8.4 Privacy by design and privacy by default

Clause 8.4 requires organisations to embed privacy considerations into the design and architecture of information systems and business processes, ensuring that appropriate technical and organisational safeguards are built in from the outset. It also mandates that default settings limit the collection, use, retention and disclosure of personal data to the minimum necessary for the intended purpose, thereby operationalising the principles of privacy-by-design and privacy-by-default.