What Data Protection by Design and Default Means for AdTech and MarTech Platforms

The EU's General Data Protection Regulation (GDPR) introduced a range of new obligations for AdTech and MarTech companies — the controllers and processors of personal data under the regulation's framework. Among those obligations, data protection by design and default stands out as a structural requirement: it compels privacy and data-protection thinking to begin at the earliest stage of software design, not as an afterthought once a product ships.

This article unpacks what that obligation actually means, how it differs from the closely related concept of privacy by design, and what practical steps platforms need to take to comply.

What Is Data Protection by Design and Default?

Data protection by design is a concept codified in Article 25 of the GDPR. The regulation doesn't offer a dictionary-style definition, but the concept promotes two core ideas: building privacy and data-protection considerations into the design phase of a system or process, and processing only the personal data that is strictly necessary for a defined purpose.

Data Protection by Design and Default vs. Privacy by Design and Default

GDPR commentary frequently references both data protection by design and privacy by design, and the terms are often used interchangeably. They are closely related, but they are not identical.

Data Protection by Design and Default

Data protection by design and default is centred on personal data. It is a relatively recent term, appearing specifically in the context of the GDPR. Its focus is on how data is processed — requiring that systems and processes (including advertising and marketing campaigns) be built with deliberate data-protection measures from the earliest design stages.

"By default" means that only the personal data absolutely necessary for a specific purpose should be processed. A practical illustration: the history of web searches entered into a search engine isn't stored by the engine by default — that is data protection by default in action.

Beyond the question of what is collected, the amount of data gathered, the scope of its processing, and the period of storage and accessibility must all be kept to the minimum that a specific purpose requires. This is known as data minimization.

Two concrete examples of how these concepts apply in practice, per the EU Commission:

  • Pseudonymisation — replacing all personally identifiable information with automatically generated identifiers and encryption, satisfying the requirements of data protection by design.
  • Privacy-friendly default settings in a social media platform — ensuring the platform's defaults minimize the number of people who can access a user's data, satisfying the requirements of data protection by default.

Privacy by Design and Default

Privacy by design and default takes the concept a step further: it implies that tools and policies are architected such that no personal data needs to be protected in the first place, because none is processed at all.

Classic examples are systems that function without requiring personal identifiers:

  • DHCP — IP addresses are assigned by the server, allowing users to communicate without personal identifiers.
  • RFID — devices communicate via radiofrequency without revealing personal information.
  • GPS — users benefit from the system without disclosing their location or personal data.

The key distinction is that privacy by design avoids the processing of personal data altogether, whereas data protection by design acknowledges that personal data will be processed and focuses on protecting it rigorously. For the remainder of this article, the focus is on data protection by design and default, as this is the term and obligation that appears in the GDPR's framework and carries direct legal weight for AdTech and MarTech platforms. (Notably, the text of the regulation does not use the phrase privacy by design even once.)

Aligning AdTech and MarTech Platforms With Data Protection by Design and Default

Any company collecting marketing data from users — for an online contest, a loyalty programme, behavioural targeting, or any other purpose — is required to assess whether its data-processing methods and data-protection measures comply with the GDPR. This applies equally to data processors and data controllers.

Complying With Data Protection by Design

Compliance means that data processors and controllers are accountable for embedding data-protection procedures into the design of their systems and processes from the outset. This obligation applies across a range of activities:

  • Development of systems that store or access personal data
  • Creation of policies involving data processing
  • Data-sharing initiatives
  • Using data for new purposes

Practical compliance steps typically include:

  • Using a privacy-impact assessment (PIA) template whenever a business designs, procures, or implements a new system, so privacy risks are evaluated before deployment.
  • Revising standard contracts with data processors to clarify the distribution of liabilities related to data protection by design and privacy by default requirements.
  • Revisiting data-collection forms and web pages to identify and eliminate the collection of data that isn't strictly necessary.
  • Implementing automated deletion processes for personal data, along with technical measures that flag records for deletion after a defined retention period.

Complying With Data Protection by Default

For AdTech and MarTech platforms specifically, data protection by default demands careful scrutiny of every data point collected. The right questions to ask during platform evaluation are:

  • Do all data points genuinely need to be collected?
  • Which portions of the data can be pseudonymized and encrypted?
  • How soon can data be deleted (data retention) while still ensuring the platform remains functional and useful?
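The three questions above, together with the automated-deletion step listed under data protection by design, can be enforced at the ingestion boundary. The sketch below is an added example, not code from any platform the article describes; the purposes, field names, retention periods and key are assumptions chosen for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed policy: per purpose, the fields that may be kept and for how long.
POLICY = {
    "frequency_capping": {"fields": {"campaign_id", "country"},
                          "retention": timedelta(days=30)},
    "contest_entry": {"fields": {"campaign_id", "country", "age_band"},
                      "retention": timedelta(days=90)},
}
DIRECT_IDENTIFIERS = ("email", "device_id")  # replaced by a pseudonym, never stored raw


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256: the mapping cannot be rebuilt by guessing inputs without the key."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(event: dict, purpose: str, key: bytes) -> dict:
    """Keep allow-listed fields only, pseudonymise the identifier, stamp a deletion date."""
    rule = POLICY[purpose]  # an undeclared purpose raises KeyError: nothing is stored
    source_id = next(event[f] for f in DIRECT_IDENTIFIERS if event.get(f))
    collected = datetime.fromisoformat(event["collected_at"])
    record = {k: v for k, v in event.items() if k in rule["fields"]}
    record.update(
        subject=pseudonym(key, source_id),
        purpose=purpose,
        delete_after=(collected + rule["retention"]).isoformat(),
    )
    return record


def due_for_deletion(records: list, now: datetime) -> list:
    """Return the records whose retention period has elapsed."""
    return [r for r in records if datetime.fromisoformat(r["delete_after"]) <= now]


# Constructed sample event, as a collection form might submit it.
SAMPLE_EVENT = {
    "email": " Alice@Example.com ", "ip": "203.0.113.7", "campaign_id": "c-42",
    "country": "DE", "age_band": "25-34", "birth_date": "1995-02-01",
    "collected_at": "2024-01-10T12:00:00+00:00",
}
DEMO_KEY = b"demo-key-load-from-a-secrets-manager"  # placeholder, not a real key

if __name__ == "__main__":
    rec = minimise(SAMPLE_EVENT, "frequency_capping", DEMO_KEY)
    print(rec)
    print(due_for_deletion([rec], datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

Pseudonymised records remain personal data under the GDPR, so the HMAC key belongs in a separate store from the records it protects.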

This is a direct reversal of the pre-GDPR approach that was common across the industry. In practice, many companies collected every data point they could access and stored it indefinitely, with little consideration of whether doing so was necessary or appropriate. That approach is no longer lawful. GDPR obliges data processors and controllers to rethink data collection from first principles — reconsidering which data points are genuinely necessary and what the appropriate retention period is for each.

One practical upside: less data stored means reduced infrastructure costs, which can partially offset the investment in compliance work.

Benefits of a Data-Protection-by-Design Approach

Adopting data protection by design delivers value beyond regulatory compliance:

  • Minimized risk and increased user trust — reduced exposure to data breaches and a stronger trust relationship with users.
  • Lower infrastructure costs — storing less data has direct cost implications for storage and processing.
  • Earlier identification of problems — data-processing issues caught at the design stage are significantly less expensive to fix than those discovered after a system is built and deployed.
  • Broader organizational awareness — embedding privacy thinking into design processes raises awareness of data-protection responsibilities across teams.
  • Higher likelihood of meeting legal obligations — including GDPR and any future data-protection legislation that builds on its framework.
  • Reduced privacy-intrusive outcomes — actions are less likely to have a negative impact on the individuals whose data is being processed.

Practical Takeaway

The principles of data protection by design and default may seem like obvious good practice, and in many respects they are. The GDPR's contribution is to formalize those practices, promote them across the industry, and provide legal grounds for enforcing them.

Many companies continue to treat personal data carelessly, even though virtually every online service or vendor processes it in some form. The regulation creates a universal obligation where previously there was only guidance.

Privacy and data protection by design is no longer an internal policy choice — it is a legal requirement. Non-compliance carries penalties of up to EUR 10,000,000 or 2% of total annual worldwide turnover from the preceding financial year, whichever is higher. For AdTech and MarTech platforms operating at scale, that exposure makes early, deliberate compliance the rational path.