This document from Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), looks into the notion of data protection by design and by default and provides guidance on its implementation.
The General Data Protection Regulation (GDPR), in Article 25 under the heading “Data protection by design and by default”, incorporates into data protection regulations the practice of considering privacy requirements from the first stages of product and service design. It thereby gives this practice the status of a legal requirement, so that the guarantees protecting citizens’ rights and freedoms with regard to their personal data are integrated from the early development stages of systems and products. Because both are understood as the need to consider privacy and the principles of data protection from the inception of any type of processing, the terms “data protection by design” and “privacy by design” can be considered equivalent for the purposes of drafting this document.
The final goal is to ensure that data protection is present from the early stages of development and is not a layer added to a product or system afterwards. Privacy should be an integral part of the nature of that product or service.