • Background tracking without user awareness

Privacy-by-default approach:

  • Location access disabled by default
  • Clear explanation of why location is needed
  • Granular controls for users
  • Location data processed only while the feature is active

This ensures user control and purpose limitation.


Example 4: Customer Relationship Management (CRM) System

A company uses a CRM to manage leads and customers.

Without Article 25 principles:

  • All users can see all records
  • Data is retained indefinitely
  • Export features are unrestricted

With Article 25 implementation:

  • Role-based access controls
  • Default data retention limits
  • Restricted export permissions
  • Logging of data access

The CRM is designed to prevent unnecessary exposure of personal data.
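The compliant CRM design above, as an added Python example that is not code from the article: access is denied unless a role is explicitly granted it, bulk export is a separate restricted permission, and every access attempt is written to an audit log. The roles, permission table, users and records are constructed for illustration.

```python
# Added, hypothetical example (not from the article): deny-by-default CRM access with an audit log.
from dataclasses import dataclass, field

# Constructed permission table: any (role, action) pair missing here is denied.
PERMISSIONS = {("sales_rep", "read_own"), ("sales_manager", "read_team"), ("sales_manager", "export")}

@dataclass
class Crm:
    records: dict                      # record_id -> {"owner": user_id, "team": team_name}
    users: dict                        # user_id -> {"role": role_name, "team": team_name}
    audit_log: list = field(default_factory=list)

    def _log(self, user_id: str, action: str, target: str, allowed: bool) -> None:
        """Every access attempt, allowed or not, is recorded for accountability."""
        self.audit_log.append({"user": user_id, "action": action, "target": target, "allowed": allowed})

    def can_read(self, user_id: str, record_id: str) -> bool:
        user, rec = self.users[user_id], self.records[record_id]
        own = rec["owner"] == user_id and (user["role"], "read_own") in PERMISSIONS
        team = rec["team"] == user["team"] and (user["role"], "read_team") in PERMISSIONS
        return own or team

    def read(self, user_id: str, record_id: str):
        allowed = self.can_read(user_id, record_id)
        self._log(user_id, "read", record_id, allowed)
        return self.records[record_id] if allowed else None

    def export(self, user_id: str) -> list:
        """Bulk export is a separate, restricted permission and still limited to readable records."""
        allowed = (self.users[user_id]["role"], "export") in PERMISSIONS
        self._log(user_id, "export", "all", allowed)
        return [rid for rid in self.records if self.can_read(user_id, rid)] if allowed else []

def demo() -> dict:
    """Constructed users and records; reports what each access attempt yields."""
    users = {"alice": {"role": "sales_rep", "team": "emea"}, "bob": {"role": "sales_rep", "team": "emea"},
             "carol": {"role": "sales_manager", "team": "emea"}}
    records = {"r1": {"owner": "alice", "team": "emea"}, "r2": {"owner": "bob", "team": "emea"},
               "r3": {"owner": "erin", "team": "apac"}}
    crm = Crm(records, users)
    return {"alice_own": crm.read("alice", "r1") is not None,    # own record: allowed
            "alice_peer": crm.read("alice", "r2") is None,       # colleague's record: denied
            "alice_export": crm.export("alice"),                 # rep has no export permission
            "carol_export": crm.export("carol"),                 # manager: own team's records only
            "denied_logged": sum(1 for e in crm.audit_log if not e["allowed"])}
```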


Example 5: Website Analytics and Tracking

A website uses analytics to understand visitor behavior.

Non-compliant setup:

  • Tracking enabled by default
  • Full IP addresses stored
  • No data minimization

Article 25-compliant setup:

  • Analytics disabled by default until consent
  • IP anonymization enabled
  • Limited retention periods
  • Minimal data fields collected

This aligns technical configuration with privacy-by-design obligations.
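The compliant analytics setup above, as an added Python example that is not code from the article: collection is off until the visitor opts in, IP addresses are truncated before storage, only a minimal field set is kept, and records past a retention limit are purged. The 14-day limit, the field names and the sample addresses are constructed for illustration, not values taken from the regulation.

```python
# Added, hypothetical example (not from the article): privacy-by-default analytics intake.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

RETENTION_DAYS = 14                        # constructed limit, not a legal value
KEPT_FIELDS = {"path", "referrer_host"}    # minimal fields retained by default

def anonymize_ip(ip: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6) prefix; the host part is zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

@dataclass
class AnalyticsStore:
    consent: dict = field(default_factory=dict)   # visitor_id -> True; absent = no consent
    records: list = field(default_factory=list)

    def record(self, visitor_id: str, ip: str, event: dict, ts: datetime) -> bool:
        """Store an event only if the visitor opted in; returns whether it was stored."""
        if not self.consent.get(visitor_id, False):   # default is no tracking
            return False
        minimal = {k: v for k, v in event.items() if k in KEPT_FIELDS}
        self.records.append({"ip": anonymize_ip(ip), "ts": ts, **minimal})
        return True

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than RETENTION_DAYS; returns how many were removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [r for r in self.records if r["ts"] >= cutoff]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

def demo() -> dict:
    """Run the store over constructed events and report the privacy-relevant outcomes."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    event = {"path": "/pricing", "referrer_host": "example.org", "user_agent": "Mozilla/5.0"}
    store = AnalyticsStore()
    dropped = not store.record("visitor-a", "203.0.113.77", event, now)   # no consent yet
    store.consent["visitor-a"] = True                                      # explicit opt-in
    store.record("visitor-a", "203.0.113.77", event, now - timedelta(days=30))
    store.record("visitor-a", "2001:db8:abcd:1234::1", event, now)
    return {"dropped_without_consent": dropped,
            "ips": [r["ip"] for r in store.records],
            "user_agent_kept": any("user_agent" in r for r in store.records),
            "purged": store.purge_expired(now),
            "remaining": len(store.records)}
```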


Common Mistakes with Article 25

Organizations often misunderstand Article 25 as purely technical. Common errors include:

  • Treating privacy as a policy issue only
  • Relying on user consent instead of design choices
  • Over-collecting data “just in case”
  • Leaving default settings overly permissive
  • Failing to reassess systems over time

Compliance requires continuous evaluation, not a one-time setup.


Article 25 and Business Innovation

Contrary to popular belief, Article 25 does not stifle innovation. Instead, it encourages:

  • Trust-based product design
  • Transparent data practices
  • Reduced legal risk
  • Better user experience
  • Stronger security posture

Privacy-by-design often leads to cleaner, more efficient systems.


Conclusion

GDPR Article 25 is one of the most important and practical provisions of the regulation. It shifts data protection from a reactive obligation to a foundational design principle.

By requiring data protection by design and by default, Article 25 ensures that privacy is embedded into systems, products, and services from the very beginning. Organizations that take this obligation seriously reduce risk, improve compliance, and build greater trust with users.

Implementing Article 25 is not about perfection. It is about intentional, proportionate, and documented efforts to protect personal data at every stage of processing.