The principle of Privacy by Default or the principle of data protection by default is set out in Article 25 of the GDPR.
It means that the organisation must implement by default the highest parameters to protect the privacy of individuals.
For example, only data that is strictly necessary for each specific purpose of processing is processed, or a short retention period and access limited to a need-to-know basis.
This means that the data controller must guarantee, by default, the highest level of protection by systematically implementing security measures when processing personal data.