Privacy by Design and Privacy by Default in the PDP Law and ISO/IEC 27001: Proactive Strategies for Personal Data Protection
Privacy by Design and Privacy by Default have become two crucial concepts in the realm of personal data protection in the digital era. Both serve as proactive approaches that ensure user privacy is embedded from the outset of system and process design within organizations.
Regulations and Standards: PDP Law and ISO as the Foundation of Compliance
In Indonesia, Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP) is the primary legal framework that comprehensively governs the management of personal data. Complementing this regulation are international standards such as ISO/IEC 27001 and ISO/IEC 27701, which provide frameworks to help organizations ensure their data management systems align with information security principles and regulatory compliance.
As the volume of personal data processed and stored by organizations continues to grow, threats to privacy have also intensified. Systematic approaches such as Privacy by Design and Privacy by Default have therefore become increasingly relevant and critical.
What Are Privacy by Design and Privacy by Default?
Privacy by Design is an approach that requires personal data protection to be an integral part of system and organizational process design from the initial planning phase. Privacy is not treated as an add-on feature but as a core principle embedded in the development of products, services, and technology infrastructure.
Privacy by Default emphasizes that systems or services should be configured by default to collect and process only the personal data that is strictly necessary, used for legitimate purposes, and based on the explicit consent of the data subject. This aligns with the principles of data minimization and individual control over personal information.
Connection with the PDP Law
Privacy by Design under the PDP Law
This principle supports the implementation of the PDP Law by encouraging organizations to integrate personal data protection during the early design stages of systems, processes, and policies. It ensures data is collected only for legitimate purposes and that appropriate security measures are built in from the beginning to prevent misuse.
Privacy by Default under the PDP Law
Fully aligned with the PDP Law, this principle mandates that systems and services be configured by default to minimize the collection and processing of personal data. It requires organizations to gather only necessary data, with processing based on valid and explicit consent. This reinforces data minimization and strengthens individual control.
Privacy by Design & Default in ISO/IEC 27001
ISO/IEC 27001 is the international standard that outlines requirements for establishing an Information Security Management System (ISMS). It not only focuses on general information protection but also provides a structured and systematic guide for safeguarding personal data—including risk management, access controls, and physical and technical security. As such, ISO/IEC 27001 offers a comprehensive framework for maintaining the confidentiality, integrity, and availability of information.
Privacy by Design
Within the ISO/IEC 27001 framework, Privacy by Design is implemented through security policies and controls that proactively embed data protection into the design of systems and processes. It ensures that all systems, procedures, and technologies adopted by the organization include personal data protection as an integral security measure.
Privacy by Default
ISO/IEC 27001 also promotes Privacy by Default by ensuring systems and processes are configured to minimize the collection and use of personal data. Organizations are required to implement strict access controls, process only what is necessary, and limit processing scope to lawful and proportionate purposes. This supports data minimization and the protection of data subjects’ rights.
The Role of ISO/IEC 27701 in Enhancing Data Privacy
ISO/IEC 27701 is an extension of ISO/IEC 27001, specifically focused on Privacy Information Management Systems (PIMS). It provides additional guidance for managing and protecting personal data effectively, whether the organization functions as a data controller or processor.
This standard expands ISO/IEC 27001 by including privacy-specific elements, making it a vital tool for organizations aiming to develop a holistic and compliant information security management system.
Privacy by Design
ISO/IEC 27701 requires organizations to integrate privacy policies into their design and operations, ensuring personal data protection is built into every aspect of information management systems. This fully aligns with the Privacy by Design concept.
Privacy by Default
ISO/IEC 27701 also reinforces Privacy by Default by requiring system configurations that ensure only necessary data is collected and processed. This helps organizations comply with strict data protection standards and reduce privacy breach risks.
Why Your Organization Needs an ISO/IEC 27001 Consultant
Implementing ISO/IEC 27001 and ISO/IEC 27701 is a strategic move for organizations seeking to secure personal data and protect sensitive information. However, applying these standards can be challenging—especially for organizations lacking experience, resources, or in-house expertise.
This is where the role of an ISO/IEC 27001 consultant becomes essential. An experienced consultant can help organizations:
- Develop policies and procedures aligned with international standards
- Identify and manage risks related to personal and sensitive data
- Ensure compliance with the PDP Law and global privacy requirements
- Conduct internal audits to validate the effectiveness of the ISMS
Conclusion: Building Trust Through Privacy
Privacy by Design and Privacy by Default are foundational principles every organization should apply in protecting personal data and ensuring user privacy. These principles are highly aligned with Indonesia’s PDP Law, as well as international standards such as ISO/IEC 27001 and ISO/IEC 27701, offering a unified guide for systematic, secure, and compliant data management.
For organizations looking to implement these standards, working with an ISO/IEC 27001 consultant is a strategic decision. A consultant ensures that your ISMS complies with technical requirements and integrates privacy principles comprehensively and sustainably.
By adopting Privacy by Design and Privacy by Default, your organization can:
- Build trust with customers and business partners
- Reduce the risk of data breaches and reputational harm
- Ensure compliance with national and international data protection laws
Need help preparing your Personal Data Protection framework for the digital era?
Contact Robere & Associates (Indonesia) via WhatsApp at 0811-9555-476 and build a governance system that is adaptive, sustainable, and regulation-compliant.