Why Technical GDPR Compliance Matters
GDPR isn't just a legal checkbox—it's a technical architecture requirement. Get it wrong, and you face fines up to €20M or 4% of global revenue. Get it right, and you have a competitive advantage with privacy-conscious EU customers.
Core Technical Requirements
1. Data Residency
Personal data of EU citizens should stay in the EU unless you have proper safeguards:
- Use EU regions exclusively (AWS eu-west-1, eu-central-1)
- Configure S3 bucket policies to prevent cross-region replication
- Audit third-party services for data processing locations
- Document all data flows in your architecture diagrams
2. Encryption Requirements
- At rest: AES-256 for all databases and storage
- In transit: TLS 1.2+ for all connections
- Key management: AWS KMS with customer-managed keys
- Backup encryption: Same standards as primary data
3. Access Controls (Least Privilege)
Example IAM policy granting the minimum required access (read-only on one bucket, and only when the request is made in eu-west-1):
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::customer-data/*",
        "Condition": {
          "StringEquals": {"aws:RequestedRegion": "eu-west-1"}
        }
      }]
    }
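A policy like this only helps if you can reason about exactly what it permits. The evaluator below is an added example, not AWS code and not part of the original page: it models the subset of IAM evaluation this policy needs (default deny, explicit Deny wins over Allow, wildcard matching on Action and Resource, the StringEquals operator) and shows that the same GetObject request is allowed in eu-west-1 and denied from any other region or for any other action, which is the access-control side of the data residency requirement above. The names `POLICY` and `evaluate`, and the sample object ARNs, are assumptions; the policy document itself is the one from this section.

```python
"""Minimal IAM-style evaluator for the policy above (added example, not AWS code).

Only the semantics needed for that policy are modelled; treat it as a
teaching aid, not a substitute for the IAM policy simulator.
"""
from fnmatch import fnmatchcase

# The policy from the page, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::customer-data/*",
        "Condition": {
            "StringEquals": {"aws:RequestedRegion": "eu-west-1"}
        }
    }]
}


def _as_list(value):
    """IAM lets Action/Resource/condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Evaluate the Condition block against the request context.

    Only StringEquals is modelled here; any other operator fails closed,
    so an unmodelled condition can never widen access by accident.
    A missing context key never matches, just as in IAM.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request.

    Statements are matched on action and resource with IAM-style
    wildcards (fnmatchcase handles '*' and '?'; action names are compared
    case-sensitively in this model), then on conditions. An explicit Deny
    short-circuits; with no matching Allow the result is the implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny otherwise


if __name__ == "__main__":
    obj = "arn:aws:s3:::customer-data/users/42.json"  # sample ARN, constructed
    for region in ("eu-west-1", "us-east-1"):
        ctx = {"aws:RequestedRegion": region}
        print(region, evaluate(POLICY, "s3:GetObject", obj, ctx))
```

Note that a request with no `aws:RequestedRegion` in its context is also denied: the condition only matches when the key is present and equal, so the policy fails closed rather than open.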
4. Right to Deletion Implementation
Design your data model for deletion from day one:
- Centralize user data with foreign key relationships
- Implement soft delete with scheduled hard delete
- Handle backups (rotate/expire within 30 days)
- Document data retention policies per data type
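The steps above combine into one small data model. The following is an added example, not code from the original page: it uses SQLite to show a `users` table that is soft-deleted by setting `deleted_at`, an `orders` table whose foreign key cascades on delete (the "centralize with foreign key relationships" point), and a purge job that hard-deletes every soft-deleted user once the 30-day grace window has elapsed. The schema, table names and the choice of the same 30-day window as the backup rotation are assumptions made for the example.

```python
"""Soft delete with scheduled hard delete, on SQLite (added example).

Schema assumptions (not from the page): `users` holds the subject record,
`orders` holds dependent personal data and cascades on delete, so purging
a user removes everything tied to that user in a single transaction.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # grace window before hard delete; matches the backup expiry above

SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    deleted_at TEXT                 -- NULL = live; ISO timestamp = erasure requested
);
CREATE TABLE orders (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    address TEXT NOT NULL           -- personal data that must go with the user
);
"""


def connect():
    """In-memory database with the schema loaded and FK enforcement on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled per connection
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    """Constructed sample rows: two users, three orders."""
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                     [(1, "a@example.com"), (2, "b@example.com")])
    conn.executemany("INSERT INTO orders (id, user_id, address) VALUES (?, ?, ?)",
                     [(1, 1, "1 First St"), (2, 1, "2 Second St"), (3, 2, "3 Third St")])
    conn.commit()


def request_erasure(conn, user_id, now):
    """Soft delete: hide the subject immediately, purge later. Returns True if a live row was marked."""
    cur = conn.execute(
        "UPDATE users SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (now.isoformat(), user_id))
    conn.commit()
    return cur.rowcount == 1


def live_users(conn):
    """Ids of users that application code may still read."""
    return [r[0] for r in conn.execute("SELECT id FROM users WHERE deleted_at IS NULL")]


def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Scheduled job: hard-delete every soft-deleted user whose grace period has elapsed.

    Returns the number of users removed; their orders are removed by the
    ON DELETE CASCADE rule and are not counted in rowcount.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "DELETE FROM users WHERE deleted_at IS NOT NULL AND deleted_at <= ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def order_count(conn, user_id):
    """How many order rows still reference this user (should hit zero after purge)."""
    return conn.execute("SELECT COUNT(*) FROM orders WHERE user_id = ?",
                        (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = connect()
    seed(db)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    request_erasure(db, 1, t0)
    print("live:", live_users(db), "purged at +10d:", purge_expired(db, t0 + timedelta(days=10)))
    print("purged at +30d:", purge_expired(db, t0 + timedelta(days=30)), "orders left for 1:", order_count(db, 1))
```

The timestamps are stored as ISO 8601 strings in UTC, so the `<=` comparison in the purge query is a plain string comparison that still orders correctly; mixing time zones or formats would silently break that, which is why `request_erasure` takes the clock as a parameter rather than calling `datetime.now()` itself.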
5. Audit Logging
Log all access to personal data:
- Who accessed the data
- When they accessed it
- What data was accessed
- Why (purpose/justification)
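The four questions above map directly onto a structured log record. The code below is an added example, not from the original page: every read of personal data goes through one helper that records who, when, what and why, refuses (and still logs the refusal) when the stated purpose is not on an allowed list, and stores only field names, never field values, so the audit trail does not become a second copy of the personal data. The subject store, the purpose vocabulary and the function names are assumptions made for the example.

```python
"""Purpose-bound access logging for personal data (added example, not the page's code).

Assumptions: SUBJECTS stands in for the real data store, ALLOWED_PURPOSES
for the purposes documented in the organisation's records of processing.
"""
import json
from datetime import datetime, timezone

# Constructed sample store, keyed by data subject id.
SUBJECTS = {
    "u-1001": {"email": "anna@example.org", "address": "1 Example St", "phone": "+00 000 0000"},
}

# Assumed purpose vocabulary; a request must cite one of these.
ALLOWED_PURPOSES = {"support_ticket", "fraud_review", "dsar_response"}


class AuditLog:
    def __init__(self):
        self.entries = []  # one JSON string per access attempt, append-only

    def record(self, actor, subject_id, fields, purpose, now=None):
        """Write a who/when/what/why record; raise if the purpose is not allowed.

        The refusal is logged before the exception is raised, so attempts
        without a valid justification are visible to reviewers too.
        """
        allowed = purpose in ALLOWED_PURPOSES
        entry = {
            "who": actor,
            "when": (now or datetime.now(timezone.utc)).isoformat(),
            "what": {"subject": subject_id, "fields": sorted(fields)},  # names only, never values
            "why": purpose,
            "outcome": "allowed" if allowed else "refused",
        }
        self.entries.append(json.dumps(entry, separators=(",", ":")))
        if not allowed:
            raise PermissionError(f"access refused: purpose {purpose!r} is not an allowed purpose")
        return entry

    def accesses_for_subject(self, subject_id):
        """Everything logged about one person, e.g. to answer a subject access request."""
        return [e for e in map(json.loads, self.entries) if e["what"]["subject"] == subject_id]


def read_personal_data(log, actor, subject_id, fields, purpose, now=None):
    """The only sanctioned way to read subject data: log first, then read the requested fields."""
    log.record(actor, subject_id, fields, purpose, now)
    record = SUBJECTS[subject_id]
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    log = AuditLog()
    print(read_personal_data(log, "agent-7", "u-1001", ["email"], "support_ticket"))
    try:
        read_personal_data(log, "agent-7", "u-1001", ["phone"], "curiosity")
    except PermissionError as exc:
        print(exc)
    for line in log.entries:
        print(line)
```

Keeping field names rather than values in the log is the caveat most often missed: a log that captures the data it is auditing needs the same residency, encryption and deletion handling as the primary store, and is rarely given it.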
Cloud Provider Specific Guidance
AWS
- Enable CloudTrail for all regions
- Use AWS Config for compliance monitoring
- Implement AWS Macie for PII detection
GCP
- Use Data Loss Prevention API
- Enable Access Transparency logs
- Configure organization policies for region restriction
Building a new system or auditing existing infrastructure for GDPR? We can help.