GRCWatch
Sign inStart free trial

GDPR A25-01: Data Protection by Design and by Default

Data Protection by Design and by Default is a foundational GDPR requirement that shifts compliance left—embedding privacy safeguards into your systems and processes before data processing begins, not after. For SMBs, this means documenting your technical and organizational measures upfront to demonstrate accountability and reduce breach risk.

What this means

Article 25 of the GDPR requires you to implement appropriate technical and organizational measures that embed data-protection principles into your processing activities from the moment you design a system or process. This isn't a one-time audit; it's a proactive approach where you build privacy controls into your infrastructure, workflows, and vendor relationships. By design means considering data minimization, purpose limitation, and security at the architectural level. By default means your systems should be configured with the strongest privacy settings automatically—users shouldn't have to opt in to protection.

How to comply

  1. 1.Conduct a Data Protection Impact Assessment (DPIA) before deploying new processing systems, databases, or third-party tools
  2. 2.Document all technical measures: encryption, access controls, pseudonymization, authentication mechanisms, and audit logging
  3. 3.Document organizational measures: data retention schedules, staff training, data breach response procedures, and vendor contracts with data protection clauses
  4. 4.Set privacy settings to maximum protection by default; require explicit user action to reduce protection levels
  5. 5.Review and update measures annually or whenever processing activities change, new risks emerge, or regulations evolve
  6. 6.Assign clear ownership of data protection implementation—typically the Data Protection Officer (DPO) or compliance lead—with executive accountability

Evidence auditors look for

  • DPIA documentation for new CRM, payroll, or analytics systems showing privacy controls considered pre-deployment
  • System architecture diagrams with encryption, access control, and audit logging labeled
  • Data retention policies specifying how long personal data is kept and how it is deleted
  • Staff training records demonstrating data protection awareness across teams
  • Data Processing Agreements (DPAs) with vendors confirming they implement Article 25 measures
  • Audit logs showing authentication, access, and data modification events over the past 12 months
  • Privacy policy and system configuration screenshots showing default-secure settings

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates DPIA workflows, maintains your technical and organizational measures inventory, tracks control implementation across all systems, and generates audit-ready evidence—so you prove Article 25 compliance without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A32 — Security of ProcessingGDPR A33 — Personal Data Breach NotificationGDPR A34 — Communication of Breach to Data SubjectGDPR A5 — Principles Relating to Processing of Personal Data