On 13 November 2019, the European Data Protection Board (EDPB) published draft guidelines (the Guidelines) on the principle of “Data Protection by Design and by Default” set out in Article 25 of the General Data Protection Regulation (GDPR). The Guidelines explain how controllers must ensure that they effectively implement the “data protection principles and data subjects’ rights and freedoms by design and by default” throughout the design and life cycle of their processing activities. The EDPB underlines that Data Protection by Design and by Default is a requirement for all controllers, regardless of their size. The examples in the Guidelines illustrate the broad range of processing activities to which the principle applies: setting up membership administration; buying customer relationship management (CRM) software; designing online order forms; improving the effectiveness of deliveries (through tracking employees); deciding on loan applications as a financial institution; and using artificial intelligence to profile customers. The complexity of implementing the principle will, however, vary with the individual processing operation. In this respect, Data Protection by Design and by Default is consistent with the “risk-based approach” underlying the GDPR. A short client memorandum on these Guidelines is available below.