GDPR Essentials

Lawful basis, purpose limitation, retention, subject access — the four duties that show up in every audit.

Overview

Why it matters

GDPR articles cluster into a small set of operational duties; the legal text is dense, the operational checklist is short.

Going deeper

The engineering implications of GDPR's top principles:

  • Lawful Basis & Consent: You need a metadata field (e.g. consent_version, lawful_basis) attached to the incoming record. It can't just be an implicit assumption.
  • Purpose Limitation: Once data lands in the lake, you must restrict who can query it. An ML team cannot automatically use billing data to train a recommendation engine unless the user consented to that specific purpose.
  • Data Minimisation: Don't SELECT * and dump everything into the CRM. Send only the fields explicitly needed.
  • Storage Limitation (Retention): A cron job that deletes data older than X years is not a 'nice to have'; it is a legal requirement. Soft deletes (is_deleted=1) often don't pass audits, because the personal data is still there; you must eventually hard delete.
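The four duties in the list above, modelled end to end on a small SQLite table. This is an added example written for this page, not code from the page's author or from any real warehouse: the schema, column names (`lawful_basis`, `consent_version`, `purposes`), the two-year retention window and the sample records are all constructed for illustration. Ingest refuses records that arrive without their lawful-basis metadata, queries must name a purpose and the exact columns they need, and the retention sweep and erasure path are hard deletes.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention policy; the real value comes from your records schedule.
RETENTION_DAYS = 2 * 365
# Columns a caller may ask for; anything else is never projected out (no SELECT *).
EXPORTABLE_FIELDS = {"email", "billing_total"}


def new_db():
    """In-memory store standing in for the warehouse table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute(
        """CREATE TABLE users (
               id INTEGER PRIMARY KEY,
               email TEXT NOT NULL,
               billing_total REAL,
               lawful_basis TEXT NOT NULL,
               consent_version TEXT,
               collected_at TEXT NOT NULL)"""
    )
    conn.execute(
        """CREATE TABLE user_purposes (
               user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
               purpose TEXT NOT NULL)"""
    )
    return conn


def ingest(conn, record):
    """Lawful basis & consent: the metadata travels with the record or it is rejected."""
    basis = record.get("lawful_basis")
    if not basis:
        raise ValueError("record arrived without lawful_basis")
    if basis == "consent" and not record.get("consent_version"):
        raise ValueError("consent-based record needs consent_version")
    if not record.get("purposes"):
        raise ValueError("record must declare at least one purpose")
    cur = conn.execute(
        "INSERT INTO users (email, billing_total, lawful_basis, consent_version, collected_at)"
        " VALUES (?, ?, ?, ?, ?)",
        (record["email"], record.get("billing_total"), basis,
         record.get("consent_version"), record["collected_at"]),
    )
    conn.executemany(
        "INSERT INTO user_purposes (user_id, purpose) VALUES (?, ?)",
        [(cur.lastrowid, p) for p in record["purposes"]],
    )
    return cur.lastrowid


def query_for_purpose(conn, purpose, fields):
    """Purpose limitation + data minimisation: only rows that carry the requested
    purpose are returned, and only the columns the caller explicitly named."""
    if not fields:
        raise ValueError("name the fields you need")
    unknown = set(fields) - EXPORTABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not exportable: {sorted(unknown)}")
    cols = ", ".join(f"u.{f}" for f in fields)  # validated against the allow-list above
    return conn.execute(
        f"SELECT {cols} FROM users u"
        " JOIN user_purposes p ON p.user_id = u.id"
        " WHERE p.purpose = ? ORDER BY u.id",
        (purpose,),
    ).fetchall()


def retention_sweep(conn, now):
    """Storage limitation: hard-delete rows past the window. The CASCADE removes the
    purpose rows too, so nothing lingers as a soft delete. Returns rows removed."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = conn.execute("DELETE FROM users WHERE collected_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def erase_subject(conn, email):
    """Erasure request: remove every row for the subject; returns rows removed."""
    cur = conn.execute("DELETE FROM users WHERE email = ?", (email,))
    conn.commit()
    return cur.rowcount


def demo(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Run the four duties over two constructed records and return what each step saw."""
    conn = new_db()
    ingest(conn, {"email": "a@example.com", "billing_total": 10.0, "lawful_basis": "consent",
                  "consent_version": "v3", "purposes": ["billing", "recommendations"],
                  "collected_at": "2024-01-01T00:00:00+00:00"})
    ingest(conn, {"email": "b@example.com", "billing_total": 42.5, "lawful_basis": "contract",
                  "purposes": ["billing"], "collected_at": "2021-01-01T00:00:00+00:00"})
    try:                                   # record with no lawful basis is refused
        ingest(conn, {"email": "c@example.com", "purposes": ["billing"],
                      "collected_at": "2024-02-01T00:00:00+00:00"})
        rejected = False
    except ValueError:
        rejected = True
    return {
        "rejected_without_basis": rejected,
        "recommendations": query_for_purpose(conn, "recommendations", ["email"]),
        "billing_before": query_for_purpose(conn, "billing", ["email"]),
        "expired_removed": retention_sweep(conn, now),
        "billing_after": query_for_purpose(conn, "billing", ["email"]),
        "erased": erase_subject(conn, "a@example.com"),
        "billing_final": query_for_purpose(conn, "billing", ["email"]),
    }
```

The allow-list in `query_for_purpose` is what makes the `f"SELECT {cols}"` safe: column names are checked against a fixed set before they touch the statement, and the purpose itself is bound as a parameter. The b@example.com row is older than the window, so the sweep removes it and its purpose rows; the subsequent erasure of a@example.com leaves the table empty.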

Analogy

GDPR is like borrowing a neighbor's car.

If you borrow a car, you need a valid reason to ask (Lawful Basis). You say you are taking it to the grocery store; you can't suddenly drive it across the country (Purpose Limitation). You have to bring it back when you're done, not keep it in your driveway indefinitely (Retention). And if the neighbor asks where the car is or demands the keys back, you have to hand it over immediately (Subject Access Request and Erasure).

You don't own the data. You are just borrowing it under strict conditions. Once the condition breaks, you must return or destroy the data.

Make it stick

Use the prompts below to anchor GDPR Essentials to something you actually own.

  • Find a table in your data warehouse containing user emails. Do you actually know the 'lawful basis' under which they were collected?
  • How does your organization technically enforce 'Purpose Limitation'? (e.g., role-based access, data tags)
  • Are there 'soft deleted' records in your database that you are legally required to hard delete? How long have they been there?