
Privacy by Design & by Default: How Companies Address UU PDP & ISO 27001

March 24, 2026 / Published by: Admin

Many companies still place data protection as a final stage, carried out after the system is running or when a compliance audit is approaching.

This pattern often appears in patchwork implementations: simply adding consent banners, updating privacy policies, or applying security patches after an incident has occurred.

The problem is that all these approaches are reactive, not built as part of a system designed from the outset with data protection in mind. As a result, the controls implemented tend to be partial, unintegrated, and often only address the surface level.

At this stage, organizations become exposed to regulatory sanctions: fines under the Personal Data Protection Law (UU PDP), reputational damage from data breaches, and the loss of customer trust.

The Privacy by Design and Privacy by Default approaches exist to turn this pattern from curative into preventive. By applying these principles, your organization commits to protecting data from the moment a system or project is created, not as a patch at the end.

What is Privacy by Design & Privacy by Default?

Privacy by Design is a concept where personal data protection is considered and built in from the early stages of designing a system, application, or business process, not added after issues arise.

Meanwhile, Privacy by Default ensures that the default settings of a system or service already provide the highest level of privacy protection for users, without requiring them to manually change configurations.

In practice, Privacy by Design is applied during system architecture design, application development, and business process design. For example, when an engineering team designs a new feature, data protection requirements are included as part of the requirements, not added at the end.

Privacy by Default, on the other hand, is reflected in system configurations that automatically limit data collection, usage, and access. For instance, an application only collects the minimum necessary data, and data-sharing features are disabled by default.

This approach transforms how organizations view privacy—from merely a compliance obligation into an integral part of product and service design.

Differences Between Privacy by Design & Privacy by Default

The main difference lies in the stage of implementation and the focus of control. Privacy by Design focuses on the design and development phase, while Privacy by Default focuses on operational configuration when the system is in use.

Privacy by Design operates at both strategic and technical levels from the outset, covering how data is collected, stored, processed, and deleted.

In its implementation, organizations usually integrate this principle into the Software Development Life Cycle (SDLC), including security and privacy requirements at the design stage.

By contrast, Privacy by Default works at the level of systems already in operation. Its focus is ensuring that, without any additional user action, the system is already in the safest state for data protection.

Examples of implementation in organizations:

  • In Privacy by Design, a product team decides not to store the full ID card number, but only a partial value (for example the last four digits) or a keyed hash (HMAC). A plain, unkeyed hash of a short identifier such as an ID number can be reversed by brute force, so it does not by itself count as protection.
  • In Privacy by Default, the system automatically hides user profile information from the public unless the user actively changes the settings.

Both complement each other: Design ensures the system is built correctly, Default ensures the system is used safely.

Relationship Between Privacy by Design & Privacy by Default in the PDP Law

Privacy by Design and Privacy by Default align with the data protection principles of Indonesia’s Personal Data Protection Law (Law No. 27 of 2022, UU PDP), which emphasizes responsible data control from the start of processing.

Although UU PDP does not use these terms, their principles are clearly reflected in the obligations of Personal Data Controllers. For example, Article 35 of UU PDP requires Personal Data Controllers to “protect and ensure the security of Personal Data under their control.”

Furthermore, Article 24 paragraphs (1) and (2) state that Personal Data Controllers are obliged to carry out the processing of Personal Data “in a limited and specific manner, lawfully and transparently, and in accordance with the purpose of processing”.

These articles form the legal foundation for Privacy by Design & Privacy by Default in Indonesia.

In practical compliance terms, this means:

  • The obligation to limit processing requires you to design systems so as not to collect data beyond what is necessary (Privacy by Design).
  • The obligation for explicit consent means default settings must not assume user consent for additional processing (Privacy by Default).

If systems are not designed with these principles from the start, companies will face great difficulty in fulfilling both obligations. In other words, without Privacy by Design and Default, compliance with the PDP Law becomes expensive, complex, and at high risk of failure.

Privacy by Design & Privacy by Default in Other Data Regulations

Privacy by Design and Privacy by Default are not new concepts introduced only by the PDP Law. They have become global standards in data protection, especially since being formally adopted in the European Union’s General Data Protection Regulation (GDPR), particularly in Article 25.

In the context of ISO/IEC 27001:2022, although the standard addresses information security in general, Privacy by Design and by Default map onto several Annex A controls:

  • Control A.8.10 (Information deletion) pushes organizations to think about the data lifecycle, including when data must go, from the start, which is the core of Privacy by Design.
  • Control A.5.1 (Policies for information security) requires data protection to be integrated into policy, not treated as a separate procedure.
  • Control A.5.34 (Privacy and protection of PII) requires the organization to identify and meet the privacy and PII protection requirements that apply to it under law, regulation and contract; in practice that is only achievable if privacy requirements enter system design rather than being retrofitted.

The consistency of this principle across regulations makes life easier for companies operating in several jurisdictions: the work you do to comply with the PDP Law goes a long way toward satisfying ISO 27001 and aligns with the spirit of GDPR Article 25.

Thus, you don’t need a different approach for each regulation; just build the right foundation, and compliance with various frameworks will follow.

Principles of Privacy by Design & Privacy by Default

The main principles of Privacy by Design and Privacy by Default focus on data minimization, usage control, security, and accountability.

1. Data Minimization

Data minimization means systems only collect data that is strictly necessary. In practice, this requires product teams to remove irrelevant fields from forms or avoid collecting sensitive data unless there is a clear business need.

Example: a fintech application only requests data required for verification, not full identity information.

2. Purpose Limitation

Purpose limitation means data collected for one purpose must not be used for another purpose without new consent. In practice that means separating databases, or at least tagging each data element with the purpose for which it was collected, so that the system can check the purpose of every access.

Do not mix data collected for core services with marketing data in the same table without strict access controls.

Example: email data collected for transactions is not automatically used for marketing without additional consent.

3. Security by Default

Security by Default means systems must be secure in their initial configuration. This includes encryption of data at rest and in transit, multi-factor authentication for internal access, and activity logging enabled by default.

In one financial services company, “secure by default” meant every new database instance was automatically encrypted, with no option to create an unencrypted instance.

Example: access to production databases is granted only through role-based access control (RBAC), not direct access.

4. Accountability

Accountability means organizations must be able to demonstrate that they protect data. This is typically implemented through audit trails, policy documentation, and activity monitoring.

Documentation is not just a formality, but a proof that design decisions were made with privacy considerations. Keep records explaining why certain features were designed in specific ways, why certain data was collected, and who approved those decisions.

In audits against the PDP Law or ISO 27001, this accountability principle is often what separates organizations that are merely compliant from those that are truly mature.

Example: every access to sensitive data is recorded and traceable in audit logs.
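The three controls above (data minimization in section 1, purpose limitation in section 2, and the audit trail in section 4) can be enforced in one place: the data access layer. The following Python is added here to illustrate that; it is not code from the original article or from Adaptist Consulting. The purpose registry, the subject and service names, and the consent flow are constructed assumptions for the example, not a description of any real system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Registry of which fields each processing purpose may touch. Constructed for
# this example; in practice it is derived from the organisation's data inventory.
PURPOSE_FIELDS = {
    "identity_verification": {"full_name", "date_of_birth", "id_number_last4"},
    "transaction": {"email", "account_id"},
    "marketing": {"email"},
}


@dataclass(frozen=True)
class AuditEvent:
    at: str
    actor: str
    action: str
    subject_id: str
    purpose: str
    fields: tuple
    outcome: str


class PurposeBoundStore:
    """Personal data store enforcing minimisation, purpose limitation and audit logging."""

    def __init__(self):
        self._records = {}   # subject_id -> {field: value}
        self._consents = {}  # subject_id -> set of purposes the subject consented to
        self.audit_log = []  # every collect/read attempt, allowed or denied

    def _audit(self, actor, action, subject_id, purpose, fields, outcome):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action,
            subject_id, purpose, tuple(sorted(fields)), outcome))

    def grant_consent(self, subject_id, purpose):
        self._consents.setdefault(subject_id, set()).add(purpose)

    def _check(self, subject_id, purpose, fields):
        """Return a denial reason, or None if the operation is permitted."""
        if purpose not in PURPOSE_FIELDS:
            return f"unknown purpose {purpose!r}"
        if purpose not in self._consents.get(subject_id, set()):
            return f"no consent for purpose {purpose!r}"
        undeclared = set(fields) - PURPOSE_FIELDS[purpose]
        if undeclared:
            return f"fields not declared for {purpose!r}: {sorted(undeclared)}"
        return None

    def collect(self, actor, subject_id, purpose, data):
        """Store fields only if each one is declared for the stated purpose (minimisation)."""
        reason = self._check(subject_id, purpose, data)
        if reason:
            self._audit(actor, "collect", subject_id, purpose, data, "denied: " + reason)
            raise PermissionError(reason)
        self._records.setdefault(subject_id, {}).update(data)
        self._audit(actor, "collect", subject_id, purpose, data, "ok")

    def read(self, actor, subject_id, purpose, fields):
        """Release fields only under a purpose the subject consented to (purpose limitation)."""
        reason = self._check(subject_id, purpose, fields)
        if reason:
            self._audit(actor, "read", subject_id, purpose, fields, "denied: " + reason)
            raise PermissionError(reason)
        record = self._records.get(subject_id, {})
        self._audit(actor, "read", subject_id, purpose, fields, "ok")
        return {f: record[f] for f in fields if f in record}


def demo():
    """Walk through the three controls with a constructed subject; returns the outcomes."""
    store = PurposeBoundStore()
    subject = "u-1001"  # constructed subject id
    store.grant_consent(subject, "transaction")
    store.collect("checkout-svc", subject, "transaction",
                  {"email": "a@example.com", "account_id": "acc-42"})
    outcomes = {}
    # Purpose limitation: the email exists, but marketing has no consent yet.
    try:
        store.read("campaign-svc", subject, "marketing", ["email"])
        outcomes["marketing_before_consent"] = "allowed"
    except PermissionError:
        outcomes["marketing_before_consent"] = "denied"
    store.grant_consent(subject, "marketing")
    outcomes["marketing_after_consent"] = store.read("campaign-svc", subject, "marketing", ["email"])
    # Data minimisation: the full ID number is not declared for verification, only the last four digits.
    store.grant_consent(subject, "identity_verification")
    try:
        store.collect("kyc-svc", subject, "identity_verification",
                      {"full_name": "A. Example", "id_number": "3171000000000001"})
        outcomes["full_id_collect"] = "allowed"
    except PermissionError:
        outcomes["full_id_collect"] = "denied"
    # Accountability: every attempt above, allowed or denied, is in the audit log.
    outcomes["audit_events"] = len(store.audit_log)
    outcomes["denied_events"] = sum(e.outcome.startswith("denied") for e in store.audit_log)
    return outcomes
```

The point of the design is that the check runs on every access, not only on collection: the email is physically present, but a read for "marketing" is refused until a marketing consent is recorded, and both the refusal and the later success land in the audit log with actor, purpose and fields.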

How to Implement Privacy by Design & Privacy by Default

The implementation of Privacy by Design and Privacy by Default must start from the design and governance stage, not entirely handed over to technical teams without direction. Here are concrete steps taken within organizations:

1. Integrate into SDLC

Privacy by Design must be part of requirement documents, not a checklist at the end. When defining new features, include mandatory questions:

  • What personal data will this feature process?
  • Can the feature work with less data?
  • How long should the data be retained?

In mature organizations, product managers must complete a Data Protection Impact Assessment (DPIA) before development begins, not after release.

2. Apply Access Control & IAM

Privacy by Default at the access level means employees only have access to data that is truly necessary for their work. In practice, this means:

  • No default access to the entire database for the engineering team.
  • Each special access request must go through manager and compliance officer approval.
  • Periodic access reviews every 3-6 months to ensure there are no accounts that are still active but no longer relevant.
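An access review of the kind described in the three points above can be scripted against an IAM grant export and the HR roster rather than done by hand. The Python below is an added example, not the article's own tooling; the grant list, roster, role baseline, approved exceptions, review date and 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Review date for this example (constructed; use date.today() in production).
REVIEW_DATE = date(2026, 3, 24)

# Constructed sample inputs: an IAM grant export and an HR roster.
GRANTS = [
    {"user": "rina", "resource": "db/customers", "privilege": "SELECT", "last_used": "2026-03-10"},
    {"user": "rina", "resource": "db/*", "privilege": "ALL", "last_used": "2025-11-02"},
    {"user": "budi", "resource": "db/payments", "privilege": "SELECT", "last_used": "2025-09-01"},
    {"user": "contractor-7", "resource": "db/customers", "privilege": "SELECT", "last_used": "2026-03-01"},
    {"user": "svc-report", "resource": "db/customers", "privilege": "SELECT", "last_used": None},
]
ROSTER = {
    "rina": {"status": "active", "role": "engineer"},
    "budi": {"status": "active", "role": "engineer"},
    "contractor-7": {"status": "terminated", "role": "contractor"},
    "svc-report": {"status": "active", "role": "service-account"},
}
# Privileges each role may hold by default; anything broader needs an approved exception.
ROLE_BASELINE = {"engineer": {"SELECT"}, "contractor": {"SELECT"}, "service-account": {"SELECT"}}
# Approved exceptions (manager + compliance sign-off), keyed by grant, with an expiry date.
EXCEPTIONS = {("rina", "db/*", "ALL"): "2026-01-31"}


def is_broad(grant):
    """A grant is 'broad' if it covers every object or carries all privileges."""
    return grant["resource"].endswith("/*") or grant["privilege"] == "ALL"


def review_access(grants, roster, baseline, exceptions, today, stale_days=90):
    """Return (user, resource, finding) tuples for grants that should be revoked or re-approved."""
    findings = []
    for g in grants:
        user, resource = g["user"], g["resource"]
        key = (user, resource, g["privilege"])
        person = roster.get(user)
        # Leavers and accounts with no HR record lose everything; no further checks needed.
        if person is None or person["status"] != "active":
            findings.append((user, resource, "leaver_or_unknown_account"))
            continue
        if is_broad(g):
            expiry = exceptions.get(key)
            if expiry is None:
                findings.append((user, resource, "broad_grant_without_exception"))
            elif date.fromisoformat(expiry) < today:
                findings.append((user, resource, "exception_expired"))
        elif g["privilege"] not in baseline.get(person["role"], set()):
            findings.append((user, resource, "privilege_outside_role"))
        # Dormant access is removed regardless of whether it was approved.
        if g["last_used"] is None:
            findings.append((user, resource, "never_used"))
        elif (today - date.fromisoformat(g["last_used"])).days > stale_days:
            findings.append((user, resource, "stale"))
    return findings


if __name__ == "__main__":
    for user, resource, finding in review_access(GRANTS, ROSTER, ROLE_BASELINE, EXCEPTIONS, REVIEW_DATE):
        print(f"{user:14} {resource:14} {finding}")
```

Run on the sample data, the review flags the terminated contractor, the expired blanket exception on `db/*`, two grants unused for more than 90 days, and a service account that has never used its access; the unremarkable engineer grant produces no finding. Joining the grant export to the HR roster is what catches leavers, which a review of the IAM system alone cannot do.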

3. Conduct Data Mapping & Classification

Organizations need to know what data they have, where it is stored, and how it is used. Without data mapping, privacy implementation is merely based on assumptions.

Data mapping is also an ongoing process. That means, whenever there is a new system or new integration, the data mapping must be updated. Create a clear data inventory using discovery tools, or create one through a simple spreadsheet that records:

  • Types of data collected
  • Purpose of collection
  • Storage location
  • Third parties receiving the data
  • Retention period
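A data inventory with the five columns above can be kept as structured data and checked by a script, and the same inventory can drive the automatic retention limits that Privacy by Default calls for in step 5 below. The Python below is an added example, not the article's own tooling; the datasets, storage locations, third parties, retention periods and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review date for this example (constructed; use date.today() in production).
REVIEW_DATE = date(2026, 3, 24)


@dataclass(frozen=True)
class InventoryEntry:
    dataset: str
    data_types: tuple        # what is collected
    purpose: str             # why it is collected
    storage: str             # where it lives
    third_parties: tuple     # who outside the organisation receives it
    retention_days: int      # how long it is kept (0 = no limit defined)
    sensitive: bool = False  # health, biometric, financial or children's data


# Constructed inventory; names, systems and periods are examples only.
INVENTORY = [
    InventoryEntry("crm_contacts", ("full_name", "email", "phone"), "customer_service",
                   "postgres://crm-prod", ("email-delivery-vendor",), 730),
    InventoryEntry("kyc_documents", ("id_number", "selfie"), "identity_verification",
                   "s3://kyc-archive", (), 1825, sensitive=True),
    InventoryEntry("web_analytics", ("ip_address", "device_id"), "",
                   "analytics-saas", ("analytics-saas",), 0),
    InventoryEntry("health_claims", ("diagnosis",), "insurance_claim",
                   "mysql://claims", ("reinsurer",), 3650, sensitive=True),
]

# Constructed records from the crm_contacts dataset.
SAMPLE_CRM_RECORDS = [
    {"id": "c-1", "collected_at": "2023-12-01"},
    {"id": "c-2", "collected_at": "2024-03-24"},
    {"id": "c-3", "collected_at": "2026-01-15"},
]


def validate(inventory):
    """Flag entries that, as recorded, cannot support the PDP Law obligations."""
    issues = []
    for e in inventory:
        if e.retention_days <= 0:
            issues.append((e.dataset, "no retention limit"))
        if e.sensitive and e.third_parties:
            issues.append((e.dataset, "sensitive data shared with third parties: needs PIA"))
        if not e.purpose:
            issues.append((e.dataset, "no purpose recorded"))
    return issues


def locate(inventory, data_type):
    """Answer 'where do we hold X?', e.g. for an access or erasure request."""
    return {e.dataset: e.storage for e in inventory if data_type in e.data_types}


def expired_records(entry, records, today):
    """Ids of records older than the dataset's retention period; feed these to the deletion job."""
    if entry.retention_days <= 0:
        raise ValueError(f"{entry.dataset}: no retention limit defined")
    cutoff = today - timedelta(days=entry.retention_days)
    return [r["id"] for r in records if date.fromisoformat(r["collected_at"]) < cutoff]
```

`validate` is the check to run whenever a new system or integration is added: here it flags the analytics dataset for having neither a purpose nor a retention limit, and the claims dataset for sharing sensitive data externally (a legitimate flow may still pass, but only after a PIA). `expired_records` refuses to run for a dataset without a retention limit rather than silently keeping everything, which is the failure mode the inventory is meant to prevent.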

4. Require Privacy Impact Assessment (PIA)

Not all features require a full PIA, but for projects that process sensitive data (health data, biometrics, financial data, children’s data) or use new technologies (AI, big data analytics), a PIA is a must (the GDPR equivalent is the Data Protection Impact Assessment, DPIA, in Article 35). A practical PIA format includes:

  • Description of data flow
  • Identification of privacy risks
  • Planned mitigation steps
  • Sign-off from the DPO or compliance officer before development begins

5. Configure Secure Defaults

Privacy by Default requires the highest level of data protection from the start, without requiring users to change settings. That means the initial system configuration must ensure that:

  • Data sharing disabled by default
  • Automatic data retention limits
  • Tracking or analytics requires explicit consent

Companies that successfully implement this approach usually have strong collaboration between legal, compliance, IT, and product teams.

Ready to Manage Privacy Compliance as a Business Risk?

See how GRC helps map personal data risks, monitor compliance with the PDP Law, and prepare companies for audits without complicated manual processes.

Conclusion

Privacy by Design and Privacy by Default are not just abstract compliance concepts. They are practical approaches that protect companies from the risk of PDP Law fines, prevent data breaches caused by careless design, and build trust with customers who are increasingly sensitive about privacy.

Organizations that adopt these principles are not only better prepared for the PDP Law and ISO 27001 requirements but also more operationally efficient because they avoid sanctions and costly fixes at the final stage.

Start small: evaluate one business process or one application in development. Apply Privacy by Design questions at the planning stage and observe how early decisions prevent major issues later. That is the essence of effective data protection in the PDP Law era.

FAQ: Privacy by Design & by Default

What is Privacy by Design?

An approach that ensures data protection is implemented from the system design stage, not added afterward.

What is Privacy by Default?

A system configuration approach that automatically limits data collection, use, and access without requiring user action.

What is the main difference?

Privacy by Design focuses on system design, while Privacy by Default focuses on secure default configurations.

Is Privacy by Design mandatory under the PDP Law?

Not explicitly stated, but its principles are embedded in data controller obligations.

How to start implementing it?

Begin with SDLC integration, data mapping, role-based access control, and privacy impact assessments.

Profile: Adaptist Consulting

Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.
