github/gdpr-compliant

GDPR Engineering Skill

Actionable GDPR reference for engineers, architects, DevOps, and tech leads. Inspired by CNIL developer guidance and GDPR Articles 5, 25, 32, 33, 35.

Golden Rule: Collect less. Store less. Expose less. Retain less.

For deep dives, read the reference files in references/:

• references/data-rights.md — user rights endpoints, DSR workflow, RoPA
• references/security.md — encryption, hashing, secrets, anonymization
• references/operations.md — cloud, CI/CD, incident response, architecture patterns

---

1. Core GDPR Principles (Article 5)

| Principle | Engineering obligation | |---|---| | Lawfulness, fairness, transparency | Document legal basis for every processing activity in the RoPA | | Purpose limitation | Data collected for purpose A MUST NOT be reused for purpose B without a new legal basis | | Data minimization | Collect only fields with a documented business need today | | Accuracy | Provide update endpoints; propagate corrections to downstream stores | | Storage limitation | Define TTL at schema design time — never after | | Integrity & confidentiality | Encrypt at rest and in transit; restrict and audit access | | Accountability | Maintain evidence of compliance; RoPA ready for DPA inspection at any time |

---

2. Privacy by Design & by Default

MUST

• Add CreatedAt, RetentionExpiresAt to every table holding personal data at creation time.
• Default all optional data collection to off. Users opt in; they never opt out of a default-on setting.
• Conduct a DPIA before building high-risk processing (biometrics, health data, large-scale profiling, systematic monitoring).
• Update the RoPA with every new feature that introduces a processing activity.
• Sign a DPA with every sub-processor before data flows to them.

MUST NOT

• Ship a new data collection feature without a documented legal basis.
• Enable analytics, tracking, or telemetry by default without explicit consent.
• Store personal data in a system not listed in the RoPA.

---

3. Data Minimization

MUST

• Map every DTO/model field to a concrete business need. Remove undocumented fields.
• Use separate DTOs for create, read, and update — never reuse the same object.
• Return only what the caller is authorized to see — use response projections.
• Mask sensitive values at the edge: return ****1234 for card numbers, never the full value.
• Exclude sensitive fields (DOB, national ID, health) from default list/search projections.

MUST NOT

• Log full request/response bodies if they may contain personal data.
• Include personal data in URL path segments or query parameters (CDN logs, browser history).
• Collect dateOfBirth, national ID, or health data without an explicit legal basis.

---

4. Purpose Limitation

MUST

• Document the purpose of every processing activity in code comments and in the RoPA.
• Obtain a new legal basis or perform a compatibility analysis before reusing data for a secondary purpose.

MUST NOT

• Share personal data collected for service delivery with advertising networks without explicit consent.
• Use support ticket content to train ML models without a separate legal basis and user notice.

---

5. Storage Limitation & Retention

MUST

• Every table holding personal data MUST have a defined retention period.
• Enforce retention automatically via a scheduled job (Hangfire, cron) — never a manual process.
• Anonymize or delete data when retention expires — never leave expired data silently in production.

Recommended defaults

| Data type | Max retention | |---|---| | Auth / audit logs | 12–24 months | | Session / refresh tokens | 30–90 days | | Email / notification logs | 6 months | | Inactive user accounts | 12 months after last login → notify → delete | | Payment records | As required by tax law (7–10 years), minimized | | Analytics events | 13 months |

SHOULD

• Add RetentionExpiresAt column — compute at insert time.
• Use soft-delete (DeletedAt) with a scheduled hard-delete after the erasure request window (30 days).

MUST NOT

• Retain personal data indefinitely "in case it becomes useful later."

---

6. API Design Rules

MUST

• MUST NOT include personal data in URL paths or query parameters.
  • GET /users/{userId}
• Authenticate all endpoints that return or accept personal data.
• Extract the acting user's identity from the JWT — never from the request body.
• Validate ownership on every resource: if (resource.OwnerId != currentUserId) return 403.
• Use UUIDs or opaque identifiers — never sequential integers as public resource IDs.

SHOULD

• Rate-limit sensitive endpoints (login, data export, password reset).
• Set Referrer-Policy: no-referrer and an explicit CORS allowlist.

MUST NOT

• Return stack traces, internal paths, or database errors in API responses.
• Use Access-Control-Allow-Origin: * on authenticated APIs.

---

7. Logging Rules

MUST

• Anonymize IPs in application logs — mask last octet (IPv4) or last 80 bits (IPv6).
  • 192.168.1.xxx
• MUST NOT log: passwords, tokens, session IDs, credentials, card numbers, national IDs, health data.
• MUST NOT log full request/response bodies where PII may be present.
• Enforce log retention — purge automatically after the defined period.

SHOULD

• Log events not data: "User {UserId} updated email" not "Email changed from [email protected] to [email protected]".
• Use structured logging (JSON) with userId as an internal identifier, not the email address.
• Separate audit logs (sensitive access, admin actions) from application logs — different retention and ACLs.

---

8. Error Handling

MUST

• Return generic error messages — never expose stack traces, internal paths, or DB errors.
  • "Column 'email' violates unique constraint on table 'users'"
  • "A user with this email address already exists."
• Use Problem Details (RFC 7807) for all error responses.
• Log the full error server-side with a correlation ID; return only the correlation ID to the client.

MUST NOT

• Include file paths, class names, or line numbers in error responses.
• Include personal data in error messages (e.g., "User [email protected] not found").

---

9. Encryption (summary — see references/security.md for full detail)

| Scope | Minimum standard | |---|---| | Standard personal data | AES-256 disk/volume encryption | | Sensitive data (health, financial, biometric) | AES-256 column-level + envelope encryption via KMS | | In transit | TLS 1.2+ (prefer 1.3); HSTS enforced | | Keys | HSM-backed KMS; rotate DEKs annually |

MUST NOT allow TLS 1.0/1.1, null cipher suites, or hardcoded encryption keys.

---

10. Password Hashing

MUST

• Use Argon2id (recommended) or bcrypt (cost ≥ 12). Never MD5, SHA-1, or SHA-256.
• Use a unique salt per password. Store only the hash.

MUST NOT

• Log passwords in any form. Transmit passwords in URLs. Store reset tokens in plaintext.

---

11. Secrets Management

MUST

• Store all secrets in a KMS: Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault.
• Use pre-commit hooks (gitleaks, detect-secrets) to prevent secret commits.
• Rotate secrets on developer offboarding, annual schedule, or suspected compromise.

.gitignore MUST include: .env, .env.*, *.pem, *.key, *.pfx, *.p12, secrets/

MUST NOT

• Commit secrets to source code. Store secrets as plain-text environment variable defaults.

---

12. Anonymization & Pseudonymization (summary — see references/security.md)

• Anonymization = irreversible → falls outside GDPR scope. Use for retained records after erasure.
• Pseudonymization = reversible with a key → still personal data, reduced risk.
• When erasing a user, anonymize records that must be retained (financial, audit) rather than deleting them.
• Store the pseudonymization key in the KMS — never in the same database as the pseudonymized data.

MUST NOT call data "anonymized" if re-identification is possible through linkage attacks.

---

13. Testing with Fake Data

MUST

• MUST NOT use production personal data in dev, staging, or CI environments.
• MUST NOT restore production DB backups to non-production without scrubbing PII first.
• Use synthetic data generators: Bogus (.NET), Faker (JS/Python/Ruby).
• Use @example.com for all test email addresses.

---

14. Anti-Patterns

| Anti-pattern | Correct approach | |---|---| | PII in URLs | Opaque UUIDs as public identifiers | | Logging full request bodies | Log structured event metadata only | | "Keep forever" schema | TTL defined at design time | | Production data in dev/test | Synthetic data + scrubbing pipeline | | Shared credentials across teams | Individual accounts + RBAC | | Hardcoded secrets | KMS + secret manager | | Access-Control-Allow-Origin: * on auth APIs | Explicit CORS allowlist | | Storing consent with profile data | Dedicated consent store | | PII in GET query params | POST body or authenticated session | | Sequential integer IDs in public URLs | UUIDs | | "Anonymized" data with quasi-identifiers | Apply k-anonymity, test linkage resistance | | Mixing backup regions outside EEA | Explicit region lockdown on backup jobs |

---

15. PR Review Checklist

Data model

• Every new PII column has a documented purpose and retention period.
• Sensitive fields (health, financial, national ID) use column-level encryption.
• No sequential integer PKs as public-facing identifiers.

API

• No PII in URL paths or query parameters.
• All endpoints returning personal data are authenticated.
• Ownership checks present — user cannot access another user's resource.
• Rate limiting applied to sensitive endpoints.

Logging

• No passwords, tokens, or credentials logged.
• IPs anonymized (last octet masked).
• No full request/response bodies logged where PII may be present.

Infrastructure

• No public storage buckets or public-IP databases.
• New cloud resources tagged with DataClassification.
• Encryption at rest enabled for new storage resources.
• New geographic regions for data storage are EEA-compliant or covered by SCCs.

Secrets & CI/CD

• No secrets in source code or committed config files.
• New secrets added to KMS and secrets inventory document.
• CI/CD secrets masked in pipeline logs.

Retention & erasure

• Retention enforcement job or policy covers new data store or field.
• Erasure pipeline updated to cover new data store.

User rights & governance

• Data export endpoint includes any new personal data field.
• RoPA updated if a new processing activity is introduced.
• New sub-processors have a signed DPA and a RoPA entry.
• DPIA triggered if the change involves high-risk processing.

---

Golden Rule: Collect less. Store less. Expose less. Retain less.

Every byte of personal data you do not collect is a byte you cannot lose, cannot breach, and cannot be held liable for.

---

Inspired by CNIL developer GDPR guidance, GDPR Articles 5, 25, 32, 33, 35, ENISA, OWASP, and NIST engineering best practices.