Data Protection by Design and by Default
The GDPR provides for two crucial concepts for future project planning: Data Protection by Design and Data Protection by Default. While long recommended as good practice, both of these principles are enshrined in law under the GDPR (Article 25).
Data Protection by Design means embedding data privacy features and data-privacy-enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.
Data Protection by Default means that the user service settings must be data-protection-friendly automatically (e.g. no automatic opt-ins on customer account pages), and that only data which is necessary for each specific purpose of the processing should be gathered at all.