GDPR Compliance Cheat Sheet
Outlines core GDPR principles, data subject rights, lawful bases for processing, and breach notification requirements for engineering teams.
2 PagesIntermediateJan 25, 2026
Core Principles (Article 5)
The foundational principles that all GDPR processing must satisfy.
- Lawfulness, fairness, transparency- Processing must have a legal basis and be clearly communicated to data subjects
- Purpose limitation- Data collected for one purpose cannot be reused for an incompatible purpose
- Data minimization- Collect only the data necessary for the stated purpose
- Accuracy- Personal data must be kept accurate and up to date
- Storage limitation- Data must not be kept longer than necessary; define retention periods
- Integrity and confidentiality- Appropriate security (encryption, access control) must protect the data
- Accountability- Controllers must be able to demonstrate compliance, not just achieve it
Lawful Bases for Processing (Article 6)
At least one basis must apply before processing personal data.
- Consent- Freely given, specific, informed, and unambiguous agreement, revocable at any time
- Contract- Processing necessary to perform a contract with the data subject
- Legal obligation- Required to comply with a law the controller is subject to
- Vital interests- Necessary to protect someone's life
- Public task- Necessary for a task carried out in the public interest or official authority
- Legitimate interests- Necessary for the controller's legitimate interest, balanced against the data subject's rights
Data Subject Rights (Chapter III)
Rights individuals can exercise over their personal data.
- Right to access (Art. 15)- Obtain confirmation and a copy of data being processed about them
- Right to rectification (Art. 16)- Correct inaccurate or incomplete personal data
- Right to erasure (Art. 17)- 'Right to be forgotten' - deletion when data is no longer necessary or consent is withdrawn
- Right to restrict processing (Art. 18)- Limit how data is used while a dispute is resolved
- Right to data portability (Art. 20)- Receive data in a structured, machine-readable format to transfer elsewhere
- Right to object (Art. 21)- Object to processing based on legitimate interests or direct marketing
Implementing a Right-to-Erasure Endpoint
Example API pattern for handling GDPR deletion requests.
python
from datetime import datetime, timedeltadef handle_erasure_request(user_id): # 1. Verify the requester's identity before acting # 2. Check for legal retention obligations (e.g. tax records) if has_legal_retention_hold(user_id): anonymize_user(user_id) # anonymize instead of hard delete else: delete_user_data(user_id) # 3. Propagate deletion to downstream processors/backups queue_deletion_for_processors(user_id) # 4. Respond within one month (Art. 12(3)), extendable by two more # months for complex requests deadline = datetime.utcnow() + timedelta(days=30) log_erasure_request(user_id, deadline)
Breach Notification Rules (Art. 33-34)
Timelines and thresholds for reporting a personal data breach.
- 72-hour rule- Notify the supervisory authority within 72 hours of becoming aware of a breach, where feasible
- Risk assessment- No notification required if the breach is unlikely to result in risk to individuals
- High-risk breaches- Must also notify affected data subjects directly and without undue delay
- Documentation- All breaches must be logged internally, even if not reportable to the authority
Pro Tip
Build 'privacy by design' into schema migrations: tag personal-data columns with a retention policy and TTL at creation time, so automated purging runs from day one instead of becoming a manual audit project years later.
Was this cheat sheet helpful?
Explore Topics
#GDPRCompliance#GDPRComplianceCheatSheet#Cybersecurity#Intermediate#CorePrinciplesArticle5#Lawful#Bases#Processing#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance