GRCWatch
Sign inStart free trial

GDPR A25-02: Data Protection by Default

Data Protection by Default (GDPR A25-02) requires organizations to embed privacy into systems and processes from the ground up. This means collecting only necessary personal data, limiting processing scope, and minimizing storage periods by design—not as an afterthought. For SMBs managing compliance across multiple systems, this control is critical to reducing your regulatory exposure and building customer trust.

What this means

This control mandates that your organization implement technical and organisational measures ensuring minimal personal data processing by default. Specifically, you must: limit data collection to what is strictly necessary for each processing purpose; restrict the extent and duration of processing activities; control data accessibility to authorized personnel only; and apply these principles across your entire data lifecycle. The focus is on 'privacy by design'—making data minimization the default rather than an opt-in practice.

How to comply

  1. 1.Map all data processing activities and identify which personal data elements are truly necessary for each specific purpose
  2. 2.Configure systems and applications to collect only required data fields; disable collection of optional or 'nice-to-have' personal data
  3. 3.Set automated data retention schedules aligned with processing purposes; delete or anonymize data when no longer needed
  4. 4.Implement access controls limiting personal data visibility to roles and individuals who genuinely need it
  5. 5.Document your data minimization approach in a Data Protection Impact Assessment (DPIA) and processing records
  6. 6.Review and test technical measures (encryption, pseudonymization, access logs) at least annually

Evidence auditors look for

  • Data retention policies specifying deletion timelines for each data category
  • Application configuration screenshots showing disabled optional data collection fields
  • Access control matrices limiting personal data visibility by job function
  • DPIA documentation demonstrating necessity and proportionality of data processing
  • Database schemas and API configurations enforcing data minimization rules
  • Automated data purge logs and anonymization records
  • Privacy impact assessments for new systems or processing activities

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data retention policy enforcement and access control auditing, helping you identify over-collected or unnecessary personal data across your systems without manual spreadsheet tracking.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A32 — Security of processingGDPR A5 — Principles relating to processing of personal data (lawfulness, fairness, transparency)GDPR A17 — Right to erasure