Privacy by Design Review
Learn to identify six common violations: excessive data collection, undefined retention periods, invalid consent mechanisms, overly broad access permissions, missing pseudonymization, and absent user rights. Understand why privacy must be built in during the design phase, not bolted on afterward. Fines can reach 4% of global annual turnover.
What You'll Learn
- Recognize common cybersecurity threats
- Respond appropriately to security incidents
- Protect sensitive information
- Follow security best practices
- Report suspicious activities
Training Steps
- Introduction
You are Alice, a Privacy Analyst at InnovateTech Labs. Your role is to review new features for GDPR compliance before they launch. Under Article 25 of GDPR, data protection must be built into systems from the design phase - not bolted on as an afterthought. This principle is called 'Privacy by Design.'
- Feature Review Request
You receive an email from the Product Manager requesting an urgent privacy review. The 'Customer Insights' feature is scheduled to launch next week, but it hasn't been reviewed for GDPR compliance yet. The email contains a link to the feature specification document.
- Accessing the Product Portal
You need to log into the Product Portal to review the feature specification. This portal contains all pending feature reviews and documentation.
- Opening the Feature Spec
The Feature Reviews queue shows one pending review - the Customer Insights feature. You need to open the specification document to assess its privacy compliance.
- Data Collection Issue
The feature specification reveals the first privacy issue: the feature collects GPS location and full device fingerprints. For a customer feedback feature, this data is excessive. GDPR's data minimization principle requires collecting only what is strictly necessary for the stated purpose.
- Retention Problem
The second issue is even more concerning: the specification states that collected data will be 'stored indefinitely for future analysis.' GDPR requires defined retention periods. Data cannot be kept forever without a lawful basis.
- Default Settings Issue
The third issue is a classic dark pattern: 'Share anonymized data with partners' is pre-checked by default. Under GDPR, privacy-protective settings must be the default. Pre-checked consent boxes do not constitute valid consent - users must take affirmative action to opt in.
- Access Control Issue
The final technical issue: the specification grants access to feedback data to 'All Customer Support teams across all regions.' This is far too broad. Under Privacy by Default, data should not be accessible to an indefinite number of people. Access should be limited to those who genuinely need it.
- Additional Technical Issues
You notice two more concerning items in the technical implementation section:
1. The analytics ID is directly linked to user accounts - no pseudonymization
2. There's no mention of user rights: no data export, no deletion capability
These are fundamental GDPR requirements that cannot be retrofitted easily.
- Filing the Privacy Review
You've identified six major privacy issues that must be resolved before launch. Now you need to formally document these findings in a Privacy Impact Assessment form. This official review will be shared with the Product Manager and Engineering team.
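The six findings from the walkthrough can also be expressed as an automated check that runs against a feature spec before launch. The following is an added example, not part of the original training material; the spec field names, the allow-list of necessary fields, the 365-day retention ceiling and the `hmac_pseudonym` marker are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed spec mirroring the six findings; every field name is hypothetical.
SPEC = {
    "purpose": "customer_feedback",
    "fields": ["feedback_text", "rating", "gps_location", "device_fingerprint"],
    "retention_days": None,                     # "stored indefinitely"
    "consent": {"share_with_partners": True},   # default (pre-checked) state
    "access": ["customer_support:*"],           # all teams, all regions
    "analytics_id": "account_id",               # linked directly to the account
    "user_rights": [],                          # no export, no deletion
}
# Assumed allow-list of fields per purpose and assumed retention ceiling.
NEEDED = {"customer_feedback": {"feedback_text", "rating"}}
MAX_RETENTION_DAYS = 365

def pseudonymize(account_id: str, key: bytes) -> str:
    """Keyed hash: stable per user, not reversible without the separately held key."""
    return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()

def review(spec: dict) -> dict:
    """Return {finding: detail} for each privacy-by-design issue found in the spec."""
    out = {}
    excess = sorted(set(spec["fields"]) - NEEDED.get(spec["purpose"], set()))
    if excess:
        out["excessive_collection"] = excess
    days = spec.get("retention_days")
    if days is None or days > MAX_RETENTION_DAYS:
        out["retention_not_bounded"] = days
    prechecked = sorted(k for k, on in spec["consent"].items() if on)
    if prechecked:
        out["prechecked_consent"] = prechecked
    broad = [r for r in spec["access"] if r.endswith("*")]
    if broad:
        out["broad_access"] = broad
    if spec["analytics_id"] != "hmac_pseudonym":
        out["no_pseudonymization"] = spec["analytics_id"]
    missing = sorted({"export", "delete"} - set(spec["user_rights"]))
    if missing:
        out["missing_user_rights"] = missing
    return out

if __name__ == "__main__":
    for finding, detail in review(SPEC).items():
        print(finding, detail)
    print(pseudonymize("user-1001", b"constructed-demo-key"))  # constructed inputs
```

Pseudonymized identifiers remain personal data under GDPR, so the key must be stored apart from the analytics data and the other five checks still apply.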
Knowledge Check Questions
This training includes a 6-question quiz to test your understanding of Security Awareness threats and defenses.
- What does 'Privacy by Design' under GDPR Article 25 require?
- Which of the following violates GDPR's 'Privacy by Default' requirement? (Select all that apply)
- What is the GDPR principle of 'data minimization'?
- Why are pre-checked consent boxes (dark patterns) prohibited under GDPR?
- Which technical measures support Privacy by Design? (Select all that apply)