GDPR for Developers: What Your Website Must Do
GDPR isn't just a legal document. It has specific technical requirements that affect how you build web applications. Here's what you need to implement.
Key Takeaway
GDPR applies to any website with EU visitors that collects personal data, including cookie identifiers and IP addresses. The technical requirements: HTTPS, consent before tracking, data minimization, encryption at rest, 72-hour breach notification, and the ability to delete user data on request.
Does GDPR Apply to You?
If your website has visitors from the EU/EEA and you collect any personal data, yes. "Personal data" under GDPR includes: names, email addresses, IP addresses, cookie identifiers, device fingerprints, and location data. If you run Google Analytics or set a session cookie, you're processing personal data.
It doesn't matter where your company is based. A US company with European users must comply. The official GDPR regulation (Article 3) makes this explicit.
Consent Management
You need a lawful basis to process personal data. For analytics and marketing cookies, that basis is almost always consent. The requirements for valid consent:
- Consent must be freely given. No "accept all or leave" dark patterns
- Consent must be specific. Separate toggles for analytics, marketing, functional cookies
- Consent must be informed. Explain what data you collect and why
- Pre-checked boxes are illegal. Opt-in, not opt-out
- Withdrawing consent must be as easy as giving it
- No tracking before consent. Don't load Google Analytics until the user clicks "Accept"
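The six rules above reduce to a small piece of logic: nothing non-essential runs until a stored, current, per-category "yes" exists, and withdrawing is one call. The consent manager below is an added example, not code from the article; the category names, storage key and version constant are assumptions. The storage adapter is injected so the same logic runs under Node for testing and in the browser with window.localStorage.

```javascript
// Added example, not code from the original article: a small consent manager
// whose logic runs in Node (for testing) or in the browser (pass
// window.localStorage as the storage adapter). Category names, the storage
// key and the version constant are assumptions made for this illustration.
const CONSENT_VERSION = 1;                       // bump when the cookie policy changes
const CATEGORIES = ['functional', 'analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent';

function createConsentManager(storage, now = () => Date.now()) {
  // Returns the stored consent record, or null when there is none or it is
  // stale. No record means nothing non-essential may run (opt-in by default).
  function current() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === CONSENT_VERSION ? rec : null;
  }

  function hasConsent(category) {
    const rec = current();
    return rec !== null && rec.choices[category] === true;
  }

  // Persist the user's explicit choices. Anything not explicitly true is
  // treated as refused, so there is no way to "pre-check" a category.
  function record(choices) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = choices[c] === true;
    const rec = {
      version: CONSENT_VERSION,
      at: new Date(now()).toISOString(),           // evidence of when consent was given
      choices: normalized,
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal is one call per category: as easy as granting.
  function withdraw(category) {
    const rec = current() || record({});
    rec.choices[category] = false;
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Gate a third-party loader (e.g. the analytics snippet) on consent.
  // Returns true only if the loader actually ran.
  function loadIfConsented(category, loader) {
    if (!hasConsent(category)) return false;
    loader();
    return true;
  }

  return { current, hasConsent, record, withdraw, loadIfConsented };
}

// In-memory stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Usage: nothing loads until the user saves a choice, then only what was ticked.
const demo = createConsentManager(memoryStorage());
let analyticsLoaded = false;
demo.loadIfConsented('analytics', () => { analyticsLoaded = true; });   // false: no consent yet
demo.record({ functional: true, analytics: true });                     // user ticked two boxes
demo.loadIfConsented('analytics', () => { analyticsLoaded = true; });   // true
demo.loadIfConsented('marketing', () => {});                             // false: not ticked
```

Two design points worth keeping when you adapt this: the version check means a changed cookie policy silently invalidates old consent, so the banner reappears instead of old choices being stretched to cover new purposes; and record() only stores values that are explicitly true, so a bug in the banner cannot turn into a pre-checked box.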
Data Minimization
Only collect data you actually need. If your signup form asks for name, email, phone, address, date of birth, and company, but the feature only needs an email address to function, you're violating data minimization.
Audit every form field: can the feature work without this data? If yes, remove the field. Store data for the minimum time necessary. Set retention policies and automate deletion.
Encryption Requirements
GDPR Article 32 requires "appropriate technical measures" to protect personal data. In practice, this means:
- Encryption in transit. TLS 1.2+ on all pages. No HTTP fallback. HSTS header enabled.
- Encryption at rest. Encrypt personal data in your database. Use your database's built-in encryption or application-level encryption for sensitive fields.
- Password hashing. Bcrypt, scrypt, or Argon2. Never MD5 or SHA-1.
- Key management. Encryption keys stored separately from encrypted data. Use a key management service (AWS KMS, GCP KMS, Vault).
Breach Notification
If personal data is compromised, you have 72 hours to notify your supervisory authority (the data protection authority in your EU member state). If the breach poses a high risk to individuals, you must also notify affected users "without undue delay."
This means you need: breach detection capabilities (logging, monitoring, alerting), an incident response plan, and contact details for your supervisory authority. The ICO breach reporting guidance provides a practical template.
User Rights You Must Support
- Right of access (Article 15). Users can request a copy of all data you hold about them
- Right to rectification (Article 16). Users can correct inaccurate data
- Right to erasure (Article 17). "Right to be forgotten." Delete all personal data on request.
- Right to data portability (Article 20). Provide data in a machine-readable format (JSON, CSV)
- Right to object (Article 21). Users can opt out of processing for direct marketing at any time
Build these as features. An admin panel where you can export and delete user data. An unsubscribe link that actually works. A settings page where users control their data.
Privacy by Design
GDPR Article 25 requires "data protection by design and by default." Concretely:
- Default settings should be the most privacy-friendly option
- New features should be evaluated for privacy impact before launch
- Access to personal data should be restricted to those who need it
- Data should be pseudonymized where possible
Developer Checklist
- HTTPS everywhere with HSTS
- Cookie consent banner with genuine opt-in (no pre-checked boxes)
- No tracking scripts before consent
- Privacy policy linked from every page
- Data export endpoint (JSON/CSV)
- Account deletion endpoint that removes all personal data
- Password hashing with bcrypt/Argon2
- Encryption at rest for sensitive database fields
- Security logging and breach detection
- Documented incident response procedure
ismycodesafe.com Security Team
We run automated security scans on thousands of websites daily, combining static analysis, SSL/TLS inspection, header auditing, and CVE lookups. Our team tracks OWASP, NIST, and evolving compliance requirements (GDPR, NIS2, PCI DSS) to keep these guides accurate and practical.