The GDPR (EU Regulation 2016/679) requires software developers to handle personal data with minimisation, purpose limitation, integrity and accountability. Compliance demands privacy by design, a DPIA for high-risk processing, records of processing activities, revocable consent management, AES-256 encryption and regular penetration tests.
In today's digital context, where personal data protection is a top priority, GDPR compliance has become an unavoidable responsibility for those developing software. Failing to comply with the regulation means exposing yourself to legal risk, financial penalties and damage to corporate reputation.
This article provides a practical, up-to-date checklist to help software houses, developers and companies build digital products compliant with the General Data Protection Regulation (GDPR).
What the GDPR is and why it matters in software development
The GDPR (EU Regulation 2016/679) came into force in 2018 with the aim of protecting the personal data of European Union citizens. It requires companies to handle data in a transparent, secure and responsible way.
Core principles of the GDPR:
- Data minimisation: collect only what is strictly necessary.
- Purpose limitation: use data only for the stated purpose.
- Integrity and confidentiality: protection against unauthorised access or loss.
- Accountability: responsibility for demonstrating compliance.
Personal data: what it is and how to identify it
What counts as personal data?
Any information that can directly or indirectly identify a natural person: name, email address, IP address, geolocation, cookies. Sensitive data includes information on health, political opinions, sexual orientation, and so on.
Where is it found in software?
- CRM: customer records, email history
- E-commerce: shipping details, purchase preferences
- HR platforms: payslips, leave requests, CVs

GDPR checklist for software development
1. Privacy by Design and by Default
Integrate data protection from the design phase. Ensure that the software's default settings safeguard users' privacy.
Practical examples:
- Automatic masking of sensitive data
- Public sharing disabled by default
2. Data Protection Impact Assessment (DPIA)
Mandatory when processing may involve high risks to individuals' rights.
How to carry it out:
- Mapping of collected data
- Risk analysis and mitigation measures
- Involvement of the DPO
3. Consent management
Consent must be explicit, freely given, informed and easily revocable.
Best practice:
- Clear flows for requesting consent
- Tracking and logging of every consent obtained
- Easy access to modify or revoke it
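The three consent practices above can be implemented as an append-only consent log. The following is an added example written for this article, not code from the original page: it assumes one consent per user and per stated purpose (purpose limitation), records where and under which privacy-notice version each consent was captured, and never deletes a grant when it is revoked, so the full history remains available for accountability. All names (ConsentEvent, ConsentLedger, the purpose strings) are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical consent ledger (added example, not the article's own code).
# Assumptions: consent is tracked per user and per purpose, and every grant or
# revocation is appended to an immutable event list so the controller can show
# who consented to what, when, through which flow, and under which notice text.


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # e.g. "marketing_email"; exactly one purpose per consent
    action: str           # "granted" or "revoked"
    timestamp: datetime   # timezone-aware
    source: str           # flow in which it was captured, e.g. "signup_form"
    policy_version: str   # version of the privacy notice the user actually saw


def ts(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []   # append-only; entries are never edited

    def _append(self, event: ConsentEvent) -> None:
        if event.timestamp.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def grant(self, user_id: str, purpose: str, source: str,
              policy_version: str, at: Optional[datetime] = None) -> None:
        # An "informed" consent must record where it was given and which notice
        # the user saw; refuse to log one without that evidence.
        if not source or not policy_version:
            raise ValueError("consent must record its source and policy version")
        self._append(ConsentEvent(user_id, purpose, "granted",
                                  at or datetime.now(timezone.utc),
                                  source, policy_version))

    def revoke(self, user_id: str, purpose: str, source: str,
               at: Optional[datetime] = None) -> None:
        # Revocation is logged as a new event; the original grant stays in the log.
        self._append(ConsentEvent(user_id, purpose, "revoked",
                                  at or datetime.now(timezone.utc), source, ""))

    def has_consent(self, user_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Replay the log up to `at`; the latest event for this user/purpose decides.
        No event at all means no consent (default deny)."""
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in sorted(self._events, key=lambda e: e.timestamp):
            if ev.user_id == user_id and ev.purpose == purpose and ev.timestamp <= at:
                state = ev.action == "granted"
        return state

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything logged for one data subject, e.g. for an access request."""
        return [ev for ev in self._events if ev.user_id == user_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("u1", "marketing_email", "signup_form", "v3", at=ts(2025, 1, 1))
    ledger.revoke("u1", "marketing_email", "account_settings", at=ts(2025, 2, 1))
    print(ledger.has_consent("u1", "marketing_email", at=ts(2025, 1, 15)))  # True
    print(ledger.has_consent("u1", "marketing_email", at=ts(2025, 3, 1)))   # False
```

Checking consent at a given point in time, rather than only "now", is what lets you answer the question a supervisory authority will actually ask: was this particular email sent while the user had valid consent?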
4. Access and authorisations
Define roles and privileges for each user, ensuring secure access to data.
Key measures:
- Two-factor authentication (2FA)
- Encryption of data in transit and at rest
5. Records of processing activities
Required to document processing activities, mandatory for companies with more than 250 employees or those handling sensitive data.
Minimum contents:
- Purposes
- Data categories
- Processors involved
Recommended tools:
6. Data retention and right to be forgotten
Define data retention policies and automatic deletion of data that is no longer needed.
Actions to implement:
- Deletion or anonymisation after a defined period
- Automated handling of deletion requests
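The two actions above, time-based deletion or anonymisation and automated handling of erasure requests, can be driven by a single retention policy table. The following is an added example written for this article, not code from the original page. It assumes a constructed policy in which support tickets are deleted a year after their last activity while orders are anonymised (identifying fields stripped, amounts kept for statistics) after ten years, and it assumes a hypothetical legal obligation to keep order records, so that an erasure request anonymises those instead of deleting them. Record kinds, field names, retention periods and sample records are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed retention policy (added example, not the article's own code):
# how long each record kind may be kept after its last activity, and what
# happens when that period ends. "delete" removes the record entirely;
# "anonymise" strips identifying fields and keeps the non-identifying rest.
RETENTION_POLICY: Dict[str, Tuple[timedelta, str]] = {
    "support_ticket": (timedelta(days=365), "delete"),
    "order": (timedelta(days=10 * 365), "anonymise"),
}

# Fields that identify a person, directly or indirectly (assumed set).
IDENTIFYING_FIELDS = {"user_id", "name", "email", "shipping_address", "ip"}

# Hypothetical: a legal obligation (e.g. tax law) forces orders to be kept,
# so an erasure request anonymises them rather than deleting them.
LEGAL_HOLD_KINDS = {"order"}


def anonymise(record: dict) -> dict:
    """Return a copy with every identifying field removed; the input is not mutated."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def apply_retention(records: List[dict], now: datetime,
                    policy=RETENTION_POLICY) -> Tuple[List[dict], List[str], List[str]]:
    """Scheduled sweep: returns (records to keep, deleted ids, anonymised ids)."""
    kept, deleted_ids, anonymised_ids = [], [], []
    for rec in records:
        if rec["kind"] not in policy:
            # Fail closed: an unknown kind means nobody decided how long to keep it.
            raise ValueError(f"no retention rule for record kind {rec['kind']!r}")
        max_age, action = policy[rec["kind"]]
        if now - rec["last_activity"] <= max_age:
            kept.append(rec)
        elif action == "delete":
            deleted_ids.append(rec["id"])
        else:
            kept.append(anonymise(rec))
            anonymised_ids.append(rec["id"])
    return kept, deleted_ids, anonymised_ids


def process_erasure_request(records: List[dict], user_id: str) -> List[dict]:
    """Right to be forgotten for one data subject: drop their records, except
    those under a legal hold, which are anonymised instead."""
    remaining = []
    for rec in records:
        if rec.get("user_id") != user_id:
            remaining.append(rec)
        elif rec["kind"] in LEGAL_HOLD_KINDS:
            remaining.append(anonymise(rec))
        # any other record of this user is dropped
    return remaining


# Constructed sample data for the example.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"kind": "support_ticket", "id": "t1", "user_id": "u1", "email": "a@example.com",
     "last_activity": NOW - timedelta(days=400), "subject": "login issue"},
    {"kind": "support_ticket", "id": "t2", "user_id": "u2", "email": "b@example.com",
     "last_activity": NOW - timedelta(days=10), "subject": "invoice copy"},
    {"kind": "order", "id": "o1", "user_id": "u1", "name": "Alice",
     "shipping_address": "1 Example St", "last_activity": NOW - timedelta(days=11 * 365),
     "amount_eur": 42.0},
    {"kind": "order", "id": "o2", "user_id": "u2", "name": "Bob",
     "shipping_address": "2 Example St", "last_activity": NOW - timedelta(days=30),
     "amount_eur": 15.5},
]

if __name__ == "__main__":
    kept, deleted, anonymised = apply_retention(SAMPLE_RECORDS, NOW)
    print("deleted:", deleted, "anonymised:", anonymised)   # ['t1'] ['o1']
    print("after erasure of u2:", process_erasure_request(kept, "u2"))
```

Keeping the policy in one table, and raising on any record kind that has no entry, means a new data category cannot silently accumulate without a retention decision; that decision is also exactly what the record of processing activities (section 5) has to document.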
7. Data security
Essential to prevent breaches. Preventive measures and advanced security techniques must be in place.
Essential measures:
- Encryption (AES-256, TLS 1.2 or above)
- Encrypted backups
- Regular penetration tests
Privacy isn't just a regulatory obligation; it's a value. Designing GDPR-compliant software means putting the user at the centre and building trust. This checklist gives you a concrete base from which to start or strengthen your compliance journey.