What is Privacy by Default?
Privacy by Default means that the strictest privacy settings automatically apply when a customer acquires a new product or service, without requiring any manual input or configuration by the individual.
Privacy by Default, codified in Article 25(2) of the GDPR alongside Privacy by Design, requires that the default settings of a system, product, or service provide the highest level of privacy protection. This means that only personal data which is necessary for each specific purpose of the processing is collected and processed by default. The principle applies to the amount of data collected, the extent of processing, the period of storage, and the accessibility of the data.
In practice, Privacy by Default means that organizations should not collect more personal data than necessary for the stated purpose, data should not be made publicly accessible by default, privacy-friendly options should be pre-selected in user interfaces, personal data should be retained only for the minimum period necessary, and access to personal data should be limited to those who need it for processing purposes.
Organizations can implement Privacy by Default using IQWorks tools. DiscoverIQ helps identify where data collection may exceed what is necessary, ClassifyIQ ensures proper sensitivity labels drive default access restrictions, and ProtectIQ enforces access controls that limit data exposure to only those with a legitimate need.
Related Terms
Privacy by Design
Privacy by Design is a proactive approach that embeds data protection safeguards into the design and architecture of IT systems, business practices, and products from the earliest stages of development.
Data Minimization
Data minimization is a core data protection principle requiring organizations to collect and process only the personal data that is strictly necessary for the specified purpose, and no more.
Purpose Limitation
Purpose limitation is a data protection principle requiring that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Access Control
Access control restricts who can view, modify, or delete data based on identity, role, and authorization policies, ensuring only authorized personnel access personal data.
Storage Limitation
Storage limitation is a data protection principle requiring organizations to retain personal data only for as long as necessary to fulfill the purposes for which it was collected, then securely delete or anonymize it.