GDPR enforcement is intensifying and fines are growing. We break down the technical requirements that every developer must implement — with practical code examples.
The ICO issued £14.2M in fines in 2024 alone, and enforcement is only intensifying. GDPR is not just a legal checkbox — it's a set of technical requirements that directly affect how you design databases, APIs, and data pipelines. Developers who understand these requirements are invaluable; those who don't are a liability.
The 6 Technical Requirements That Actually Affect Your Code
- <strong>Data minimisation.</strong> Only collect what you actually need. If you don't use date of birth for anything, don't store it.
- <strong>Right to erasure ("right to be forgotten").</strong> You must be able to delete all personal data for a given user within 30 days. This means your data model must track which records belong to which user — including in logs, analytics, and backups.
- <strong>Data portability.</strong> Users can request a machine-readable export of their data. Build a data export endpoint from day one.
- <strong>Consent management.</strong> Consent must be specific, informed, and revocable. Use a proper Consent Management Platform (CMP) — not a cookie banner that pre-ticks everything.
- <strong>Breach notification.</strong> You have 72 hours to notify the ICO of a data breach affecting EU/UK residents. You need incident response procedures before a breach, not after.
- <strong>Privacy by design.</strong> Security measures (encryption at rest and in transit, access controls, pseudonymisation) must be built in from the start.
The Right to Erasure in Code
javascript
users/delete.js
// Right to Erasure implementation
async function deleteUserData(userId) {
await db.transaction(async (trx) => {
// Anonymise instead of hard-delete where data is needed for accounting
await trx('orders').where({ userId }).update({
userId: null,
customerEmail: '[deleted]',
customerName: '[deleted]',
});
// Hard delete personal data
await trx('user_sessions').where({ userId }).delete();
await trx('user_addresses').where({ userId }).delete();
await trx('user_profiles').where({ userId }).delete();
await trx('users').where({ id: userId }).delete();
});
// Log the erasure for your compliance record
await auditLog.write({
event: 'USER_DATA_ERASED',
userId,
timestamp: new Date().toISOString(),
requestedBy: 'user', // or 'admin', 'legal'
});
}
The Backup Problem
Don't forget your backups. GDPR applies to all copies of personal data, including database backups. Either implement the ability to replay erasures against restored backups, or ensure your backup retention policy (typically 30 days) means deleted data is gone from all backups within that window.
Got a project in mind?
I work directly with founders and CTOs to build reliable, scalable software. Let's have a conversation about your goals.
Angebot einholen