# GDPR Compliance

## 🔥 Vibe Prompt
"Make an app GDPR compliant: consent, data deletion, breach notification, DPA."
## GDPR Requirements
| Article | Requirement | Implementation |
|---------|-------------|----------------|
| Art. 5 | Lawful processing | Consent checkbox |
| Art. 7 | Consent conditions | Granular opt-in |
| Art. 15 | Right to access | Data export API |
| Art. 17 | Right to erasure | Delete user API |
| Art. 20 | Data portability | JSON export |
| Art. 25 | Privacy by design | PIA, data minimization |
| Art. 32 | Security measures | Encryption, access control |
| Art. 33 | Breach notification | 72h notification system |
| Art. 35 | Data protection impact | DPIA process |
## Consent Implementation

```javascript
// Consent modal
const consentTypes = {
  necessary: { required: true, label: "Essential cookies" },
  analytics: { required: false, label: "Analytics (Google Analytics)" },
  marketing: { required: false, label: "Marketing (cookies, emails)" },
  functional: { required: false, label: "Personalization" }
};

// Store consent
function saveConsent(preferences) {
  const record = {
    ...preferences,
    timestamp: new Date().toISOString(),
    version: '1.0' // privacy-notice version the user agreed to
  };
  localStorage.setItem('consent', JSON.stringify(record));
  // Also send the same record to the server: the server-side copy is the
  // proof of consent (Art. 7), so it must carry the timestamp and version too
  return fetch('/api/consent', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(record)
  });
}

// Check consent before loading analytics
if (JSON.parse(localStorage.getItem('consent') || '{}').analytics) {
  loadGoogleAnalytics();
}
```
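The client-side check above trusts whatever sits in `localStorage`; the server behind `/api/consent` has to be the source of truth. The following is an added example (not code from the original page) of that server-side store: an append-only consent ledger with the same four purposes, where a withdrawal is a new record and consent given under an older privacy-notice version no longer counts. `ConsentLedger`, `has_consent` and `CURRENT_POLICY_VERSION` are assumed names.

```python
# Added example (not the page's code): server-side, append-only consent ledger
# behind the /api/consent call above; class and function names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Purposes mirror the consentTypes object in the client-side modal.
REQUIRED_PURPOSES = {"necessary"}
OPTIONAL_PURPOSES = {"analytics", "marketing", "functional"}
CURRENT_POLICY_VERSION = "1.0"   # bump whenever the privacy notice changes

@dataclass
class ConsentRecord:
    user_id: str
    preferences: dict   # purpose -> bool, exactly as the client submitted it
    version: str        # privacy-notice version the user actually saw
    timestamp: str      # ISO-8601, set server-side: client clocks are not evidence

@dataclass
class ConsentLedger:
    """Append-only: a withdrawal is a new record, never an edit (Art. 7 proof of consent)."""
    records: list = field(default_factory=list)

    def record(self, user_id, preferences, version, now=None):
        # Reject unknown keys so a client cannot mint a consent purpose of its own.
        unknown = set(preferences) - REQUIRED_PURPOSES - OPTIONAL_PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(user_id, dict(preferences), version, stamp)
        self.records.append(rec)
        return rec

    def latest(self, user_id):
        """Most recent record for the user, or None if they never answered the modal."""
        return next((r for r in reversed(self.records) if r.user_id == user_id), None)

    def has_consent(self, user_id, purpose):
        """True only for a current, explicit opt-in; required purposes always pass."""
        if purpose in REQUIRED_PURPOSES:
            return True
        rec = self.latest(user_id)
        if rec is None or rec.version != CURRENT_POLICY_VERSION:
            return False   # never consented, or consented to an outdated notice
        return rec.preferences.get(purpose) is True   # missing key or non-bool is not consent
```

Because records are never edited, the ledger doubles as the audit trail the DPIA below asks for under "Consent bypass".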
## Right to Erasure (Art. 17)

```python
from flask import jsonify
from flask_jwt_extended import jwt_required, get_jwt_identity

# `app` (Flask) and `db` (a DB-API connection) are assumed to be set up elsewhere

@app.route('/api/user/data', methods=['DELETE'])
@jwt_required()  # flask_jwt_extended >= 4 requires the call parentheses
def delete_user_data():
    # Identity comes from the verified JWT, never from the request body
    user_id = get_jwt_identity()
    # 1. Anonymize or delete user data
    db.execute("UPDATE users SET email = NULL, name = 'Deleted User' WHERE id = %s", (user_id,))
    # 2. Delete related data
    db.execute("DELETE FROM user_analytics WHERE user_id = %s", (user_id,))
    db.execute("DELETE FROM sessions WHERE user_id = %s", (user_id,))
    # 3. Keep minimal audit log (legal requirement)
    db.execute("INSERT INTO deletion_log (user_id, deleted_at) VALUES (%s, NOW())", (user_id,))
    db.commit()  # all three steps land together or not at all
    return jsonify({"message": "Data deleted. Audit log retained for legal purposes."}), 200
```
## Data Protection Impact Assessment (DPIA)

```markdown
# DPIA: User Analytics System

## 1. Data Processing Description
- What: User behavior tracking (pages, clicks, time)
- Why: Product improvement
- How: Google Analytics + custom events
- Data: page views, feature usage, session duration

## 2. Necessity & Proportionality
- Necessary for product decisions? Yes
- Minimum data collected? Yes (no PII in analytics)
- Can we achieve with less data? Anonymized aggregates

## 3. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| Re-identification | Low | High | Anonymize IP, no user IDs |
| Data breach | Low | Med | Encrypt, access control |
| Consent bypass | Med | High | Audit consent logs |

## 4. Mitigation Measures
- IP anonymization
- No PII in analytics data
- Consent required before tracking
- 14-month data retention max
- Regular data deletion

## 5. Sign-off
- Data Protection Officer: [Sign]
- Product Manager: [Sign]
- Date: YYYY-MM-DD
```
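The erasure endpoint above and the DPIA's "14-month data retention max" / "Regular data deletion" measures share one database, so they are shown together here as an added example (not code from the original page or the project). It runs the same three erasure steps as a single transaction and adds the scheduled retention purge, against an in-memory SQLite schema constructed for the demo; table names, column names, `DEMO_NOW` and the sample rows are all assumptions.

```python
# Added example (not the page's code): Art. 17 erasure plus the DPIA's 14-month
# retention rule over a constructed in-memory SQLite schema; all names are assumptions.
import sqlite3
from datetime import datetime, timedelta, timezone
RETENTION_DAYS = 14 * 30                                 # 14 months, approximated in days
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)     # fixed clock for the sample data
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE user_analytics (user_id INTEGER, event TEXT, created_at TEXT);
CREATE TABLE sessions (user_id INTEGER, token TEXT);
CREATE TABLE deletion_log (user_id INTEGER, deleted_at TEXT);
"""

def open_db(now=DEMO_NOW):
    """Constructed sample rows (not real data): two users, one stale analytics event."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    fresh = (now - timedelta(days=10)).isoformat()
    stale = (now - timedelta(days=500)).isoformat()      # older than 14 months
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "Alice"), (2, "bob@example.com", "Bob")])
    conn.execute("INSERT INTO sessions VALUES (1, 'tok-1')")
    conn.executemany("INSERT INTO user_analytics VALUES (?, ?, ?)",
                     [(1, "page_view", fresh), (2, "page_view", fresh), (2, "click", stale)])
    conn.commit()
    return conn

def erase_user(conn, user_id, now=DEMO_NOW):
    """Art. 17: anonymize profile, drop derived data, keep one audit row, in ONE transaction."""
    with conn:  # commits on success, rolls back on any exception: no half-erased accounts
        cur = conn.execute(
            "UPDATE users SET email = NULL, name = 'Deleted User' WHERE id = ?", (user_id,))
        if cur.rowcount == 0:
            raise LookupError(f"no such user: {user_id}")
        conn.execute("DELETE FROM user_analytics WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        conn.execute("INSERT INTO deletion_log VALUES (?, ?)", (user_id, now.isoformat()))

def purge_expired_analytics(conn, now=DEMO_NOW, retention_days=RETENTION_DAYS):
    """Art. 5(1)(e) storage limitation: delete analytics past retention; returns rows removed."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with conn:
        return conn.execute("DELETE FROM user_analytics WHERE created_at < ?", (cutoff,)).rowcount

def subject_snapshot(conn, user_id):
    """What the system still holds about one user (also the basis of an Art. 15 access reply)."""
    email, name = conn.execute("SELECT email, name FROM users WHERE id = ?", (user_id,)).fetchone()
    counts = {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE user_id = ?", (user_id,)).fetchone()[0]
              for t in ("user_analytics", "sessions", "deletion_log")}  # fixed table names, not input
    return {"email": email, "name": name, **counts}
```

`subject_snapshot` is also the quickest way to verify, after an erasure, that only the `deletion_log` row remains.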
## Data Processing Agreement (DPA)

```markdown
# Data Processing Agreement

## 1. Processor Obligations
- Process data only on documented instructions
- Ensure confidentiality of personnel
- Implement appropriate security measures
- Assist controller with data subject rights
- Notify breaches within 48 hours
- Delete/return data after service termination

## 2. Sub-processors
- AWS (cloud infrastructure)
- SendGrid (email delivery)
- Stripe (payment processing)

## 3. Security Measures
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Access control (RBAC, MFA)
- Regular security audits
- Incident response plan

## 4. Data Breach Notification
- Processor notifies within 48 hours
- Includes: nature, categories, approximate number
- Measures taken or proposed
```
## GDPR Best Practices

| Practice | Implementation |
|----------|----------------|
| Lawful basis | Consent, legitimate interest, contract |
| Consent granularity | Separate toggles per purpose |
| Cookie banner | Before any non-essential cookies |
| Data map | What data, where, why, how long |
| ROPA | Record of processing activities |
| DPO | Appoint Data Protection Officer |
| Breach notification | 72h process established |
| Data portability | JSON/CSV export API |
| Privacy notice | Clear, accessible, updated |
| DPA with processors | Signed with all vendors |
## GDPR Key Principles

| Principle | Meaning | Implementation |
|-----------|---------|----------------|
| Lawfulness, fairness, transparency | Process data legally and openly | Privacy notice, consent records |
| Purpose limitation | Collect data only for specified purpose | Data inventory, usage audit |
| Data minimization | Collect only what's necessary | Review forms, remove unused fields |
| Accuracy | Keep data correct and up-to-date | Validation rules, update reminders |
| Storage limitation | Delete data when no longer needed | Retention policy, automated deletion |
| Integrity and confidentiality | Protect data from breaches | Encryption, access control, monitoring |
| Accountability | Prove compliance | Documentation, DPO, records of processing |
## Data Subject Rights

| Right | What It Means | Response Time |
|-------|---------------|---------------|
| Right to be informed | Tell users what data you collect | At collection point |
| Right of access | Users can see their data | 30 days |
| Right to rectification | Users can correct errors | 30 days |
| Right to erasure ("Right to be forgotten") | Users can request deletion | 30 days |
| Right to restrict processing | Users can limit how data is used | 30 days |
| Right to data portability | Users can export their data | 30 days |
| Right to object | Users can opt out of marketing | Immediate |
| Rights related to automated decision-making | Explain algorithm decisions | Ongoing |
## GDPR Fines

| Violation | Maximum Fine | Example |
|-----------|--------------|---------|
| Less severe | 2% of annual global turnover or €10M | Inadequate records |
| More severe | 4% of annual global turnover or €20M | No lawful basis for processing |
## Notable Fines

| Company | Fine | Year | Reason |
|---------|------|------|--------|
| Meta (Facebook) | €1.2B | 2023 | Illegal data transfers to US |
| Amazon | €746M | 2021 | Cookie consent violations |
| Meta (WhatsApp) | €225M | 2021 | Lack of transparency |
| Google | €50M | 2019 | Insufficient consent for ads |
## Summary
GDPR is the strictest data privacy regulation in the world. It gives individuals control over their personal data and imposes heavy fines for non-compliance.
Key takeaways:

- 7 principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability
- 8 rights: informed, access, rectification, erasure, restriction, portability, objection, automated decisions
- Fines up to 4% of global turnover or €20M, whichever is higher
- Privacy notice must be clear, concise, and transparent
- Data Protection Officer (DPO) required for large-scale processing
- Records of processing activities (ROPA) must be maintained
- Data Protection Impact Assessment (DPIA) required for high-risk processing
- International data transfers require adequacy decision or SCCs
## Next Chapter: ISO 27001
The next chapter covers ISO 27001 and the ISMS framework.