
Data protection by design and by default


Latest updates – last updated 5 February 2026

5 February 2026 – We have updated this guidance to reflect changes following the Data (Use and Access) Act 2025 (DUAA). This includes a new subsection on the ‘children’s higher protection matters’ duty that DUAA added to the UK GDPR’s provisions on data protection by design and by default.

At a glance  

  • Data protection by design and by default is about considering data protection and privacy at the start of everything you do. It will help you comply with the UK GDPR’s fundamental principles and requirements, including accountability.
  • You must put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard people’s rights.  
  • This means you must integrate data protection into your processing activities and business practices, from the design stage and throughout the lifecycle.
  • If you provide online services likely to be accessed by children, you must consider their needs when you’re thinking about which technical and organisational measures are appropriate. This is the ‘children’s higher protection matters’ duty. 

What is ‘data protection by design and by default’?

The UK GDPR requires you to embed data protection practices into every aspect of your use of personal information. This approach is ‘data protection by design and by default’.  

Data protection by design is where you consider privacy and data protection issues of any system, service, product or process:  

  • at the design phase; and  
  • throughout its lifecycle.

Figure: a product or business lifecycle highlighting multiple points at which to consider data protection by design and by default, from the design stage, throughout the operative stages, to the end stage when the organisation decommissions the product or system.

At each stage, you must apply appropriate technical and organisational measures to implement the data protection principles effectively and protect people’s rights. 

If your organisation provides products or services, our guidance on privacy in the product design lifecycle gives more detail on how and when to consider data protection issues.

Data protection by default means you must limit your use of personal information to what is necessary to achieve each specific purpose of your processing. It links to the fundamental data protection principles of data minimisation and purpose limitation.

This doesn’t necessarily require you to switch everything to “off” by default. Instead, it’s about deciding what’s appropriate based on the circumstances of your processing and the risks it poses to people.

Following a data protection by design and by default approach from the start will help you comply with many other parts of the UK GDPR. It may bring additional benefits. For example, it can:

  • reduce longer-term costs by preventing the need for future large-scale redesigns when data protection issues arise;
  • help build user trust and confidence, which could be a market differentiator and make it easier for you to scale;  
  • increase your chances of meeting procurement requirements for regulated markets such as healthcare; and  
  • make it easier for you to partner with other organisations if they trust that you have strong information governance practices in place.

So, it’s better to think about data protection issues from the start rather than at the end.

Also, if we’re considering whether to impose a fine or other regulatory intervention, we will take into account the technical and organisational measures you have put in place for data protection by design. The way you apply data protection by design and by default could impact our decision to move ahead with regulatory action and the severity of the action we take.


What are the ‘children’s higher protection matters’? 

If you provide an online service likely to be accessed by children, you have an additional duty. When you assess what measures are appropriate for data protection by design, you must take into account the ‘children’s higher protection matters’.

These are:  

  • how you can best protect and support children who use your service;
  • the fact that children are entitled to specific protection because they may be less aware of:
    • the risks and consequences when you use their personal information; and
    • what their rights are; and
  • the fact that children have different needs at different ages and at different stages of their development.

This is about incorporating child-friendly design into your products, systems and services from the start rather than adding it in later.

This means that you must take children’s needs into account when designing and operating your service. And you must be able to demonstrate that you’ve done so.

The ‘children’s higher protection matters’ duty applies to the same online services that are in scope of our children’s code.  

The code’s standards are about applying a data protection by design approach to online services. Some of the standards provide specific considerations that may help you to comply with the ‘children’s higher protection matters’ duty. For example:

So, if you already conform to the code, you are likely to comply with this duty.  

Conforming to the Children’s code also shows that you take children’s privacy seriously and that your services are appropriate for them to use. The code also sets out other specific protections for you to build in when you design your service.  

The ‘children’s higher protection matters’ duty only applies if you provide an online service in scope of the children’s code. But other organisations may still need to consider similar issues as part of their overarching privacy by design obligations. For example, you may not provide an online service, but you may still use children’s personal information in other contexts.  


What are we required to do?

How you approach data protection by design will differ depending on your organisation and how you use personal information:  

  • If your use of personal information is not likely to result in a high risk, you might only need to implement some simple steps. 
  • If your use of it is likely to result in a high risk to people, you may need more interventions to ensure you fully apply data protection by design and by default. 

Depending on how you use personal information, you may want to obtain specialist advice not included in this guidance (eg legal or technical).  

When deciding on your approach to data protection by design, article 25(1) UK GDPR specifies that you must consider: 

  • the state of the art;  
  • the cost of implementation; 
  • the nature, scope, context and purposes of processing; and 
  • the risks to people’s rights and freedoms (including how likely they are and how serious their impact could be). 

You must assess the risks of how you use personal information and implement appropriate technical and organisational measures to mitigate them effectively. 

Article 25(2) specifies that you must implement appropriate technical and organisational measures to ensure that, by default, you only use personal information necessary for your specific purposes. That obligation applies to:  

  • the amount of personal information collected;  
  • the extent of its processing;  
  • the period of its storage; and  
  • the degree of its accessibility. 

To apply the data protection by default principle, you must specify the personal information you need before you start using it and only use what you need for your purposes.   

You must also protect the personal information you store and make sure only those who need to can access it. 


How do we do this in practice?  

Data protection by design and by default starts at the initial planning stages of any system, service, product or process and continues throughout its lifecycle.  

Start by mapping out:  

  • what personal information you will use, how you will use it, and for what purpose;  
  • the risks that this may pose to people; and
  • the possible measures available to ensure that you comply with the data protection principles and protect people’s rights.

You must consider:

  • the state of the art and costs of implementation of any measures;
  • the nature, scope, context and purposes of your processing; and
  • the risks that your processing poses to people’s rights and freedoms.

If your use of personal information is likely to result in a high risk to people’s rights and freedoms, you must complete a DPIA. This is a tool that helps you identify and reduce the data protection risks in how you use information.  

DPIAs are an important part of how you apply data protection by design and by default. It is good practice to complete a DPIA regardless of how you use personal information and whether you consider it high risk. Once you have worked out how you will put data protection by design and by default into practice, completing a DPIA will reveal what additional measures you might require.

To put data protection by design and by default into practice, you must design and implement technical and organisational measures across any relevant systems, designs and processes to comply with data protection principles.

Think about the outcomes you want to achieve and the different ways of doing so.  

You must only process the personal information that is necessary to achieve your specific purpose. To achieve this outcome, think about how you do the following:  

  • Keep track of the personal information you hold and use – for example, by keeping an up-to-date data map.  
  • Ask if any changes to your product or business that require new or additional personal information are necessary (eg by adding this question as a recurring item in a regular management, design or engineering review meeting to make sure it’s always covered).  
  • Explore ways to anonymise or pseudonymise personal information (eg by applying techniques such as randomisation, generalisation or masking, depending on the right approach for your context).
  • Delete any personal information that is no longer needed (eg by keeping a register or retention schedule to track how long you will keep information for).

Figure: a meeting agenda showing questions about data protection as a recurring item so that it’s always covered.

Example – Data minimisation and security

A cake retailer wants to collect customers’ dates of birth to advertise products around their birthdays.  

The team discusses the new marketing idea at their next meeting. They ask:

  • Is the personal information needed to achieve the purpose, and to what level of granularity?

They agree that to advertise their products ahead of someone’s birthday, they will need to know the specific date. But they may not need to know the year the person was born.  

  • How will they secure the information?

They propose ways of encrypting the information and ensuring there are adequate access controls on systems that store it.

  • How will their customers control this information?

They also need to gather consent from customers to collect and use this personal information and give the customers easy ways to withdraw their consent later.

They decide on a plan and record their decisions. 

Example – Storage limitation

A library keeps track of how long it holds members’ information. If a member has been inactive for a period of time, as defined by the library’s policies, the library contacts them to ask if they still want their account. If the member says ‘no’ or does not reply, the library deletes all personal information about them, including contact details and lending history. The library keeps some demographic information about members, which it then aggregates to produce statistics for funding purposes.
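The two examples above describe data protection by default as policy. As an added illustration that is not part of the ICO guidance, the following Python shows what the same decisions look like in code: the cake retailer stores only the month and day of a birthday and only markets to customers who have consented, and the library applies its retention schedule, asking inactive members once, deleting the whole record on a ‘no’ or on silence, and keeping demographics only as an aggregate count. All record types, policy periods and sample data are constructed for the example.

```python
# Added example (not ICO code): data protection by default applied to the two
# examples above, the cake retailer (data minimisation) and the library
# (storage limitation). All record types, policy values and data are constructed.
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


def minimise_birthday(dob: date) -> Tuple[int, int]:
    """Keep only the month and day: that is all a birthday promotion needs.
    The birth year is never stored, so it cannot later be misused or leaked."""
    return dob.month, dob.day


@dataclass
class Customer:
    email: str
    birthday: Tuple[int, int]          # (month, day) from minimise_birthday
    marketing_consent: bool = False    # consent is opt-in and can be withdrawn


def birthday_campaign(customers: List[Customer], today: date,
                      lead_days: int = 7) -> List[str]:
    """Emails to contact lead_days before their birthday, consenting customers only."""
    target = today + timedelta(days=lead_days)
    return [c.email for c in customers
            if c.marketing_consent and c.birthday == (target.month, target.day)]


@dataclass
class Member:
    member_id: str
    contact: str
    last_active: date
    lending_history: List[str] = field(default_factory=list)
    age_band: str = ""                  # demographic fields, only ever aggregated
    postcode_area: str = ""
    asked_on: Optional[date] = None     # when the library asked "keep your account?"
    replied_keep: Optional[bool] = None # True = yes, False = no, None = no reply


INACTIVITY = timedelta(days=365)   # constructed retention schedule values
REPLY_WINDOW = timedelta(days=30)


def retention_run(members: List[Member], stats: Counter, today: date) -> List[Member]:
    """One pass of the retention schedule. Inactive members are asked once; a 'no'
    or silence past the reply window deletes the whole record, after adding the
    demographics to an aggregate Counter that holds no identifiers."""
    kept = []
    for m in members:
        if today - m.last_active < INACTIVITY:
            kept.append(m)                       # active: nothing to do
        elif m.asked_on is None:
            m.asked_on = today                   # contact the member, start the window
            kept.append(m)
        elif m.replied_keep:
            m.last_active, m.asked_on, m.replied_keep = today, None, None
            kept.append(m)                       # reply counts as activity
        elif m.replied_keep is False or today - m.asked_on >= REPLY_WINDOW:
            stats[(m.age_band, m.postcode_area)] += 1   # aggregate, then drop record
        else:
            kept.append(m)                       # still inside the reply window
    return kept
```

Running `retention_run` on a schedule (for example nightly) is what turns the retention policy into an enforced default rather than a document nobody rereads.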

You must protect the information that you and any other organisations or partners you work with use and ensure it is secure. To achieve this outcome, think about how you do the following:  

  • Check the IT systems you use have adequate security and data protection measures in place.
  • Ensure you only use processors that provide sufficient guarantees of their technical and organisational measures for data protection by design and by default.
  • Secure personal information (eg use encryption, pseudonymisation or other privacy-enhancing technologies).
  • Ensure only the right staff can access the personal information (eg by having role-based or named access controls, depending on the scale of your organisation, and a process to give or revoke access when staff change roles or leave the organisation).
  • Check the devices you use have the latest security updates.

Figure: a document access control system to ensure only the right staff can access personal information.

Example – Choose processors carefully  

A charity is buying new software to manage volunteer information. The team review how the software company will store and use personal information and what security measures are in place to protect it. They discover that the software company uses analytics partners to provide insights, and it’s unclear how the partners use or store information. The charity feels this presents too great a risk and chooses an alternative solution with another supplier.

You must provide people with sufficient controls and options to exercise their rights. To achieve this outcome, think about how you do the following:

  • Consider different types of people using your product or service and any risks you might expose them to by using their personal information – especially younger people or others who need more support to protect themselves.
  • Create privacy information that is easy to find and read when people need it.
  • Design appropriate choices for people to control how you use their personal information throughout their interactions with your product or service, not just at the start.
  • Present choices equally and use neutral, plain language.
  • Provide balanced choices in context when you collect information to help people understand why you need it, so that they can make an informed decision.  
  • Avoid harmful design practices that use elements like language and colour to influence users’ decisions (eg nudging and biased framing).
  • Ensure any default settings offer strong privacy protections.
  • Provide the identity and contact information of those responsible for data protection and explain how people can exercise their rights.

Figure: an online service asks for consent to use information for two different purposes at different points in time, when it is most relevant. This gives people appropriate choices to control the use of their personal information throughout interactions with products and services, not just at the start.

Example – Consent and transparency  

A running tracker app collects location information to analyse runs and recommend new routes. The app developer provides privacy information when a person first downloads the app. The app doesn’t start collecting location information until the person goes on a run. At that point, they send the runner a just-in-time consent notice asking if they are OK to share their location information for that purpose. They also explain again how they use information and remind the runner how they can exercise their rights, such as by deleting and downloading information if they want to transfer it to a different running app.  

Example – Consent and transparency

A social media company is introducing a new AI chat interface to their product.  

Before developing and integrating the new function, they complete risk assessments, a DPIA and a cycle of rigorous testing. This reduces the risk of the chat function either exposing personal information or causing discrimination or harm through using that information. They share the new AI chat interface with a small group of customers first and continue to increase the roll-out as they become more confident in its safety. They publish a blog post about how they developed and trained the model for their AI chat function and include links to the privacy policy of the foundation model that they used to build it.  

When they give people the option to use the new AI chat function, they provide clear, concise privacy information in context. This explains how they and any partners they work with will use the information and identifies any potential risks in using the AI chat function. They also provide information about how they trained the chat function and underlying model, what datasets they used to train it, and how people can exercise their information rights.  

As part of the experience, people can see how and why the AI chat function generated its responses to their queries. There are feedback mechanisms for people to flag any issues. At any point, people have easy ways to remove the AI chat function and delete information they put into it.  

You must put in place organisational measures to ensure you meet data protection principles in practice. To achieve this outcome, think about how you do the following:

  • Ensure staff consider data protection when they make important decisions, such as in management meetings or design reviews.
  • Document significant decisions and processes relating to data protection.  
  • Create a blame-free culture to ensure staff feel comfortable raising risks and issues.
  • Make senior leaders accountable for protecting data throughout its lifecycle.
  • Conduct regular audits of systems and processes that use personal information – involve other staff in the audits to help them learn about data protection.
  • Create policies for how your organisation will use and store personal information securely.
  • Train staff in how to use and protect personal information and regularly refresh that training.

Figure: a decision tracker showing the documentation of significant decisions and processes about data protection.

Example – Accountability

An insurance company wants to reassure their staff and their customers that they value data protection and consider it in everything they do. First, they hold a team workshop to write a set of principles describing how they, as a company, will protect personal information and give people control over it when they need it.  

They publish these principles externally as a set of commitments. These principles act as a guide for all staff to know how to treat personal information. Whenever staff propose changes, they must check that they are in line with the company’s data protection principles.  

Senior leaders continually review how their teams embody these principles in their work. The company publishes improvements they make to data practices to show continued commitment to their data protection principles. 

Example – Accountability

The data protection officer (DPO) for an online publishing company ensures all staff know who they are and how to contact them. The DPO provides regular feedback on projects as they develop, rather than just at the start or end, to make sure they meet data protection principles throughout. If there are any issues, the DPO supports staff by reviewing the situation and suggesting next steps and improvements. They aim to enable and support project development with data protection principles in mind and reduce risk.  

Who is responsible for complying with data protection by design and by default?

If you make decisions about how and why you use personal information, you are a controller under the UK GDPR. And as the controller, you are responsible for complying with data protection by design and by default.  

These decisions include considerations about the software, applications or services that you use. These can range from simple tools like pre-installed applications on your computing devices, up to more specialised software or hardware that may involve more complex arrangements.  

In some cases, the providers of these products and services might play a role in the processing (eg as your processor or as a joint controller with you). In other situations, the providers might not have any role at all – you’re just using the products they make available in the market.  

What does this mean if we use a processor?

Under data protection law, when you use another organisation to process personal information on your behalf, that organisation is your processor.  

The data protection by design requirements don’t apply directly to processors. But remember that as the controller, you are responsible for compliance with the UK GDPR. And you must only use processors that provide sufficient guarantees that the processing they do for you will meet the requirements of the UK GDPR.

This applies to all aspects of data protection – including data protection by design.  

Additionally, depending on the nature of the processing and the information you make available to them, your processor must help you in your compliance with:  

  • the UK GDPR’s security requirements; and  
  • your DPIAs.  

What does this mean when we’re thinking about what products or services to use?

Article 25 doesn’t directly address the providers of applications, systems or services that you use to process personal information. However, it’s in their best interests to design their products with article 25 in mind.  

These organisations might be controllers in their own right (eg for any personal information they process as part of running their business and designing their services).  

But there are also many cases where you’re just using their products to achieve your processing, and the providers don’t play any data protection role with you.

Under your data protection by design obligations, you must take appropriate measures to implement the principles effectively. If you use products and services that don’t help you to do this, you may have to take more steps to be sure that your processing complies with the UK GDPR.

So, you should include data protection by design considerations in any decisions you make about the products and services you use.  

Much of this is likely to depend on the specific circumstances of your processing and how you intend to achieve it. But some things you could look out for include the following:

  • Does the provider of the service offer ways to enable and support you to comply with data protection by design?
  • Has the provider designed its service in line with particular industry standards or common practices?
  • Is the provider part of an approved certification mechanism or code of conduct?  

Not all these things may be relevant to all types of processing. For example, there may not be an approved certification mechanism covering the type of processing you want to carry out, or the product you intend to use to do so.  


What is the role of certification?

Article 25(3) says that an approved certification mechanism is a way for you to show how you are complying with and implementing data protection by design and by default.

Certification mechanisms may be particularly relevant if you have to comply with the ‘children’s higher protection matters’ duty. For example, you may need to consider:

  • the Age Check Certification Scheme (ACCS), which tests how age assurance products work; and
  • the Age Appropriate Design Certification Scheme (AADCS), which provides criteria for the age appropriate design of online services.  
