GDPR and custom software: what business owners must know

A practical guide to GDPR compliance in custom software in Croatia: what requirements you must meet, what it costs, the biggest traps, and how to avoid fines.

GDPR (the General Data Protection Regulation) applies to every piece of software that processes the personal data of EU citizens - which practically means every webshop, CRM, mobile app, and internal system you use. Implementing GDPR compliance in custom software typically adds 5-15% to total project scope and costs €2,000-€20,000+ depending on complexity. Fines for non-compliance can reach 4% of global annual revenue or €20 million, whichever is higher. This isn’t an optional investment.

This article breaks down what GDPR concretely requires for software, the typical traps, and how a development partner must build compliance into the product from day one.

What GDPR concretely requires from software

Six key requirements for any system that processes personal data:

1. Consent to collect data. The user must actively consent to data collection. “Consent” means the user ticks a checkbox that is unchecked by default, not “by using the site you agree.” Consent must be recorded (date, what they agreed to).

2. Right to access their data. The user must be able to see what data you have about them. Implementation: a self-service portal or an export on request (you must respond within 1 month).

3. Right to correction. The user can request correction of inaccurate data. There has to be a way to do it - either automatically (through user profile) or manually (through support).

4. Right to deletion (“right to be forgotten”). The user can request deletion of their data. The system must support proper deletion, not just “mark as deleted.”

5. Right to data portability. The user can request export of their data in a standard format (JSON, CSV, XML).

6. Breach notification. If data is compromised (hack, leak), you must notify the supervisory authority within 72 hours. That means your system needs monitoring that detects this quickly.

Technical implementation - what must be built into the code

What a development partner must build into the software:

  • Consent management: a system for collecting, storing, and withdrawing consent
  • Audit log: record of all access to personal data
  • Encryption in transit: TLS/HTTPS for all communications
  • Encryption at rest: sensitive data (passwords, financial) encrypted in the database
  • Data export mechanism: functionality for the user to download their data
  • Deletion mechanism: “hard delete” of personal data while keeping anonymized records for business needs
  • Backups and recovery: with the same security standards as production
  • Least-privilege access: employees only see data they actually need
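The list above describes the pieces; the following added example (not code from this article or from any particular development partner) shows how consent management, an audit log, a data export and a real erasure fit together in one small data model. It uses an in-memory SQLite database with a constructed schema and constructed sample rows (the user "Ana" and one order), so it runs offline; the table and column names are assumptions for illustration.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema: a real product would use its production database.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, country TEXT);
CREATE TABLE consents (user_id INTEGER, purpose TEXT, granted_at TEXT, withdrawn_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, amount_eur REAL, created_at TEXT);
CREATE TABLE audit_log (ts TEXT, actor TEXT, action TEXT, user_id INTEGER);
"""


def now():
    return datetime.now(timezone.utc).isoformat()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def log(conn, actor, action, user_id):
    """Audit log: who did what to whose data, and when."""
    conn.execute("INSERT INTO audit_log VALUES (?,?,?,?)", (now(), actor, action, user_id))


def record_consent(conn, user_id, purpose, checkbox_ticked):
    """Store consent only for an explicit opt-in; a box the user never ticked is not consent."""
    if not checkbox_ticked:
        return False
    conn.execute("INSERT INTO consents (user_id, purpose, granted_at) VALUES (?,?,?)",
                 (user_id, purpose, now()))
    log(conn, "user", f"consent:{purpose}", user_id)
    return True


def has_consent(conn, user_id, purpose):
    row = conn.execute(
        "SELECT 1 FROM consents WHERE user_id=? AND purpose=? AND withdrawn_at IS NULL",
        (user_id, purpose)).fetchone()
    return row is not None


def withdraw_consent(conn, user_id, purpose):
    """Withdrawal keeps the original record (with a withdrawn_at date) as evidence."""
    conn.execute("UPDATE consents SET withdrawn_at=? WHERE user_id=? AND purpose=? AND withdrawn_at IS NULL",
                 (now(), user_id, purpose))
    log(conn, "user", f"withdraw:{purpose}", user_id)


def export_user_data(conn, user_id, actor):
    """Right of access / portability: everything held about the user, as JSON."""
    log(conn, actor, "export", user_id)
    user = conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
    if user is None:
        return None
    data = {
        "user": dict(user),
        "consents": [dict(r) for r in conn.execute("SELECT * FROM consents WHERE user_id=?", (user_id,))],
        "orders": [dict(r) for r in conn.execute("SELECT * FROM orders WHERE user_id=?", (user_id,))],
    }
    return json.dumps(data, indent=2)


def erase_user(conn, user_id, actor):
    """Right to erasure: hard-delete identifying data; orders are anonymized, not deleted,
    so revenue totals survive for accounting. Only the numeric id stays in the audit log."""
    log(conn, actor, "erase", user_id)
    conn.execute("UPDATE orders SET user_id=NULL WHERE user_id=?", (user_id,))
    conn.execute("DELETE FROM consents WHERE user_id=?", (user_id,))
    conn.execute("DELETE FROM users WHERE id=?", (user_id,))
    conn.commit()


def demo():
    conn = open_db()
    # Constructed sample data
    conn.execute("INSERT INTO users VALUES (1,'ana@example.test','Ana','HR')")
    conn.execute("INSERT INTO orders (user_id, amount_eur, created_at) VALUES (1, 49.90, ?)", (now(),))
    record_consent(conn, 1, "newsletter", checkbox_ticked=False)  # ignored: no opt-in
    record_consent(conn, 1, "newsletter", checkbox_ticked=True)
    consent_before = has_consent(conn, 1, "newsletter")
    withdraw_consent(conn, 1, "newsletter")
    consent_after = has_consent(conn, 1, "newsletter")
    export = export_user_data(conn, 1, "support")
    erase_user(conn, 1, "support")
    return {
        "consent_before": consent_before,
        "consent_after": consent_after,
        "export": export,
        "remaining_users": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
        "kept_revenue": conn.execute("SELECT SUM(amount_eur) FROM orders").fetchone()[0],
        "audit_actions": [r["action"] for r in conn.execute("SELECT action FROM audit_log ORDER BY rowid")],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noticing: the erasure does not simply set a "deleted" flag, it removes the user and consent rows and strips the link from the orders, and every access to personal data (export, erase, consent changes) leaves an audit entry before the action is performed, so the log is complete even if a later step fails.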

Hidden GDPR costs people forget

Development is one thing, but GDPR has long-term costs:

  • DPO (Data Protection Officer): if you process large amounts of personal data, you must appoint one. External DPO: €200-€800/month.
  • Legal review. Privacy policy, terms of service, data processor agreements - every time you significantly change them, a review is needed. €500-€2,000/year.
  • Employee training. Required annually, especially for the team with data access. €500-€3,000/year.
  • Periodic audits. Technical and legal system reviews. €1,500-€5,000/year.
  • Responding to user requests. If you have a lot of users, requests for access/deletion come in. Typically 1-3 hours per request.

Total annual cost of maintaining GDPR compliance for a small/mid-sized company: €3,000-€15,000.

5 most common GDPR mistakes in software

1. Consent “hidden” in terms. The user “consents” by using the site. Not legal consent under GDPR. There must be an explicit checkbox that is NOT pre-checked.

2. Deletion as “mark as deleted.” User requests deletion, you say OK, but the data stays in the database. Not compliant. Real deletion means actually removing from the production database and backups (or anonymizing).

3. Passwords in plaintext or poorly hashed. Passwords must be hashed with a modern function (Argon2, bcrypt). Not MD5, not SHA1 - all of that counts as “unencrypted” for GDPR.

4. No audit log. GDPR requires knowing “who accessed the data and when.” Without an audit log, you can prove neither your own innocence nor anyone else’s in a breach.

5. Third parties without DPA contracts. Using Mailchimp? Google Analytics? Stripe? Each is a “data processor” and needs a Data Processing Agreement (DPA). Without one, you risk a fine.
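Mistake 3 above is the one a developer fixes entirely in code. The added example below (not from this article) contrasts unsalted MD5 with a salted, deliberately slow password hash and a constant-time verification. The article recommends Argon2 or bcrypt, which need third-party packages; to stay dependency-free this example uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in that shows the same three properties (per-user random salt, tunable cost, constant-time compare). The iteration count and the stored-string format are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: tune so one hash takes roughly 100 ms on your production hardware.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def weak_hash(password):
    """What NOT to do: unsalted MD5. Every user with the same password gets the
    same hash, so one leaked table reveals shared passwords at a glance."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. A fresh 16-byte random salt per user means two users
    with the same password store different values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record: algorithm, cost, salt, digest (all hex).
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time so the
    comparison itself leaks nothing about how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # legacy or malformed record: force a reset, never fall back to MD5
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored):
    """True when the record was made with a weaker cost than today's policy,
    so it can be upgraded transparently on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < ITERATIONS


def demo():
    # Constructed sample: two users who happen to choose the same password.
    pw = "correct horse battery staple"
    return {
        "md5_collide": weak_hash(pw) == weak_hash(pw),          # True: the weakness
        "salted_differ": hash_password(pw) != hash_password(pw),  # True: the fix
        "verify_ok": verify_password(pw, hash_password(pw)),
        "verify_wrong": verify_password("wrong", hash_password(pw)),
        "legacy_rejected": verify_password(pw, weak_hash(pw)),
    }


if __name__ == "__main__":
    print(demo())
```

When migrating an existing system that stored MD5 or SHA1 hashes, do not try to "convert" them: there is no password to rehash. Treat every legacy record as needing a reset or rehash it on the next successful login, which is what the `needs_rehash` check supports.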

How a development partner must bake GDPR into the process

A proper flow for a new project:

Discovery phase:

  • Inventory of all personal data the system processes
  • Mapping where data comes from, how it’s used, where it goes
  • Defining retention periods for each data type

Development:

  • Implementing consent management from the start
  • Encryption in transit and at rest as standard
  • Audit log for all access to personal data
  • User portal for data access and export

Pre-launch:

  • Review of privacy policy and terms of service
  • DPA contracts with all third parties
  • Security pen-test
  • Breach response plan (how to react if the system is attacked)

Post-launch:

  • Periodic audits (annually)
  • Monitoring GDPR regulatory changes and adapting
  • Training new employees
  • Responding to user requests

A development partner who doesn’t mention GDPR in the first conversation is a red flag.

Local market specifics

The supervisory authority is the data protection regulator. Their guidance takes precedence over generic EU advice within the country.

The national GDPR implementation law adds some local specifics - e.g., mandatory use of the local language in privacy policies for local users.

Fines can reach the European maximum, but the authority usually prefers a warning before a fine, especially for small and mid-sized companies trying to be compliant.

Frequently asked questions

Do I need a DPO for a small company? Depends on the scope of processing. If you regularly process sensitive data (health, financial) or have “large-scale systematic monitoring,” a DPO is mandatory. For most small companies - no, but appointing a GDPR-responsible person is recommended.

How often are fines actually issued? The authority rarely issues maximum fines. Typical fines for small and mid-sized companies: €2,000-€20,000. Larger fines (€100,000+) go for systemic failures or large data leaks.

What if our old system isn’t GDPR-compliant? You have two options: (1) upgrade the existing system (€2,000-€15,000 depending on complexity) or (2) migrate to a new GDPR-compliant system. The second option is usually the right answer if the old system has other issues.

Can I be liable if the development partner makes a GDPR mistake? Yes. You are the “data controller” - ultimately responsible for compliance. The development partner is the “data processor” and is responsible to you. That’s why the contract with the development partner must have a DPA clause.

Need a GDPR audit or a new system?

Book a free Discovery call. We review your current system from both a legal and technical angle, identify risks, and propose a realistic compliance plan - no panic and no fear-mongering.

Reach out at [email protected] or through the form on our homepage.
