GDPR for Developers
A practical guide to GDPR compliance for developers. What you need to build and why.
Key GDPR Principles
Lawfulness & Consent
You need a legal basis to process personal data. For most apps, this means clear consent.
Purpose Limitation
Only collect data for specific, stated purposes. Don't repurpose without consent.
Data Minimization
Only collect data you actually need. Less data = less risk.
Storage Limitation
Don't keep data longer than necessary. Define retention periods.
Security
Protect personal data with appropriate technical measures.
User Rights You Must Support
Users can request a copy of their data
Implementation: Build data export functionality. Respond within 30 days.
Users can correct inaccurate data
Implementation: Allow profile editing. Have a process for corrections.
Users can request deletion ('right to be forgotten')
Implementation: Build account deletion. Actually delete the data, not just flag it as deleted.
Users can get their data in machine-readable format
Implementation: JSON/CSV export of user data.
Users can object to certain processing
Implementation: Opt-out mechanisms for marketing, profiling.
Technical Requirements
HTTPS everywhere. Encrypt sensitive data at rest. Secure key management.
Role-based access. Principle of least privilege. Audit logs.
Export functionality in common formats (JSON, CSV).
Complete account deletion. Cascade through all systems. Account for copies held in backups.
Record consent. Allow withdrawal. Granular consent options.
Monitoring for unauthorized access. 72-hour breach notification requirement.
Common GDPR Mistakes in Vibe-Coded Apps
- No cookie consent banner (or one that doesn't actually block cookies)
- No way for users to delete their accounts and data
- Collecting email for signup, then auto-adding to marketing lists
- No privacy policy, or a generic one that doesn't match actual practices
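To make the consent requirements above concrete (record it, allow withdrawal, keep it granular per purpose) and to avoid the signup-to-marketing-list mistake, here is an added example that is not from the original page: an append-only consent ledger in Python on SQLite, plus a guard that refuses to add a user to a mailing list without a current "marketing" opt-in. The table, column and function names are this example's own assumptions, not a standard.

```python
import sqlite3
from datetime import datetime, timezone

# Append-only ledger: each grant or withdrawal is a new row, so the evidence
# (which purpose, when, which policy version the user saw) is never lost.
SCHEMA = """CREATE TABLE consent_events (id INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL, purpose TEXT NOT NULL,  -- purpose is granular: 'marketing', ...
    granted INTEGER NOT NULL,                      -- 1 = granted, 0 = withdrawn
    policy_v TEXT NOT NULL, at_utc TEXT NOT NULL)"""

class ConsentLedger:
    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(SCHEMA)

    def _record(self, user_id, purpose, granted, policy_v):
        self.conn.execute(
            "INSERT INTO consent_events (user_id, purpose, granted, policy_v, at_utc)"
            " VALUES (?, ?, ?, ?, ?)",
            (user_id, purpose, int(granted), policy_v,
             datetime.now(timezone.utc).isoformat()))

    def grant(self, user_id, purpose, policy_v):
        self._record(user_id, purpose, True, policy_v)

    def withdraw(self, user_id, purpose):
        self._record(user_id, purpose, False, "withdrawn")  # new row, grant stays auditable

    def has_consent(self, user_id, purpose):
        # The latest event for this user and purpose decides; no event = no consent.
        row = self.conn.execute(
            "SELECT granted FROM consent_events WHERE user_id = ? AND purpose = ?"
            " ORDER BY id DESC LIMIT 1", (user_id, purpose)).fetchone()
        return bool(row and row[0])

def add_to_marketing_list(ledger, user_id, mailing_list):
    """Signup is not marketing consent: add the user only after an explicit opt-in."""
    if not ledger.has_consent(user_id, "marketing"):
        return False
    mailing_list.add(user_id)
    return True

def demo():
    ledger = ConsentLedger(sqlite3.connect(":memory:"))  # constructed in-memory store
    mailing = set()
    blocked = add_to_marketing_list(ledger, "u1", mailing)  # False: no marketing opt-in yet
    ledger.grant("u1", "marketing", "v3")
    added = add_to_marketing_list(ledger, "u1", mailing)    # True
    ledger.withdraw("u1", "marketing")
    return blocked, added, ledger.has_consent("u1", "marketing"), sorted(mailing)
```

Because withdrawal is recorded as an event rather than an update, the ledger doubles as the audit record you need when a user asks what they agreed to and when.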
Check Your Application's Security
GDPR requires appropriate security measures. VAS scans for vulnerabilities that could lead to data breaches—a core GDPR concern.
Frequently Asked Questions
Does GDPR apply to my startup?
If you have users in the EU, yes—regardless of where your company is based. If you specifically target EU users (EU language, EU currency, EU marketing), definitely yes. Even if you're a small US startup, EU users trigger GDPR obligations.
What's the penalty for GDPR violations?
Up to €20 million or 4% of global annual revenue, whichever is higher. In practice, small startups rarely face maximum fines, but enforcement is increasing. More likely: reputational damage, user trust loss, and having to retrofit compliance.
Do I need a Data Protection Officer (DPO)?
Only if you: process data on a large scale as a core activity, or process special category data (health, biometric, etc.) at scale. Most startups don't need one, but you should have someone responsible for data protection.
What counts as personal data?
Any data that can identify a person directly or indirectly: name, email, IP address, device ID, location data, cookies that can identify users. Broader than you might think. When in doubt, treat it as personal data.
How do I handle third-party services?
You need Data Processing Agreements (DPAs) with all third parties that process your users' data. Most major services (AWS, Stripe, etc.) offer GDPR-compliant DPAs. You're responsible for your vendors' compliance.
Last updated: January 16, 2026