What is privacy by design + by default? (GDPR Art. 25)

Privacy by design + by default (GDPR Art. 25) is not optional "nice to have" — it is a legal obligation with fines (Art. 83(4), up to €10m / 2%). Concept from the 1990s (Ann Cavoukian) but became hard law in 2018. Two parts: (1) Privacy by Design (DPbD): privacy as design requirement in every new product, service, process. Not "we'll add privacy" as last sprint, but built in from user research + architecture. Concrete requirements: data minimisation, pseudonymisation, encryption at rest + in transit, audit logs, scope control. (2) Privacy by Default: most privacy-friendly settings active up front. No "everything off by default" + expecting user to tick — the other way. E.g. social media profile = private by default, not public. Location = off by default, not on. Analytics = off by default until consent. Practical examples: WhatsApp E2E encryption by default (positive), Facebook public profiles 2007 (negative — led to AP investigations). For businesses: DPIA + privacy review mandatory part of product development sprints. For consumers: if a service asks you to turn on privacy settings = signal the business is NOT complying with Art. 25 → AP complaint.