DAT-012 Data Protection by Design and Default
Description
Privacy and security controls are embedded into system design from inception rather than added retrospectively. Default system configurations expose the minimum necessary personal data. New features and significant changes involving personal data undergo design review against privacy and security requirements before deployment.
Rationale
Post-hoc privacy remediation is significantly more expensive and less effective than designing it in. Regulators increasingly treat 'privacy by design' as an obligation, not a best practice.
Framework Mappings (6)
| Reference | Control | Mapping |
| --- | --- | --- |
| DSP-07 | Data Protection by Design and Default | full |
| DSP-08 | Data Privacy by Design and Default | full |
| GDPR-Art.25.1 | Data Protection by Design | full |
| GDPR-Art.25.2 | Data Protection by Default | full |
| SA-17 | Developer Security and Privacy Architecture and Design | partial |
| SA-8 | Security and Privacy Engineering Principles | partial |
Evidence (2)
Completed privacy and security design review records demonstrating that new features involving personal data were assessed before deployment.
Example: Privacy-by-Design review tickets (Jira) for the last 4 product releases, each containing: feature description, data flows identified, privacy risks assessed, mitigations applied, DPO or Privacy Engineer sign-off, and release gate outcome (approved / approved with conditions / rejected).
Test: Request privacy design review records for the last 4 major releases. Verify: (1) a review was completed before deployment for each release involving personal data, (2) each review identifies data flows, processing purposes, and applicable risks, (3) DPO or designated reviewer signed off, (4) any high-risk features have documented mitigations implemented prior to launch.
System default configurations demonstrating that privacy-friendly defaults are applied (e.g. minimum data collection enabled, analytics opt-out by default).
Example: Product default settings configuration (environment config / feature flag export), showing that new user accounts have analytics disabled, data sharing off, and minimum required permissions assigned by default, not requiring users to opt out.
Test: Review the default configuration for a new user account and the product feature flag settings. Verify: (1) optional data collection features (analytics, personalisation, marketing) are off by default for new accounts, (2) the system does not grant broader data access than necessary by default, (3) configuration is version-controlled and reviewed.
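As an added example (not part of this control catalogue or any product's own tooling), the following Python script turns the default-configuration test above into an automated release-gate check over a constructed feature-flag export; the flag names, permission names and JSON layout are assumptions, not a real product's configuration.

```python
"""Privacy-by-default gate: check a new-account defaults export against policy."""
import json

# Constructed sample export (hypothetical product): the weak defaults to be caught.
WEAK_EXPORT = json.dumps({
    "new_account_defaults": {
        "analytics_enabled": False,
        "personalisation_enabled": True,        # optional processing on by default
        "marketing_emails": False,
        "third_party_data_sharing": False,
        "permissions": ["read_own_profile", "read_all_users"],  # broader than needed
    },
    "source": {"repo": "example/product-config", "commit": "0000000"},  # placeholder
})

# Same export with the two weak settings corrected; used to show the gate passing.
HARDENED_EXPORT = json.dumps({
    "new_account_defaults": {
        "analytics_enabled": False,
        "personalisation_enabled": False,
        "marketing_emails": False,
        "third_party_data_sharing": False,
        "permissions": ["read_own_profile"],
    },
    "source": {"repo": "example/product-config", "commit": "0000001"},  # placeholder
})

# Policy (assumed): optional collection flags must be off; permissions capped to a least-privilege set.
OPTIONAL_COLLECTION_FLAGS = ("analytics_enabled", "personalisation_enabled",
                             "marketing_emails", "third_party_data_sharing")
LEAST_PRIVILEGE_PERMISSIONS = {"read_own_profile", "edit_own_profile"}

def check_privacy_defaults(export_json: str) -> list[str]:
    """Return findings against the export; an empty list means the defaults comply."""
    cfg = json.loads(export_json)
    defaults = cfg.get("new_account_defaults", {})
    findings = []
    for flag in OPTIONAL_COLLECTION_FLAGS:
        if flag not in defaults:   # undeclared means we cannot prove it is off
            findings.append(f"{flag}: not declared in export; must be explicitly off")
        elif defaults[flag] is not False:
            findings.append(f"{flag}: enabled by default; must be opt-in")
    for perm in sorted(set(defaults.get("permissions", [])) - LEAST_PRIVILEGE_PERMISSIONS):
        findings.append(f"permissions: '{perm}' granted by default exceeds least privilege")
    if not cfg.get("source", {}).get("commit"):
        findings.append("source: export not tied to a version-controlled commit")
    return findings

def release_gate(export_json: str) -> str:
    """Map the check to the release-gate outcome recorded in the review ticket."""
    return "rejected" if check_privacy_defaults(export_json) else "approved"
```

Running `check_privacy_defaults(WEAK_EXPORT)` reports the personalisation flag and the excess permission, so `release_gate` returns "rejected" for the weak export and "approved" for the hardened one.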
Questions (2)
Are privacy and security controls embedded into the design process for new features involving personal data, with a formal review required before deployment?
A privacy-by-design gate (e.g. design review ticket, DPO sign-off) must be completed before any new feature involving personal data is released to production. Default configurations should expose the minimum necessary data.
How are privacy-by-design requirements enforced in the development lifecycle?
A mandatory deployment gate with documented sign-off is the most effective control. Post-deployment review or best-efforts application indicates a significant control gap.