GDPR Compliance

🔥 Vibe Prompt

"Make an app GDPR compliant: consent, data deletion, breach notification, DPA."

GDPR Requirements

| Article | Requirement | Implementation |
|---------|-------------|----------------|
| Art. 5  | Processing principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity, accountability) | Data inventory, retention policy, documentation |
| Art. 6  | Lawful basis for processing | Record the basis per purpose; consent is only one option beside contract, legal obligation and legitimate interest |
| Art. 7  | Conditions for consent | Granular, unticked opt-ins; withdrawal as easy as giving consent; consent records |
| Art. 15 | Right of access | Data export API (the data plus purposes, recipients and retention period) |
| Art. 17 | Right to erasure | Delete user API, propagated to processors and scheduled for backups |
| Art. 20 | Data portability | Machine-readable (JSON/CSV) export |
| Art. 25 | Data protection by design and by default | Data minimisation, privacy-friendly defaults, DPIA before building |
| Art. 28 | Processor contracts | Signed DPA with every processor |
| Art. 32 | Security of processing | Encryption, access control, pseudonymisation, tested restore |
| Art. 33 | Breach notification to the supervisory authority | 72-hour notification process |
| Art. 34 | Breach communication to data subjects | Triggered when the breach is likely to result in a high risk |
| Art. 35 | Data protection impact assessment | DPIA process for high-risk processing |

Consent Implementation

// Consent modal: one toggle per purpose, none pre-ticked (Art. 7 / Recital 32).
// "necessary" is strictly-necessary processing and is not consent-based, so it
// is shown but cannot be switched off.
const consentTypes = {
  necessary: { required: true, label: "Essential cookies" },
  analytics: { required: false, label: "Analytics (Google Analytics)" },
  marketing: { required: false, label: "Marketing (cookies, emails)" },
  functional: { required: false, label: "Personalization" }
};

const CONSENT_VERSION = '1.0'; // bump whenever the privacy notice or purposes change

// Store consent locally and on the server. The server copy is the evidence the
// controller must be able to produce (Art. 7(1)); the local copy only gates scripts.
async function saveConsent(preferences) {
  const record = {
    ...preferences,
    timestamp: new Date().toISOString(),
    version: CONSENT_VERSION
  };
  localStorage.setItem('consent', JSON.stringify(record));

  await fetch('/api/consent', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify(record) // send timestamp and version too, not just the toggles
  });
}

// Read consent defensively: a missing, corrupt or outdated record means "no consent".
function getConsent() {
  try {
    const stored = JSON.parse(localStorage.getItem('consent') || '{}');
    return stored.version === CONSENT_VERSION ? stored : {};
  } catch (e) {
    return {};
  }
}

// Check consent before loading analytics: the tag must not be injected until
// the user has opted in, because it sets cookies the moment it runs.
if (getConsent().analytics === true) {
  loadGoogleAnalytics();
}
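The client code above only gates scripts; the server-side record is what proves consent was given. The following is an added example (not code from the original page) of a server-side consent store in Python that keeps an append-only log, ignores unknown purposes, treats consent given under an older notice version as not given, and makes withdrawal a single call. `CURRENT_CONSENT_VERSION`, `CONSENT_PURPOSES`, `ConsentStore` and the sample data in `demo()` are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed: the notice/consent-text version currently shown to users. Bump it when
# purposes or wording change; consent recorded under an older version stops counting.
CURRENT_CONSENT_VERSION = "1.1"

# Non-essential purposes offered in the dialog (same keys as the client-side modal).
# "necessary" is not consent-based, so it is never stored as a consent decision.
CONSENT_PURPOSES = ("analytics", "marketing", "functional")


@dataclass
class ConsentRecord:
    user_id: str
    purposes: Dict[str, bool]      # purpose -> True (opted in) / False (declined)
    version: str
    recorded_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """Append-only consent log so the controller can demonstrate (Art. 7(1))
    what was consented to, when, and under which version of the notice."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record(self, user_id: str, preferences: dict, version: str,
               now: Optional[datetime] = None) -> ConsentRecord:
        # Only known non-essential purposes are stored; anything else the client
        # sends is dropped rather than silently granted. Missing purposes default
        # to False: no pre-ticked boxes (Art. 7 / Recital 32).
        purposes = {p: bool(preferences.get(p, False)) for p in CONSENT_PURPOSES}
        rec = ConsentRecord(user_id, purposes, version, now or datetime.now(timezone.utc))
        self._records.setdefault(user_id, []).append(rec)
        return rec

    def withdraw(self, user_id: str, now: Optional[datetime] = None) -> Optional[ConsentRecord]:
        # Withdrawal must be as easy as giving consent (Art. 7(3)): one call closes
        # the latest record and every later check falls back to "no consent".
        latest = self._latest(user_id)
        if latest is not None and latest.withdrawn_at is None:
            latest.withdrawn_at = now or datetime.now(timezone.utc)
        return latest

    def is_granted(self, user_id: str, purpose: str) -> bool:
        latest = self._latest(user_id)
        if latest is None or latest.withdrawn_at is not None:
            return False
        if latest.version != CURRENT_CONSENT_VERSION:
            # Consent to an older notice is not consent to the current one.
            return False
        return latest.purposes.get(purpose, False)

    def needs_reprompt(self, user_id: str) -> bool:
        latest = self._latest(user_id)
        return (latest is None or latest.withdrawn_at is not None
                or latest.version != CURRENT_CONSENT_VERSION)

    def _latest(self, user_id: str) -> Optional[ConsentRecord]:
        recs = self._records.get(user_id)
        return recs[-1] if recs else None


def demo():
    """Constructed walk-through; returns the decisions a caller would observe."""
    store = ConsentStore()
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    user = "user-42"
    # Submitted under the old notice: analytics ticked, plus a bogus purpose the
    # client should never have sent.
    store.record(user, {"analytics": True, "evil": True}, "1.0", t0)
    old_version = (store.is_granted(user, "analytics"), store.needs_reprompt(user))
    # Re-prompted under the current notice: analytics ticked, marketing left alone.
    store.record(user, {"analytics": True, "necessary": True}, CURRENT_CONSENT_VERSION, t0)
    fresh = (store.is_granted(user, "analytics"), store.is_granted(user, "marketing"))
    store.withdraw(user, t0)
    after_withdraw = store.is_granted(user, "analytics")
    return old_version, fresh, after_withdraw


if __name__ == "__main__":
    print(demo())
```

The version check is the part most often missed: when the purposes in the dialog change, every existing record silently becomes stale, and `needs_reprompt` is what the page should consult before deciding whether to show the banner again.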

Right to Erasure (Art. 17)

from flask import Flask, jsonify
from flask_jwt_extended import jwt_required, get_jwt_identity

app = Flask(__name__)
# `db` is assumed to be a DB-API style connection (execute/commit) configured elsewhere.

@app.route('/api/user/data', methods=['DELETE'])
@jwt_required()  # flask-jwt-extended 4.x: the decorator must be called
def delete_user_data():
    user_id = get_jwt_identity()

    # 1. Anonymize the account row. Keeping the row preserves referential
    #    integrity for records that must be retained under Art. 17(3), e.g.
    #    invoices subject to tax-law retention periods.
    db.execute("UPDATE users SET email = NULL, name = 'Deleted User' WHERE id = %s", (user_id,))

    # 2. Delete data with no retention obligation
    db.execute("DELETE FROM user_analytics WHERE user_id = %s", (user_id,))
    db.execute("DELETE FROM sessions WHERE user_id = %s", (user_id,))
    # Deleting session rows does not invalidate JWTs already issued: deny-list the
    # token's jti (or rotate the signing key) so the caller cannot keep using it.

    # 3. Keep a minimal audit log (accountability / legal requirement): no PII,
    #    only the fact and time of deletion
    db.execute("INSERT INTO deletion_log (user_id, deleted_at) VALUES (%s, NOW())", (user_id,))
    db.commit()  # all three steps succeed together or not at all

    # Erasure must also be passed on to processors (Art. 19) and scheduled for
    # backups that cannot be edited in place.
    return jsonify({"message": "Data deleted. Audit log retained for legal purposes."}), 200
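The route above shows the SQL; what it does not show is how to handle the records an erasure request cannot simply delete (Art. 17(3)(b), e.g. invoices kept under tax law) and how to stop a still-valid token from being used afterwards. The following added example, not code from the original page, works on a constructed in-memory stand-in for the same tables plus an `invoices` table and a `token_denylist`: it deletes what has no retention obligation, deny-lists session JWT ids, severs retained invoices from the identity behind a one-way pseudonym, and logs the deletion without PII. `sample_db`, `erase_user`, `pseudonym`, the `pepper` argument and all data values are assumptions.

```python
import hashlib
from datetime import datetime, timezone


def sample_db():
    """Constructed stand-in for the application's tables (assumption)."""
    return {
        "users": {7: {"email": "alice@example.com", "name": "Alice"}},
        "user_analytics": [{"user_id": 7, "page": "/pricing"},
                           {"user_id": 8, "page": "/"}],
        "sessions": [{"user_id": 7, "jti": "abc"}],
        # Retained under a legal obligation (tax law), so Art. 17(3)(b) applies.
        "invoices": [{"user_id": 7, "amount": 100, "email": "alice@example.com"}],
        "token_denylist": set(),
        "deletion_log": [],
    }


DELETED_PLACEHOLDER = "deleted"


def pseudonym(user_id, pepper):
    # One-way reference so retained invoices can still be grouped per former
    # customer (for audits) without the identity. `pepper` is assumed to live
    # outside the database (e.g. in a KMS); without it, user ids cannot be
    # re-derived by hashing the small id space.
    return hashlib.sha256(f"{pepper}:{user_id}".encode()).hexdigest()[:16]


def erase_user(db, user_id, now=None, pepper="pepper-from-kms"):
    if user_id not in db["users"]:
        return {"erased": False, "reason": "unknown user"}
    now = now or datetime.now(timezone.utc)
    ref = pseudonym(user_id, pepper)

    # 1. Delete what has no retention obligation.
    db["user_analytics"] = [r for r in db["user_analytics"] if r["user_id"] != user_id]

    # 2. Revoke sessions AND remember their JWT ids: removing the session row
    #    alone does nothing to a stateless token still held by the browser.
    for s in db["sessions"]:
        if s["user_id"] == user_id:
            db["token_denylist"].add(s["jti"])
    db["sessions"] = [s for s in db["sessions"] if s["user_id"] != user_id]

    # 3. Records with a legal retention period are kept but cut loose from the
    #    identity: no email, no user id, only the pseudonymous reference.
    retained = 0
    for inv in db["invoices"]:
        if inv["user_id"] == user_id:
            inv["user_id"] = None
            inv["email"] = DELETED_PLACEHOLDER
            inv["former_customer_ref"] = ref
            retained += 1

    # 4. Remove the identity itself.
    del db["users"][user_id]

    # 5. Minimal log proving the request was honoured; carries the pseudonym, not PII.
    db["deletion_log"].append({"ref": ref, "deleted_at": now.isoformat()})
    return {"erased": True, "invoices_retained": retained, "ref": ref}


def remaining_pii(db, needle="alice"):
    """Sanity check after erasure: any row in the retained tables still mentioning
    the deleted person's identifier (constructed needle for the sample data)."""
    tables = ("user_analytics", "sessions", "invoices", "deletion_log")
    blobs = [str(r) for t in tables for r in db[t]]
    return [b for b in blobs if needle in b.lower()]


if __name__ == "__main__":
    db = sample_db()
    print(erase_user(db, 7))
    print("leftover PII:", remaining_pii(db))
```

The `remaining_pii` scan is the kind of check worth running in a test suite against a fixture copy of the schema: erasure bugs are usually a column nobody remembered (the `email` copied onto the invoice here), not the main `users` row.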

Data Protection Impact Assessment (DPIA)

# DPIA: User Analytics System

## 1. Data Processing Description
- What: User behavior tracking (pages, clicks, time)
- Why: Product improvement
- How: Google Analytics + custom events
- Data: page views, feature usage, session duration

## 2. Necessity & Proportionality
- Necessary for product decisions? Yes
- Minimum data collected? Yes (no PII in analytics)
- Can we achieve with less data? Anonymized aggregates

## 3. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| Re-identification | Low | High | Anonymize IP, no user IDs |
| Data breach | Low | Med | Encrypt, access control |
| Consent bypass | Med | High | Audit consent logs |

## 4. Mitigation Measures
- IP anonymization
- No PII in analytics data
- Consent required before tracking
- 14-month data retention max
- Regular data deletion

## 5. Sign-off
- Data Protection Officer: [Sign]
- Product Manager: [Sign]
- Date: YYYY-MM-DD
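The DPIA's "14-month data retention max" and "regular data deletion" only hold if something enforces them. The following added example (not code from the original page) is a retention sweep in Python over a constructed dict-of-tables: each table has a maximum age, rows past it are purged, and a table with no policy at all is refused rather than kept forever by accident. The 14-month analytics figure comes from the DPIA above; the `RETENTION` entries for sessions and consent records, the table and column names, and the rows in `demo()` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Retention policy: table -> (timestamp column, maximum age). Assumed values
# except the 14-month analytics cap, which is the DPIA's own figure.
RETENTION = {
    "user_analytics": ("occurred_at", timedelta(days=14 * 30)),
    "sessions": ("last_seen_at", timedelta(days=30)),
    "consent_records": ("recorded_at", timedelta(days=365 * 3)),
}


class MissingRetentionPolicy(Exception):
    """A table holding personal data has no retention rule. Under storage
    limitation, silently keeping such data forever is the failure mode to catch."""


def purge_expired(db, now):
    """Delete rows older than their table's retention period.

    `db` is a dict of table name -> list of row dicts (constructed stand-in).
    Every table present must have a policy. Returns rows removed per table.
    """
    unknown = set(db) - set(RETENTION)
    if unknown:
        raise MissingRetentionPolicy(sorted(unknown))
    removed = {}
    for table, (column, max_age) in RETENTION.items():
        rows = db.get(table, [])
        cutoff = now - max_age
        kept = [r for r in rows if r[column] >= cutoff]
        removed[table] = len(rows) - len(kept)
        db[table] = kept
    return removed


def demo():
    """Constructed data: one fresh and one stale row for two tables."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    db = {
        "user_analytics": [
            {"user_id": 1, "occurred_at": now - timedelta(days=10)},
            {"user_id": 1, "occurred_at": now - timedelta(days=500)},  # past 14 months
        ],
        "sessions": [
            {"user_id": 1, "last_seen_at": now - timedelta(days=1)},
            {"user_id": 2, "last_seen_at": now - timedelta(days=45)},
        ],
        "consent_records": [
            {"user_id": 1, "recorded_at": now - timedelta(days=100)},
        ],
    }
    removed = purge_expired(db, now)
    left = {table: len(rows) for table, rows in db.items()}
    return removed, left


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule (a nightly job is typical) and alert on `MissingRetentionPolicy`: a new table appearing without a rule is exactly the case the DPIA's "regular data deletion" line is meant to prevent.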

Data Processing Agreement (DPA)

# Data Processing Agreement

## 1. Processor Obligations (Art. 28(3))
- Process data only on documented instructions from the controller
- Ensure personnel are bound by confidentiality
- Implement the Art. 32 security measures
- Engage sub-processors only with the controller's prior authorisation, under the same obligations
- Assist the controller with data subject rights and with its Art. 32-36 duties (security, breach notification, DPIAs)
- Notify breaches to the controller within 48 hours of becoming aware (a contractual figure; the GDPR itself says "without undue delay")
- Delete or return all personal data after service termination
- Make available the information needed to demonstrate compliance, and allow audits

## 2. Sub-processors
- AWS (cloud infrastructure)
- SendGrid (email delivery)
- Stripe (payment processing)

## 3. Security Measures
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Access control (RBAC, MFA)
- Regular security audits
- Incident response plan

## 4. Data Breach Notification
- Processor notifies the controller within 48 hours of becoming aware. The controller's own 72-hour clock (Art. 33(1)) starts when the controller becomes aware, so the contractual window must leave time to assess and file.
- Notification includes: nature of the breach; categories and approximate number of data subjects and records; likely consequences; contact point (DPO)
- Measures taken or proposed to address the breach and mitigate its effects
- Information may be supplied in phases if it is not all available at once (Art. 33(4))
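The two deadlines in the DPA (48 hours processor-to-controller, 72 hours controller-to-authority) are easy to conflate during an incident. The following added example, not code from the original page, is a small Python incident record that computes the Art. 33 deadline from the moment the controller became aware, checks whether the processor met its contractual window, decides whether Art. 34 communication to data subjects is triggered, and assembles the Art. 33(3) minimum content. `Breach`, `PROCESSOR_CONTRACT_WINDOW`, the DPO address and the timestamps and figures in `demo()` are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

AUTHORITY_DEADLINE = timedelta(hours=72)         # Art. 33(1): controller -> supervisory authority
PROCESSOR_CONTRACT_WINDOW = timedelta(hours=48)  # the DPA's contractual figure (assumption)


@dataclass
class Breach:
    detected_by_processor_at: Optional[datetime]  # None if the breach is the controller's own
    controller_aware_at: datetime
    nature: str
    data_categories: List[str]
    approx_subjects: int
    high_risk: bool                               # controller's assessment; drives Art. 34
    measures: List[str] = field(default_factory=list)

    def authority_deadline(self) -> datetime:
        # The 72 h run from when the controller becomes aware, not from the
        # processor's detection (a separate "without undue delay" duty).
        return self.controller_aware_at + AUTHORITY_DEADLINE

    def hours_remaining(self, now: datetime) -> float:
        return (self.authority_deadline() - now).total_seconds() / 3600

    def processor_notified_in_window(self) -> bool:
        if self.detected_by_processor_at is None:
            return True
        return (self.controller_aware_at - self.detected_by_processor_at) <= PROCESSOR_CONTRACT_WINDOW

    def must_notify_subjects(self) -> bool:
        # Art. 34: only when the breach is likely to result in a *high* risk.
        return self.high_risk

    def notification(self, now: datetime, dpo_contact: str) -> dict:
        # Minimum content of Art. 33(3). Information may be provided in phases
        # (Art. 33(4)), so the report records when it was produced and whether
        # reasons for delay must accompany it.
        late = now > self.authority_deadline()
        return {
            "nature": self.nature,
            "categories": self.data_categories,
            "approximate_subjects": self.approx_subjects,
            "dpo_contact": dpo_contact,
            "likely_consequences": "high risk" if self.high_risk else "limited risk",
            "measures": self.measures,
            "reported_at": now.isoformat(),
            "delay_reason_required": late,
        }


def demo() -> dict:
    """Constructed timeline: processor detects Friday morning, tells the
    controller 49 h later (missing the 48 h contractual window)."""
    t_detect = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t_aware = datetime(2024, 3, 3, 10, 0, tzinfo=timezone.utc)
    b = Breach(t_detect, t_aware,
               "Misconfigured object-storage bucket exposed support tickets",
               ["names", "emails"], approx_subjects=1200, high_risk=True,
               measures=["bucket made private", "access logs reviewed"])
    report = b.notification(t_aware + timedelta(hours=80), "dpo@example.com")
    return {
        "deadline": b.authority_deadline().isoformat(),
        "hours_left_day1": b.hours_remaining(t_aware + timedelta(hours=24)),
        "processor_on_time": b.processor_notified_in_window(),
        "notify_subjects": b.must_notify_subjects(),
        "late": report["delay_reason_required"],
    }


if __name__ == "__main__":
    print(demo())
```

Note what the example deliberately does not do: it never infers `high_risk` from the numbers. That judgement (Art. 34) is a human decision the tool should record, not make.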

GDPR Best Practices

| Practice | Implementation |
|----------|----------------|
| Lawful basis | Consent, legitimate interest, contract (documented per purpose) |
| Consent granularity | Separate toggles per purpose |
| Cookie banner | Before any non-essential cookies are set |
| Data map | What data, where, why, how long |
| ROPA | Record of processing activities (Art. 30) |
| DPO | Appoint a Data Protection Officer where Art. 37 requires one |
| Breach notification | 72h process established and rehearsed |
| Data portability | JSON/CSV export API |
| Privacy notice | Clear, accessible, kept up to date |
| DPA with processors | Signed with all vendors that process personal data |

GDPR Key Principles

| Principle | Meaning | Implementation |
|-----------|---------|----------------|
| Lawfulness, fairness, transparency | Process data legally and openly | Privacy notice, consent records |
| Purpose limitation | Collect data only for specified purposes | Data inventory, usage audit |
| Data minimization | Collect only what is necessary | Review forms, remove unused fields |
| Accuracy | Keep data correct and up to date | Validation rules, update reminders |
| Storage limitation | Delete data when no longer needed | Retention policy, automated deletion |
| Integrity and confidentiality | Protect data from breaches | Encryption, access control, monitoring |
| Accountability | Be able to prove compliance | Documentation, DPO, records of processing |

Data Subject Rights

| Right | What It Means | Response Time |
|-------|---------------|---------------|
| Right to be informed (Art. 13-14) | Tell users what data you collect and why | At the point of collection (within a month if the data came from elsewhere) |
| Right of access (Art. 15) | Users can obtain a copy of their data | Without undue delay, at most 1 month (extendable by 2 months for complex requests, Art. 12(3)) |
| Right to rectification (Art. 16) | Users can correct errors | 1 month |
| Right to erasure ("Right to be forgotten", Art. 17) | Users can request deletion | 1 month |
| Right to restrict processing (Art. 18) | Users can limit how data is used | 1 month |
| Right to data portability (Art. 20) | Users can receive their data in a machine-readable format | 1 month |
| Right to object (Art. 21) | Users can object to processing; for direct marketing the objection is absolute | Stop marketing as soon as the objection arrives; confirm within 1 month |
| Rights related to automated decision-making (Art. 22) | Users can contest decisions based solely on automated processing and obtain human intervention | Ongoing |

GDPR Fines

| Violation | Maximum Fine | Example |
|-----------|--------------|---------|
| Lower tier (Art. 83(4)) | €10M or 2% of annual global turnover, whichever is higher | Inadequate records of processing, no DPA with a processor |
| Upper tier (Art. 83(5)) | €20M or 4% of annual global turnover, whichever is higher | No lawful basis for processing, ignoring data subject rights |

Notable Fines

| Company | Fine | Year | Reason |
|---------|------|------|--------|
| Meta (Facebook) | €1.2B | 2023 | Unlawful data transfers to the US |
| Amazon | €746M | 2021 | Targeted advertising without valid consent |
| Meta (WhatsApp) | €225M | 2021 | Lack of transparency towards users |
| Google | €50M | 2019 | Insufficient transparency and invalid consent for ad personalisation |

Summary

GDPR is one of the strictest data protection laws in the world. It gives individuals control over their personal data and backs that with fines large enough to matter to any company.

Key takeaways:
- 7 principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability
- 8 rights: informed, access, rectification, erasure, restriction, portability, objection, automated decisions
- Fines up to 4% of global annual turnover or €20M, whichever is higher
- Privacy notice must be clear, concise, and transparent
- A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring or large-scale processing of special-category data (Art. 37)
- Records of processing activities (ROPA) must be maintained (Art. 30)
- A Data Protection Impact Assessment (DPIA) is required before high-risk processing (Art. 35)
- International data transfers need an adequacy decision, SCCs, BCRs or another Chapter V mechanism

Next Chapter: ISO 27001

The next chapter covers ISO 27001 and the ISMS framework.
