Briefly explained: Privacy by Design and by Default

by Manfred Wöller


In conversations, I repeatedly hear that the terms "Privacy by Design" and "Privacy by Default" are sometimes misinterpreted. For this reason, I will briefly and concisely explain both requirements of the General Data Protection Regulation (GDPR) so that even non-lawyers can understand them.

Data protection starts at the development stage

The heading of Art. 25 GDPR already says a great deal: "Data protection by design and by default", i.e. data protection through technology design and through data protection-friendly default settings.

Privacy by design = data protection through technology design

This means that data protection is systematically taken into account from the very start of programming and manufacturing. Data protection experts work closely with the development team and ensure a GDPR-compliant implementation. Even though this means extra work for companies, it brings advantages. In the future, users will pay closer attention to data protection requirements and make their purchasing decisions accordingly. And the technical and organizational measures (TOM) for data processing can be much leaner if hardware and software are designed to comply with data protection requirements from the outset.

Privacy by default = data protection through data protection-friendly default settings

This means that when hardware and software are put into operation, data protection is already practiced in the basic or default settings. In contrast to the earlier Facebook default setting of "I give Facebook access to everything, just do it ...", privacy is now protected by default. Consent can also no longer be obtained through a pre-ticked checkbox. You have to give your consent consciously and deliberately, and hopefully you know what you are doing.

It's about personal data

Privacy is supposed to take effect even before personal data is collected. The principles of data avoidance and data minimization should already be built into the design and architecture of IT systems, and all precautions against data breaches and data mishaps should be considered and integrated preemptively during the development of the technology. If the software then automatically handles the pseudonymization and encryption of sensitive data, a good part of the GDPR requirements is already taken care of.
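The two principles from the previous sections, privacy-friendly defaults with consent only through an affirmative act, and data minimization with pseudonymization built into the code path, can be sketched in a few lines. The following Python is an added example, not code from the original post or from any product mentioned in it; the class and function names, the "analytics" purpose and the HMAC key are constructed for illustration only.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed key for this example only. In production the key lives in a
# secrets store, separate from the pseudonymized data, so the pseudonym
# cannot be reversed by whoever holds the data alone.
PSEUDONYMIZATION_KEY = b"example-only-key-do-not-use"


@dataclass
class PrivacySettings:
    # Privacy by default: every data-sharing option starts switched off.
    share_profile_publicly: bool = False
    analytics_tracking: bool = False
    marketing_emails: bool = False


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    granted: bool


class UserAccount:
    """Hypothetical account model with privacy-by-default behaviour."""

    def __init__(self, user_id: str, email: str) -> None:
        self.user_id = user_id
        self.email = email
        self.settings = PrivacySettings()      # defaults are the strict ones
        self.consents: Dict[str, ConsentRecord] = {}  # nothing pre-consented

    def has_consent(self, purpose: str) -> bool:
        rec = self.consents.get(purpose)
        return rec is not None and rec.granted

    def give_consent(self, purpose: str, explicit_action: bool) -> None:
        # Consent must come from an affirmative act by the user; a pre-ticked
        # box (explicit_action=False) is rejected rather than silently stored.
        if not explicit_action:
            raise ValueError("consent requires an affirmative act by the user")
        self.consents[purpose] = ConsentRecord(purpose, datetime.now(timezone.utc), True)

    def withdraw_consent(self, purpose: str) -> None:
        # Withdrawal is recorded with a timestamp rather than deleted.
        self.consents[purpose] = ConsentRecord(purpose, datetime.now(timezone.utc), False)


def pseudonymize(identifier: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Keyed hash: stable per user for linking events, unusable without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def analytics_event(account: UserAccount, event: str) -> Optional[dict]:
    """Build an analytics record, or None if the user has not opted in.

    Data minimization: only the fields the purpose needs are emitted, the
    user id is pseudonymized, and the e-mail address never leaves the account.
    """
    if not account.settings.analytics_tracking or not account.has_consent("analytics"):
        return None
    return {"user": pseudonymize(account.user_id), "event": event}


if __name__ == "__main__":
    acct = UserAccount("u-1001", "alice@example.org")   # constructed sample user
    print(analytics_event(acct, "login"))                # None: nothing shared by default
    acct.settings.analytics_tracking = True
    acct.give_consent("analytics", explicit_action=True)
    print(analytics_event(acct, "login"))                # pseudonymous record only
```

The point of the structure is that the privacy-preserving behaviour is the path of least resistance: a freshly created account emits nothing, consent cannot be recorded without an explicit action, and the record that does go out carries a keyed pseudonym instead of the identifier itself.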

Conclusion

Privacy by Design and Privacy by Default are neither luxury add-ons nor optional extras, i.e. they are not "nice to have". They are a clear "must-have", a legal requirement of the GDPR. At the latest, the data protection impact assessment in companies will reveal that IT systems which do not meet these requirements are no longer sustainable, because the technical and organizational measures needed to make them GDPR-compliant and retrofit them afterwards will be far too costly. Increasingly, therefore, the two technical privacy principles are becoming decisive arguments in the choice or purchase of hardware and software.