The classic trap
Article 25 sanctions follow when Privacy by Design remains a statement of intent with no technical proof. The CNPD and CNIL primarily target web forms collecting too many fields (a mandatory phone number for a newsletter), overly permissive default settings (public profiles by default on a platform), and unlimited retention in application databases. The EDPB (Guidelines 4/2019) requires an effective demonstration, not a PDF policy. The ultimate trap: relying on the standard settings of a SaaS (Salesforce, HubSpot, Workday) without hardening them, when these tools ship in 'maximum visibility' mode by default.
The toxic defaults authorities hunt down first
- Form fields marked mandatory without demonstrated necessity for the purpose (date of birth for a quote request).
- Pre-ticked opt-in boxes for marketing or partner sharing.
- Public user profiles by default on collaboration platforms, forums, internal social networks.
- Missing or 'never' retention periods in CRM, ERP, ATS databases.
- Overly broad read access on M365, Google Workspace, Dropbox Business shared drives (active 'Everyone' group).
- Application logs containing personal data with no rotation or automatic purge.
- Unencrypted CSV exports accessible to the entire sales team.
- Lack of pseudonymisation in pre-production and test environments, which often replay production copies.
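To make the list above concrete, here is an added example (not Luxgap code, and not any vendor's API) of a read-only audit over a constructed configuration snapshot: it flags the toxic defaults named above and reports drift when a later snapshot is more permissive than an earlier one. The snapshot shape and the JUSTIFIED purpose map are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Finding:
    system: str   # where the setting lives (form, profiles, retention, share)
    item: str     # the parameter or field concerned
    issue: str    # which toxic default it matches

# Constructed snapshot standing in for what an auditor pulls read-only from the SaaS.
SNAPSHOT = {
    "forms": [
        {"name": "newsletter", "purpose": "newsletter",
         "fields": [{"name": "email", "mandatory": True},
                    {"name": "phone", "mandatory": True}],
         "optins": [{"name": "partner_sharing", "prechecked": True}]},
        {"name": "quote", "purpose": "quote",
         "fields": [{"name": "email", "mandatory": True},
                    {"name": "birth_date", "mandatory": True}],
         "optins": [{"name": "marketing", "prechecked": False}]},
    ],
    "profiles": {"default_visibility": "public"},
    "retention": {"crm": "never", "ats": "24m"},
    "shares": [{"name": "Sales", "readers": ["Everyone"]},
               {"name": "HR", "readers": ["hr-team"]}],
}

# Assumed documentation of purpose: the only fields each purpose genuinely needs as mandatory.
JUSTIFIED = {"newsletter": {"email"}, "quote": {"email", "postcode"}}

def audit(snapshot, justified=JUSTIFIED):
    """Return one Finding per configured default that exposes data beyond strict necessity."""
    found = []
    for form in snapshot["forms"]:
        needed = justified.get(form["purpose"], set())
        for fld in form["fields"]:
            if fld["mandatory"] and fld["name"] not in needed:
                found.append(Finding("form:" + form["name"], fld["name"], "mandatory field without documented necessity"))
        for opt in form["optins"]:
            if opt["prechecked"]:
                found.append(Finding("form:" + form["name"], opt["name"], "pre-ticked opt-in"))
    if snapshot["profiles"]["default_visibility"] != "private":
        found.append(Finding("profiles", "default_visibility", "public profile by default"))
    for db, period in snapshot["retention"].items():
        if period in (None, "never"):
            found.append(Finding("retention", db, "no retention period"))
    for share in snapshot["shares"]:
        if "Everyone" in share["readers"]:
            found.append(Finding("share:" + share["name"], "readers", "'Everyone' group has read access"))
    return found

def drift(before, after):
    """Findings present in the later snapshot but not the earlier one: an admin loosened a default."""
    return sorted(set(audit(after)) - set(audit(before)))
```

Run against a real export the same way: keep the justification map under change control, so a field can only become mandatory once its purpose is documented.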
The 'effective' test: what counts before CNPD
Article 25 requires effective measures, not symbolic ones. During an inspection, you must demonstrate that minimisation is technical (a field removed from the form), not declarative (a mention in the policy). The CNPD systematically compares your Privacy by Design policy with the actual configuration of your systems: if the gap is visible within five minutes, the fine follows.
How Luxgap automates this risk
Our Luxgap Default Settings Auditor makes it impossible to have a gap between your Privacy by Design policy and the technical reality of your systems. The tool connects in read-only mode to your Microsoft 365, Salesforce, HubSpot, Workday, Google Workspace, Odoo and Active Directory to continuously compare your real settings against the 180 critical parameters identified by EDPB guidelines 4/2019, and triggers an instant Teams alert as soon as an administrator change weakens the default protection level.
- Scans default configurations of your SaaS in real time and detects every parameter exposing data beyond strict necessity (profile visibility, external sharing, unlimited retention).
- Automatically maps the fields of every public form on your websites via a lightweight JS snippet and flags mandatory fields without documented purpose justification.
- Evaluates effective pseudonymisation of your pre-production environments by comparing sample hashes with the production database, without ever exporting data.
- Computes a by-design score per processing activity, aligned with the EDPB methodology, which can be relied on before the CNPD as an article 5(2) accountability element.
- Produces a timestamped, cryptographically sealed PDF report demonstrating, configuration by configuration, effective compliance with article 25(1) and 25(2).
- Alerts the DPO and CISO as soon as an administrator switches a parameter to a more permissive configuration, with a full audit log of drifts.
Available as a complement to a Luxgap DPO or CISO mandate, or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real scope, with a free 48-hour blind audit to measure the gap between your declared policy and the effective configuration of your systems.