GDPR fines reached €4.3 billion in 2023 alone. Developers who handle personal data without proper safeguards expose their organizations to massive penalties—up to €20 million or 4% of global revenue. This checklist breaks down the technical and legal requirements you need to implement today.
The General Data Protection Regulation applies to any organization processing personal data of EU residents, regardless of where your company operates. "Personal data" means anything identifying a person: names, email addresses, IP addresses, cookies, location data, even device IDs.
Here's what changed: developers are now accountable. You're not just writing features—you're responsible for implementing privacy by design. That means encryption, access controls, audit logs, and data minimization baked into your architecture from day one.
The shift matters because traditional development workflows—collect everything, sort it out later—no longer pass compliance. You need to know what data you collect, why, where it lives, who can access it, and when it gets deleted.
GDPR rests on six core principles that directly affect your implementation decisions:
You can't collect data secretly. Users must explicitly consent before you process their information. Hidden tracking pixels, pre-checked boxes, and dark patterns violate GDPR. Your code should log what consent was given, when, and what version of the privacy policy the user accepted.
Collect data for a specific purpose. Once you've collected an email for account signup, you can't later use that data for marketing without fresh consent. Your databases should enforce this—tag which purpose each data field serves and restrict queries accordingly.
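The two principles above (explicit, logged consent and purpose limitation) are enforceable in code. The following is an added example, not from the original article: an append-only consent ledger that records what was granted, when, and under which policy version, plus a purpose-aware accessor that refuses to read a field for a purpose the user never agreed to. `ConsentLedger`, `PURPOSE_OF_FIELD`, `readForPurpose` and the sample user are hypothetical names and constructed data.

```javascript
// Added example: consent ledger and purpose-gated field access.
// Names and data are hypothetical; not from the original article.

// Which purposes each stored field may serve. A field without a tag
// cannot be read at all, so untagged data never leaks into a query.
const PURPOSE_OF_FIELD = {
  email: ['account', 'marketing'],
  birthdate: ['age_verification'],
};

class ConsentLedger {
  constructor() {
    this.records = []; // append-only: decisions are never overwritten
  }

  // Record an affirmative choice. Anything that is not an explicit user
  // action (pre-checked boxes, inferred consent) is rejected outright.
  record({ userId, purpose, granted, policyVersion, source, at = new Date() }) {
    if (source !== 'explicit_user_action') {
      throw new Error('consent must come from an explicit user action');
    }
    this.records.push({ userId, purpose, granted, policyVersion, at: new Date(at) });
  }

  // The latest decision wins: a later withdrawal overrides an earlier grant.
  hasConsent(userId, purpose) {
    const latest = this.records
      .filter(r => r.userId === userId && r.purpose === purpose)
      .sort((a, b) => b.at - a.at)[0];
    return Boolean(latest && latest.granted);
  }
}

// Read a field only if the purpose matches the field's tag AND the user
// has consented to that purpose. Returns { ok, value } or { ok, reason }.
function readForPurpose(ledger, user, field, purpose) {
  const allowed = PURPOSE_OF_FIELD[field];
  if (!allowed) return { ok: false, reason: `field ${field} has no purpose tag` };
  if (!allowed.includes(purpose)) {
    return { ok: false, reason: `field ${field} is not collected for ${purpose}` };
  }
  if (!ledger.hasConsent(user.id, purpose)) {
    return { ok: false, reason: `no consent for ${purpose}` };
  }
  return { ok: true, value: user[field] };
}

// Constructed walkthrough: signup consent only, then a marketing opt-in,
// then a withdrawal. Each step is evaluated against the ledger.
function demo() {
  const ledger = new ConsentLedger();
  const user = { id: 'u1', email: 'u1@example.com', birthdate: '1990-01-01' };
  ledger.record({ userId: 'u1', purpose: 'account', granted: true, policyVersion: '2024-05',
    source: 'explicit_user_action', at: new Date('2024-05-01T10:00:00Z') });
  const beforeOptIn = readForPurpose(ledger, user, 'email', 'marketing');
  ledger.record({ userId: 'u1', purpose: 'marketing', granted: true, policyVersion: '2024-05',
    source: 'explicit_user_action', at: new Date('2024-06-01T10:00:00Z') });
  const afterOptIn = readForPurpose(ledger, user, 'email', 'marketing');
  ledger.record({ userId: 'u1', purpose: 'marketing', granted: false, policyVersion: '2024-05',
    source: 'explicit_user_action', at: new Date('2024-07-01T10:00:00Z') });
  const afterWithdrawal = readForPurpose(ledger, user, 'email', 'marketing');
  return {
    account: readForPurpose(ledger, user, 'email', 'account'),
    beforeOptIn,
    afterOptIn,
    afterWithdrawal,
    birthdateForMarketing: readForPurpose(ledger, user, 'birthdate', 'marketing'),
  };
}
```

The ledger is deliberately append-only: a withdrawal is a new record, so you can later prove what the user had agreed to at any point in time, which is exactly what a regulator asks for.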
Store only what's necessary. If you don't need someone's birthdate, don't ask for it. If you collected it three years ago but don't use it now, delete it. Developers often say "we might need this later"—GDPR says that's not enough justification. Your code should delete data on schedule, not accumulate it indefinitely.
Keep personal data up-to-date. If a user changes their email, your system should update it everywhere, not store duplicates. Implement validation on input, clean stale records, and give users tools to correct their own information.
Set expiration dates. Hard-delete old data instead of soft-deleting it. Implement automated retention policies in your database. For example: delete user login logs after 90 days, archive inactive accounts after 2 years, purge password hashes when the user changes their password.
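Data minimization and storage limitation both come down to a retention job that actually runs. Here is an added example, not from the original article, that encodes the sample rules above (login logs after 90 days, inactive accounts after 2 years) and applies them to in-memory records, hard-deleting rather than flagging. `RETENTION_RULES`, `applyRetention`, `hardDelete` and the sample store are hypothetical; it also flags records with no usable timestamp, since those would otherwise accumulate forever.

```javascript
// Added example: retention rules applied as hard deletes and archives.
// Names and data are hypothetical; not from the original article.

const DAY_MS = 24 * 60 * 60 * 1000;

const RETENTION_RULES = [
  { collection: 'login_logs', ageField: 'createdAt', maxAgeDays: 90, action: 'delete' },
  { collection: 'accounts', ageField: 'lastActiveAt', maxAgeDays: 730, action: 'archive' },
];

function isExpired(record, rule, now) {
  const ts = record[rule.ageField];
  if (!(ts instanceof Date) || Number.isNaN(ts.getTime())) {
    // No usable timestamp: the record can never expire, so report it
    // instead of silently keeping it.
    return { expired: false, reason: `missing ${rule.ageField}` };
  }
  const ageDays = Math.floor((now - ts) / DAY_MS);
  return { expired: ageDays > rule.maxAgeDays, ageDays };
}

// Hard delete: the record is removed, not marked with a deleted flag.
function hardDelete(records, ids) {
  const drop = new Set(ids);
  for (let i = records.length - 1; i >= 0; i--) {
    if (drop.has(records[i].id)) records.splice(i, 1);
  }
}

function pushTo(report, collection, id) {
  if (!report[collection]) report[collection] = [];
  report[collection].push(id);
}

// Apply every rule to its collection; return what was deleted, archived,
// and which records could not be evaluated.
function applyRetention(store, now = new Date()) {
  const report = { deleted: {}, archived: {}, unparseable: {} };
  for (const rule of RETENTION_RULES) {
    const records = store[rule.collection] || [];
    const expiredIds = [];
    for (const rec of records) {
      const { expired, reason } = isExpired(rec, rule, now);
      if (reason) pushTo(report.unparseable, rule.collection, rec.id);
      else if (expired) expiredIds.push(rec.id);
    }
    if (rule.action === 'delete') {
      hardDelete(records, expiredIds);
      report.deleted[rule.collection] = expiredIds;
    } else if (rule.action === 'archive') {
      for (const rec of records) {
        if (expiredIds.includes(rec.id)) rec.status = 'archived';
      }
      report.archived[rule.collection] = expiredIds;
    }
  }
  return report;
}

// Constructed sample store, evaluated at a fixed "now" so the result is reproducible.
function demo() {
  const now = new Date('2024-07-01T00:00:00Z');
  const store = {
    login_logs: [
      { id: 'l1', createdAt: new Date('2024-06-20T00:00:00Z') }, // 11 days old: keep
      { id: 'l2', createdAt: new Date('2024-03-01T00:00:00Z') }, // 122 days old: delete
      { id: 'l3', createdAt: undefined },                        // no timestamp: flag
    ],
    accounts: [
      { id: 'a1', lastActiveAt: new Date('2024-06-01T00:00:00Z'), status: 'active' },
      { id: 'a2', lastActiveAt: new Date('2021-01-01T00:00:00Z'), status: 'active' },
    ],
  };
  const report = applyRetention(store, now);
  return { report, remainingLogIds: store.login_logs.map(r => r.id), accounts: store.accounts };
}
```

Run this from a scheduler (cron, a queue worker) and keep the returned report: it is your evidence that retention is enforced, and the `unparseable` list tells you where your own data quality blocks compliance.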
Encrypt at rest and in transit. Use HTTPS, not HTTP. Hash passwords with bcrypt or Argon2. Enable database encryption. Implement role-based access controls so developers can't casually read production user data.
GDPR gives users six specific rights your code must support. These aren't optional features—they're legal requirements.
Users can request all their personal data. You need an API endpoint that exports their complete data profile in a machine-readable format (JSON/CSV). This should include every field across all systems.
```javascript
// Example: Data export endpoint (Node.js)
// Assumes an Express app, an `authenticateUser` middleware that sets req.user,
// and a `db` wrapper exposing the collections used below.
app.get('/api/user/export', authenticateUser, async (req, res) => {
  const userId = req.user.id;
  const userData = await db.user.findById(userId);
  const activityLogs = await db.logs.find({ userId });
  const preferences = await db.preferences.findById(userId);
  // Never include credentials in an export: strip the password hash
  // (field name assumed) before serialising the profile.
  const { passwordHash, ...profile } = userData;
  const exportData = {
    profile,
    activity: activityLogs,
    preferences: preferences,
    exportedAt: new Date().toISOString()
  };
  res.json(exportData);
});
```
Users can demand deletion. You must delete their data within 30 days—across all systems, backups, and third-party integrations. Hard-delete, not soft-delete. This is the most expensive right to implement because backups and caches complicate it.
```javascript
// Right to be forgotten implementation
// Assumes a `db` wrapper, a `cache` client and a `notifyDataProcessor`
// helper that forwards deletion requests to third-party processors.
async function deleteUserData(userId) {
  // 1. Delete from primary database (hard delete, not a flag)
  await db.user.deleteOne({ _id: userId });
  // 2. Delete from caches so a stale copy cannot be served afterwards
  await cache.del(`user:${userId}`);
  // 3. Anonymize logs that must be kept for legal reasons
  await db.logs.updateMany(
    { userId },
    { $set: { userId: null, username: 'DELETED_USER' } }
  );
  // 4. Notify third-party services that hold copies of the data
  await notifyDataProcessor('stripe', { userId, action: 'delete' });
  // 5. Log the deletion for compliance audit (the audit entry itself
  //    carries only the identifier, not the deleted personal data)
  await db.auditLog.insertOne({
    action: 'user_deletion',
    userId,
    timestamp: new Date(),
    initiator: 'user_request'
  });
}
```
Users can correct inaccurate data. Provide edit endpoints and track changes. Log who modified what, when, and to what value—for audit purposes.
Users can pause processing of their data without deletion. Mark accounts as restricted and prevent any processing until they lift the restriction. Marketing still can't reach them. Analytics still can't profile them.
Users can move their data to a competitor. Export in standard, open formats. The data export endpoint from "Right of Access" largely covers this, but ensure it's easily portable.
Users can opt out of profiling and marketing. Implement preference flags in your database and enforce them in code. Don't send marketing emails to users with opt-out flags set.
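Rectification, restriction and objection share one mechanism: a flag or audit record in the database, and code that checks it before acting. The following is an added example, not from the original article, that covers the three rights above: an update function that writes a who/what/when/old/new audit entry, and a single `canProcess` gate that enforces the restricted flag and per-purpose opt-outs before anything like a marketing send runs. `updateUserField`, `canProcess`, `selectMarketingRecipients`, the purpose names and the sample users are hypothetical.

```javascript
// Added example: audited rectification plus a processing gate for
// restriction and objection flags. Names and data are hypothetical;
// not from the original article.

const EDITABLE_FIELDS = new Set(['email', 'displayName', 'phone']);

// Rectification: apply the change and record who changed what, when,
// from which value to which value. No-op updates produce no audit entry.
function updateUserField(store, { actorId, userId, field, newValue, at = new Date() }) {
  if (!EDITABLE_FIELDS.has(field)) throw new Error(`field ${field} is not user-editable`);
  const user = store.users.find(u => u.id === userId);
  if (!user) throw new Error('unknown user');
  const oldValue = user[field];
  if (oldValue === newValue) return null;
  user[field] = newValue;
  const entry = { action: 'rectification', actorId, userId, field, oldValue, newValue, at };
  store.auditLog.push(entry);
  return entry;
}

// Restriction blocks every purpose except storing the data and serving the
// user's own requests; objection blocks only the purposes a user can opt out of.
const ALWAYS_ALLOWED = new Set(['storage', 'subject_request']);
const OBJECTABLE = new Set(['marketing', 'profiling']);

function canProcess(user, purpose) {
  if (ALWAYS_ALLOWED.has(purpose)) return true;
  if (user.processingRestricted) return false;
  if (OBJECTABLE.has(purpose) && user.optOut && user.optOut[purpose]) return false;
  return true;
}

// Every outbound marketing job goes through the gate; there is no second path.
function selectMarketingRecipients(users) {
  return users.filter(u => canProcess(u, 'marketing')).map(u => u.email);
}

// Constructed sample: one normal user, one restricted, one opted out of
// marketing, one opted out of profiling only.
function demo() {
  const store = {
    users: [
      { id: 'u1', email: 'a@example.com', processingRestricted: false, optOut: {} },
      { id: 'u2', email: 'b@example.com', processingRestricted: true, optOut: {} },
      { id: 'u3', email: 'c@example.com', processingRestricted: false, optOut: { marketing: true } },
      { id: 'u4', email: 'd@example.com', processingRestricted: false, optOut: { profiling: true } },
    ],
    auditLog: [],
  };
  const change = updateUserField(store, { actorId: 'u1', userId: 'u1', field: 'email',
    newValue: 'a.new@example.com', at: new Date('2024-07-01T12:00:00Z') });
  const noop = updateUserField(store, { actorId: 'u1', userId: 'u1', field: 'email',
    newValue: 'a.new@example.com' });
  return {
    change,
    noop,
    auditLength: store.auditLog.length,
    recipients: selectMarketingRecipients(store.users),
    restrictedCanStillExport: canProcess(store.users[1], 'subject_request'),
    restrictedAnalytics: canProcess(store.users[1], 'analytics'),
    profilingOptOutMarketing: canProcess(store.users[3], 'marketing'),
    profilingOptOutProfiling: canProcess(store.users[3], 'profiling'),
  };
}
```

The point of routing everything through `canProcess` is that a new feature cannot forget the flags: if it wants to touch user data it has to name a purpose, and the gate decides.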
Beyond code, GDPR requires documentation. You need a Data Processing Agreement (DPA) with any vendor who touches personal data—your cloud provider, payment processor, analytics service, email provider.
Create a Data Protection Impact Assessment (DPIA) for any new processing activity that poses risk. This is a technical document that should include:
Keep this document updated. Your security architecture changes—your DPIA should track those changes.
If personal data is compromised, you have 72 hours to notify regulators. Your incident response plan must be coded into your systems.
Implement automated breach detection: unusual database access patterns, mass data exports, failed login spikes. Log everything with timestamps so you can prove when you discovered the breach.
```javascript
// Breach detection and notification
// Assumes investigateBreach, isolateDatabase, breachLog, sendAlert and
// queueUserNotifications are defined elsewhere in the codebase.
const addHours = (date, hours) => new Date(date.getTime() + hours * 60 * 60 * 1000);

async function handleSecurityAlert(alert) {
  const breachConfirmed = await investigateBreach(alert);
  if (breachConfirmed) {
    // 1. Isolate affected systems
    await isolateDatabase(alert.affectedDb);
    // 2. Log the incident. Capture the discovery time once so the stored
    //    timestamp and the 72-hour deadline come from the same instant.
    const discoveredAt = new Date();
    await breachLog.insertOne({
      timestamp: discoveredAt,
      type: alert.type,
      affectedRecords: alert.recordCount,
      discoveredAt,
      notificationDueBy: addHours(discoveredAt, 72)
    });
    // 3. Alert compliance team (the address is a placeholder; the original
    //    was obfuscated in the source page)
    await sendAlert('compliance@example.com', {
      subject: 'GDPR Breach - 72 Hour Notification Required',
      details: breachConfirmed
    });
    // 4. Begin user notification process
    await queueUserNotifications(breachConfirmed.affectedUsers);
  }
}
```
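The handler above starts from an alert that already exists. What produces that alert is the detection logic, and the following is an added example of it, not code from the original article: three detectors matching the patterns named earlier (mass data exports, failed-login spikes, one account reading unusually many records), run over a constructed audit log, each alert carrying the discovery time and the 72-hour deadline. The event shape, thresholds, actor names and addresses are hypothetical.

```javascript
// Added example: breach-signal detectors over audit events.
// Names, thresholds and sample events are hypothetical; not from the original article.

const HOUR_MS = 60 * 60 * 1000;
const TEN_MIN_MS = 10 * 60 * 1000;

// Hypothetical thresholds; set them from your own baseline traffic.
const THRESHOLDS = {
  exportsPerActorPerHour: 20,
  failedLoginsPerIpPer10Min: 50,
  distinctUsersReadPerActorPerHour: 50,
};

// Fixed time buckets aligned to the epoch: good enough to demonstrate the
// idea; a production detector would use a sliding window.
function bucket(ts, windowMs) { return Math.floor(ts.getTime() / windowMs); }

function bump(map, key) { map.set(key, (map.get(key) || 0) + 1); }

function makeAlert(type, subject, count, discoveredAt) {
  return {
    type, subject, count, discoveredAt,
    notificationDueBy: new Date(discoveredAt.getTime() + 72 * HOUR_MS),
  };
}

// Events: { type: 'export'|'login_failed'|'record_read', ts: Date, actor?, ip?, targetUserId? }
function detectBreachSignals(events, discoveredAt = new Date()) {
  const exportsByActor = new Map();
  const failedByIp = new Map();
  const readsByActor = new Map();
  for (const e of events) {
    if (e.type === 'export') {
      bump(exportsByActor, `${e.actor}|${bucket(e.ts, HOUR_MS)}`);
    } else if (e.type === 'login_failed') {
      bump(failedByIp, `${e.ip}|${bucket(e.ts, TEN_MIN_MS)}`);
    } else if (e.type === 'record_read') {
      const key = `${e.actor}|${bucket(e.ts, HOUR_MS)}`;
      if (!readsByActor.has(key)) readsByActor.set(key, new Set());
      readsByActor.get(key).add(e.targetUserId);
    }
  }
  const alerts = [];
  for (const [key, n] of exportsByActor) {
    if (n >= THRESHOLDS.exportsPerActorPerHour) {
      alerts.push(makeAlert('mass_export', key.split('|')[0], n, discoveredAt));
    }
  }
  for (const [key, n] of failedByIp) {
    if (n >= THRESHOLDS.failedLoginsPerIpPer10Min) {
      alerts.push(makeAlert('failed_login_spike', key.split('|')[0], n, discoveredAt));
    }
  }
  for (const [key, users] of readsByActor) {
    if (users.size >= THRESHOLDS.distinctUsersReadPerActorPerHour) {
      alerts.push(makeAlert('unusual_access', key.split('|')[0], users.size, discoveredAt));
    }
  }
  return alerts;
}

// Constructed audit log: one noisy actor per detector plus benign background.
function sampleEvents() {
  const at = (iso, offsetMs) => new Date(new Date(iso).getTime() + offsetMs);
  const events = [];
  for (let i = 0; i < 25; i++) events.push({ type: 'export', actor: 'svc-report', ts: at('2024-07-01T10:00:00Z', i * 60 * 1000) });
  for (let i = 0; i < 3; i++) events.push({ type: 'export', actor: 'alice', ts: at('2024-07-01T10:00:00Z', i * 60 * 1000) });
  for (let i = 0; i < 60; i++) events.push({ type: 'login_failed', ip: '203.0.113.5', ts: at('2024-07-01T09:00:00Z', i * 1000) });
  for (let i = 0; i < 10; i++) events.push({ type: 'login_failed', ip: '198.51.100.7', ts: at('2024-07-01T09:00:00Z', i * 1000) });
  for (let i = 0; i < 60; i++) events.push({ type: 'record_read', actor: 'bob', targetUserId: `u${i}`, ts: at('2024-07-01T11:00:00Z', i * 10 * 1000) });
  return events;
}

function demo() {
  return detectBreachSignals(sampleEvents(), new Date('2024-07-01T12:00:00Z'));
}
```

Each alert records `discoveredAt` explicitly rather than relying on a log timestamp, because the 72-hour clock starts when you became aware of the breach and you will need to show when that was.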
Every third-party service that touches your data creates compliance risk. Before integrating:
Document all integrations. Maintain a registry of what data flows to each vendor. Your compliance team needs to audit this quarterly.
Compliance can't be bolted on later. Build it into your development process:
You don't have to build everything from scratch. Several tools accelerate GDPR compliance: