Introduction to GDPR for Developers and Testers

Building Privacy-First Systems via Engineering Excellence

Presenter: Anandhu Krishnan

Why Engineers Must Care

GDPR is a technical responsibility, not just a legal one.

Secure storage and minimal collection.
Enable data access and deletion.
Privacy-by-design architecture.

Penalties: Up to €20 million or 4% of annual global turnover.

Special Categories of Data

Sensitive data requires stronger protection.

Health & Biometric data
Political opinions & Religious beliefs
Genetic data

Applications must avoid collecting these unless absolutely required.

Core GDPR Principles

Lawfulness, Fairness, Transparency
Purpose & Storage Limitation
Data Minimization & Accuracy
Integrity, Confidentiality & Accountability

Privacy by Design

Built-in, not bolted-on.

Minimal data collection and secure storage.
Role-based access control (RBAC).
Data encryption and comprehensive audit logging.

User Right to Access Data

Users can request what data is stored and why.
Users can request how it is used.

Example Implementation:

GET /user/data-export

Right to Erasure (Be Forgotten)

Users can request deletion of their personal data.
Remove from databases, logs, and backups where possible.

Example Implementation:

DELETE /user/account

Data Retention Policies

Data Type	Retention Period
User Account	Until account deletion
Logs	90 days
Security Logs	1 year

Logging Without Violating GDPR

Bad Practice

Login failed for user: john@email.com

Password: mypassword123

Good Practice

Login failed for user ID: 49283

Source IP logged separately.

Role of QA Engineers

Test data encryption and access controls.
Verify deletion and consent flows.
Verify data export functionality.
Security testing for PII leakage.

Final Recommendations

Design privacy at the architecture level.
Implement strong data security (TLS, AES).
Allow user control of personal data.
Continuously test privacy features.

Privacy is a shared responsibility.

1 / 1