GDPR and custom software: what business owners must know

A practical guide to GDPR compliance in custom software in Croatia: requirements, costs, the biggest traps, and how to avoid fines.

GDPR applies to every piece of software that processes the personal data of people in the EU, whatever their citizenship - in practice, every webshop, CRM, mobile app, and internal system. Building GDPR into custom software typically adds 5-15% to project scope and costs €2,000-€20,000+. Fines reach up to 4% of global annual turnover or €20 million, whichever is higher. This is not optional.

What GDPR concretely requires

Six core requirements for any system processing personal data:

  1. Consent, where consent is the lawful basis. Active opt-in via an unchecked box (pre-ticked boxes and silence do not count), recorded with date and scope, and as easy to withdraw as it was to give.
  2. Right to access - a portal or export, delivered within one month of the request.
  3. Right to correction of inaccurate data.
  4. Right to deletion (“right to be forgotten”) - real deletion of the data, not a “deleted” flag.
  5. Right to portability - export in a structured, machine-readable format such as JSON, CSV, or XML.
  6. Breach notification to the supervisory authority within 72 hours of becoming aware of it - which requires monitoring and an incident-response process that exists before the breach.

Technical implementation

What a development partner must build in:

  • Consent management (collect, store with timestamp and scope, withdraw)
  • Audit log of every access to personal data: who, what, when
  • Encryption in transit (TLS) and at rest (for example AES-256), with keys managed separately from the data
  • Data export and hard-deletion mechanisms, with deletion that also reaches backups or a defined backup retention period
  • Backups protected to the same standard as production (encrypted, access-controlled, tested)
  • Least-privilege access for staff: each role sees only the personal data its job requires

Hidden ongoing costs

Development is one cost; GDPR also creates long-term obligations:

  • DPO (external): €200-€800/month if required
  • Legal review: €500-€2,000/year
  • Employee training: €500-€3,000/year
  • Periodic audits: €1,500-€5,000/year
  • User requests: 1-3 hours each

Total annual maintenance for an SMB: €3,000-€15,000.

The 5 most common mistakes

  1. Consent hidden in terms. “By using the site you agree” is not valid consent.
  2. Soft deletion. Marking records “deleted” while the personal data stays in the database (and in every backup) is non-compliant.
  3. Plaintext or unsalted MD5/SHA-1 passwords. Use a salted, deliberately slow password hash such as Argon2 or bcrypt.
  4. No audit log. Without it, you cannot show who accessed what, or demonstrate accountability in a breach investigation.
  5. Third parties without DPAs. Mailchimp, Google Analytics, Stripe - every processor that handles your users’ data needs a Data Processing Agreement.
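The following is an added example, not code from the article or from any vendor it mentions. It implements, on an in-memory SQLite database with constructed sample data, the mechanisms listed under “Technical implementation” and shows concretely why the soft-deletion mistake above fails: consent stored as an explicit opt-in with timestamp and scope, an audit-log entry on every read of personal data, a JSON portability export, and hard deletion (row removed) beside a soft-delete flag (row still there). All table, column and function names are this example's own assumptions.

```python
"""Minimal GDPR-aware data store (added example; table/function names are assumptions)."""
import json
import sqlite3
from datetime import datetime, timezone


def now() -> str:
    return datetime.now(timezone.utc).isoformat()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, name TEXT,
                           deleted INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE consents(user_id INTEGER, scope TEXT, given_at TEXT, withdrawn_at TEXT);
        CREATE TABLE audit_log(ts TEXT, actor TEXT, action TEXT, user_id INTEGER);
    """)
    return db


def audit(db, actor, action, user_id):
    db.execute("INSERT INTO audit_log VALUES (?,?,?,?)", (now(), actor, action, user_id))


def create_user(db, email, name, actor):
    uid = db.execute("INSERT INTO users(email,name) VALUES (?,?)", (email, name)).lastrowid
    audit(db, actor, "create", uid)
    return uid


def record_consent(db, user_id, scope, opted_in):
    # Only an active opt-in creates a record; a pre-ticked or silent default stores nothing.
    if not opted_in:
        return False
    db.execute("INSERT INTO consents VALUES (?,?,?,NULL)", (user_id, scope, now()))
    return True


def withdraw_consent(db, user_id, scope):
    db.execute("UPDATE consents SET withdrawn_at=? WHERE user_id=? AND scope=? "
               "AND withdrawn_at IS NULL", (now(), user_id, scope))


def has_consent(db, user_id, scope):
    row = db.execute("SELECT 1 FROM consents WHERE user_id=? AND scope=? "
                     "AND withdrawn_at IS NULL", (user_id, scope)).fetchone()
    return row is not None


def read_user(db, user_id, actor):
    # Every access to personal data leaves an audit entry naming who read it.
    audit(db, actor, "read", user_id)
    row = db.execute("SELECT id,email,name FROM users WHERE id=? AND deleted=0",
                     (user_id,)).fetchone()
    return None if row is None else {"id": row[0], "email": row[1], "name": row[2]}


def export_user(db, user_id, actor):
    # Right to portability: everything held about the subject, machine-readable.
    user = read_user(db, user_id, actor)
    consents = [{"scope": s, "given_at": g, "withdrawn_at": w} for s, g, w in db.execute(
        "SELECT scope,given_at,withdrawn_at FROM consents WHERE user_id=?", (user_id,))]
    return json.dumps({"user": user, "consents": consents}, indent=2)


def soft_delete_user(db, user_id):
    # The non-compliant variant: the application hides the row, the personal data stays.
    db.execute("UPDATE users SET deleted=1 WHERE id=?", (user_id,))


def hard_delete_user(db, user_id, actor):
    # Right to erasure: remove the personal data itself. The audit log keeps only the
    # fact that a deletion happened, not the data that was deleted.
    db.execute("DELETE FROM consents WHERE user_id=?", (user_id,))
    db.execute("DELETE FROM users WHERE id=?", (user_id,))
    audit(db, actor, "delete", user_id)


def raw_row_exists(db, user_id):
    # What a breach, a dump or an auditor sees: is the personal data still stored?
    return db.execute("SELECT 1 FROM users WHERE id=?", (user_id,)).fetchone() is not None


def demo():
    db = open_db()
    uid = create_user(db, "ana@example.com", "Ana", actor="signup-form")  # constructed data
    record_consent(db, uid, "newsletter", opted_in=True)
    record_consent(db, uid, "profiling", opted_in=False)   # stores nothing
    withdraw_consent(db, uid, "newsletter")
    export = export_user(db, uid, actor="support-agent")
    soft_delete_user(db, uid)
    still_there = raw_row_exists(db, uid)      # True: soft delete leaves the data behind
    hard_delete_user(db, uid, actor="support-agent")
    gone = not raw_row_exists(db, uid)         # True
    reads = db.execute("SELECT COUNT(*) FROM audit_log WHERE action='read'").fetchone()[0]
    return {"export": json.loads(export), "after_soft_delete": still_there,
            "after_hard_delete": gone, "read_entries": reads}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: `read_user` writes the audit entry before returning data, so a read that fails half-way is still recorded, and the audit log stores only user IDs and actions, never a copy of the personal data, so it does not itself become a second store you would have to erase. In a real system the same hard delete must be scheduled against backups, or the backup retention period must be documented as the point at which erasure completes.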
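The password point in mistake 3 deserves its own demonstration. The block below is an added example, not code from the article: it shows why unsalted MD5 fails (every user with the same password gets the same hash, and a guess costs microseconds) and what a salted, deliberately slow password hash looks like in practice. The article recommends Argon2 or bcrypt, which need a third-party package (argon2-cffi or bcrypt); to run with no dependencies this example uses `hashlib.scrypt` from the standard library as a stand-in from the same family (salted, memory-hard, tunable cost). The cost parameters and the `$`-separated record format are this example's own assumptions.

```python
"""Unsalted MD5 versus a salted, slow KDF (added example; scrypt stands in for Argon2/bcrypt)."""
import hashlib
import hmac
import os

N, R, P = 2 ** 14, 8, 1   # scrypt cost: 16 MiB of memory per hash at these settings (assumed)


def md5_hash(password: str) -> str:
    # The mistake: no salt, so identical passwords collide and rainbow tables apply.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt=None) -> str:
    salt = salt or os.urandom(16)          # fresh random salt per stored password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    # Self-describing record so the cost can be raised later without breaking old rows.
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo():
    pw = "Summer2024!"   # constructed sample password
    return {
        "md5_collides": md5_hash(pw) == md5_hash(pw),             # True: one hash for everyone
        "scrypt_differs": hash_password(pw) != hash_password(pw),  # True: salt differs per record
        "verify_ok": verify_password(pw, hash_password(pw)),
        "verify_wrong": verify_password("summer2024!", hash_password(pw)),
    }


if __name__ == "__main__":
    print(demo())
```

When you swap in Argon2 or bcrypt, keep the same shape: the library generates the salt, the record carries its own parameters, and verification uses the library's constant-time compare rather than `==`.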

Frequently Asked Questions

Do I need a DPO for a small company? Only if your core activities involve large-scale processing of special categories of data (health, biometric, genetic, and similar) or criminal-conviction data, or large-scale regular and systematic monitoring of people; public authorities must appoint one regardless of size. Otherwise no, but appoint a named person responsible for GDPR.

How often are fines actually issued? Maximum fines are rare. Typical SMB fines: €2,000-€20,000. Six-figure fines are reserved for systemic failures or major leaks.

What if our old system is not GDPR-compliant? Two options: upgrade (€2,000-€15,000) or migrate to a new system. Migration is usually right when the old system has other issues too.

Am I liable if my development partner makes a mistake? Yes - you are the data controller. Your contract must include a DPA clause covering the processor’s responsibilities.

Need a GDPR audit or a new system?

Book a free Discovery call. We will review your current system from legal and technical angles, identify risks, and propose a realistic compliance plan - no panic, no fear-mongering.

Reach out at [email protected] or via the form on our homepage.
