GDPR Technical Requirements: A Developer Checklist
UK GDPR and the Data Protection Act 2018 impose specific technical requirements on systems that process personal data. This article summarises the key technical requirements we implement in every project that handles personal data.
Data Minimisation
Collect only the personal data you actually need for the specified purpose. Every data field should be justified. We work with you at specification stage to eliminate unnecessary personal data collection.
Data Subject Rights
Systems must support the following rights technically:
- Right of access (SAR): Ability to extract all personal data about a specific individual
- Right to erasure ("right to be forgotten"): Ability to delete an individual's personal data across all systems and backups
- Right to rectification: Ability for users to correct inaccurate data
- Right to data portability: Export of personal data in a machine-readable format (JSON, CSV)
- Right to object/withdraw consent: Mechanism to withdraw consent with immediate effect
Privacy by Design
- Data retention periods configured and enforced automatically
- Pseudonymisation of personal data where analytics or testing purposes allow
- Encryption at rest and in transit for all personal data
- Access controls limiting who can access personal data to those with a legitimate need
- Audit logging of all access to personal data
Consent Management
Where consent is the lawful basis for processing, consent mechanisms must be: freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Cookie consent implementations must comply with the PECR as well as UK GDPR.