GDPR Engineering Compliance
Implement GDPR technical requirements in software systems. Covers data subject rights automation, consent management, data minimization, right to erasure, data portability, privacy by design, and the patterns that make GDPR compliance a technical capability rather than a legal burden.
GDPR is not just a legal requirement — it is a technical requirement. Data subject rights (access, erasure, portability) must be implemented as software capabilities. Consent must be tracked and enforced programmatically. Data flows must be auditable. Engineering teams that treat GDPR as a checkbox will find themselves unable to comply when a data subject actually exercises their rights.
Data Subject Rights
Article 15 - Right of Access:
User: "What data do you have about me?"
System: Generate complete data export within 30 days
Engineering requirement:
☐ Catalog all data stores containing user data
☐ Build automated data export pipeline
☐ Include derived data (analytics, scores, predictions)
☐ Provide in machine-readable format (JSON, CSV)
Article 17 - Right to Erasure ("Right to be Forgotten"):
User: "Delete all my data"
System: Delete or anonymize all personal data within 30 days
Engineering requirement:
☐ Discover all data stores with user data
☐ Hard delete or cryptographic erasure
☐ Handle cascade: backups, logs, analytics, ML training data
☐ Notify all third parties with shared data
Article 20 - Right to Data Portability:
User: "Give me my data in a portable format"
System: Export in structured, machine-readable format
Engineering requirement:
☐ Standard export format (JSON-LD, CSV)
☐ Include all user-provided data
☐ Automated generation (not manual process)Implementation
class GDPRService:
def __init__(self, data_catalog, notification_service):
self.catalog = data_catalog # Registry of all data stores
self.notifier = notification_service
def handle_access_request(self, user_id: str) -> DataExport:
"""Article 15: Right of Access."""
all_data = {}
for store in self.catalog.get_stores_with_user_data():
data = store.export_user_data(user_id)
all_data[store.name] = data
export = DataExport(
user_id=user_id,
data=all_data,
generated_at=datetime.utcnow(),
format="json",
)
# Log the access request for audit
self.audit_log.record("DATA_ACCESS_REQUEST", user_id, export.id)
return export
def handle_erasure_request(self, user_id: str) -> ErasureResult:
"""Article 17: Right to Erasure."""
results = []
for store in self.catalog.get_stores_with_user_data():
if store.supports_hard_delete:
result = store.delete_user_data(user_id)
else:
# Anonymize if hard delete not possible (e.g., analytics)
result = store.anonymize_user_data(user_id)
results.append(result)
# Notify third parties
for partner in self.catalog.get_data_sharing_partners():
self.notifier.send_erasure_request(partner, user_id)
# Schedule backup erasure (backups are immutable,
# so wait for retention period)
self.schedule_backup_erasure(user_id)
return ErasureResult(
user_id=user_id,
stores_processed=len(results),
completion_status="partial", # Backups pending
estimated_full_completion=datetime.utcnow() + timedelta(days=30),
)Consent Management
class ConsentManager:
"""Track and enforce user consent per purpose."""
def record_consent(self, user_id, purpose, granted, version):
"""Record consent decision with full audit trail."""
self.store.insert({
"user_id": user_id,
"purpose": purpose, # e.g., "marketing", "analytics", "personalization"
"granted": granted, # True/False
"consent_version": version, # Version of consent text
"timestamp": datetime.utcnow(),
"ip_address": self.get_ip(),
"user_agent": self.get_user_agent(),
})
def check_consent(self, user_id, purpose) -> bool:
"""Check if user has active consent for a purpose."""
latest = self.store.get_latest_consent(user_id, purpose)
if not latest:
return False # No consent recorded = no consent
if not latest.granted:
return False # Consent explicitly denied
return True
def enforce_consent(self, user_id, purpose):
"""Middleware to block processing without consent."""
if not self.check_consent(user_id, purpose):
raise ConsentRequired(
f"User {user_id} has not consented to {purpose}. "
"Processing blocked per GDPR Article 6."
)Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Manual data export process | Cannot respond within 30 days | Automated data export pipeline |
| No data catalog | Cannot find all user data | Centralized data store registry |
| Soft delete only | Data still exists, not erased | Hard delete or cryptographic erasure |
| Consent assumed by default | GDPR requires explicit, informed consent | Opt-in consent with clear purpose |
| No audit trail | Cannot prove compliance | Immutable audit logs for all GDPR actions |
GDPR compliance is a software engineering problem. If your system cannot automatically export, delete, and track consent for every user, you are not compliant — regardless of what your privacy policy says.
