GDPR
General Data Protection Regulation – EU-wide rules on processing personal data, affecting how software stores, processes and handles user data.
The GDPR (General Data Protection Regulation) has been the main data protection law in Europe since 2018. It applies to any software that processes personal data – from company websites to CRM and mobile apps. Breaches can lead to fines of up to €20 million or 4% of global annual turnover. GDPR compliance is not optional but mandatory.
What is GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that governs the handling of personal data. Personal data is any information relating to an identified or identifiable person: name, email, IP address, cookie IDs, location, health data, etc. The GDPR is based on principles such as: lawfulness (a legal basis for each processing), purpose limitation (data only for stated purposes), data minimisation (only necessary data), storage limitation (delete when no longer needed), and integrity and confidentiality (appropriate security).
How does GDPR work?
For software development the GDPR requires Privacy by Design (build data protection into architecture from the start) and Privacy by Default (most privacy-friendly settings as default). In practice: cookie consent before non-essential cookies, minimal data in forms, encryption in transit (HTTPS), data processing agreements with processors, records of processing activities, data protection impact assessments for high-risk processing, and technical measures such as pseudonymisation, access control and audit logs.
Practical Examples
Cookie consent: A site may set analytics cookies (e.g. Google Analytics) only after the user has actively consented – only strictly necessary cookies before that.
Right to erasure: A user requests account deletion. The system must delete or anonymise all their personal data – including in backups and logs.
Privacy notice: Every website and app needs a clear, complete privacy policy: controller, purposes, legal basis, recipients and data subject rights.
Processing agreement: A cloud host (e.g. AWS, Hetzner) processes data on behalf of the company – a data processing agreement is required.
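The pseudonymisation and audit-log measures mentioned under "How does GDPR work?" and the erasure example above (deleting or anonymising data that also sits in logs and backups) can be combined in one pattern: write only a keyed pseudonym of the user into log records, keep the per-user key in a separate store, and honour an erasure request by destroying that key (crypto-shredding), which renders every copy of the pseudonym unlinkable without having to rewrite old backups. The code below is an added illustration, not code from the original page; the in-memory vault, the `LOG_FIELDS` allow-list and the identifiers are assumptions, and a real deployment would hold the keys in an access-controlled key store.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Data minimisation: only these event fields may reach logs and backups.
# Anything else (email, raw IP, free text) is dropped before writing. Assumed list.
LOG_FIELDS = {"event", "path", "status"}


class PseudonymVault:
    """Per-user secrets used to derive log pseudonyms (constructed example).

    Note: while a user's key exists, the pseudonym is still personal data under
    the GDPR (it is re-identifiable by whoever holds the key); only after the
    key is destroyed do the log entries become anonymous.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, user_id: str) -> bytes:
        # A fresh 256-bit key is created the first time a user is seen.
        if user_id not in self._keys:
            self._keys[user_id] = secrets.token_bytes(32)
        return self._keys[user_id]

    def pseudonym(self, user_id: str) -> str:
        # HMAC-SHA256 keyed per user: stable for the user's lifetime (so a SOC
        # can still correlate one subject's events) but meaningless without the key.
        mac = hmac.new(self.key_for(user_id), user_id.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def resolve(self, user_id: str, token: str) -> bool:
        # Used to answer a data access request: does this log token belong to user_id?
        # Constant-time comparison avoids leaking the token through timing.
        if user_id not in self._keys:
            return False
        return hmac.compare_digest(self.pseudonym(user_id), token)

    def erase(self, user_id: str) -> bool:
        # Crypto-shredding: destroying the key anonymises every derived pseudonym,
        # including copies already in backups. Returns False if nothing was stored.
        return self._keys.pop(user_id, None) is not None


def log_record(vault: PseudonymVault, user_id: str, event: Dict[str, str]) -> Dict[str, str]:
    """Build the minimised, pseudonymised record that may be written to the audit log."""
    record = {k: v for k, v in event.items() if k in LOG_FIELDS}
    record["subject"] = vault.pseudonym(user_id)
    return record


if __name__ == "__main__":
    vault = PseudonymVault()
    # Constructed sample event; "email" and "ip" never reach the log.
    rec = log_record(vault, "alice", {"event": "login", "path": "/account",
                                      "status": "200", "ip": "203.0.113.5",
                                      "email": "alice@example.com"})
    print("log record:", rec)
    print("resolvable before erasure:", vault.resolve("alice", rec["subject"]))
    vault.erase("alice")  # right to erasure: shred the key
    print("resolvable after erasure:", vault.resolve("alice", rec["subject"]))
```

If the same person registers again after erasure, `key_for` issues a new key, so the new activity cannot be linked to the old log entries; that is the intended behaviour. The allow-list in `log_record` is the data-minimisation half of the pattern, the vault is the pseudonymisation half, and `erase` is what makes the "including backups and logs" requirement achievable without touching immutable backup media.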
Typical Use Cases
Web applications: Cookie consent, privacy policy, handling data subject rights
CRM and ERP: Lawful processing of customer data, retention and access control
E-commerce: Data protection for orders, payment data and marketing consent
Mobile apps: App Tracking Transparency, local storage and consent management
AI and analytics: Legal basis for analysis, anonymisation and profiling transparency
Advantages and Disadvantages
Advantages
- Trust: GDPR compliance signals competence and builds customer trust
- Market access: In EU markets compliance is often a requirement for B2B
- Data quality: Minimisation and purpose limitation lead to cleaner data
- Security: GDPR’s security requirements also help protect against attacks
- Global: GDPR compliance often satisfies other countries’ laws too
Disadvantages
- Complexity: Interpreting the GDPR needs legal expertise
- Implementation: Consent, retention and rights require development effort
- Administration: Records of processing, DPAs and DPIAs take time
- Uncertainty: Some details are still being clarified in court (e.g. cookies, analytics)
- Cost: DPO, legal advice and technical measures cost money
Frequently Asked Questions about GDPR
Do I need a Data Protection Officer?
Is Google Analytics GDPR compliant?
What are the consequences of GDPR breaches?
Want to use GDPR in your project?
We are happy to advise you on GDPR and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.