GDPR - The Practical, No-Fluff, Actionable Todo List

GDPR - The Practical, No-Fluff, Actionable Todo List

GDPR hell is here.
After reading too many GDPR articles, I’ve decided to summarize the important stuff in a short, clear, no-fluff actionable list.
A list I can use to prioritize our work internally, and hopefully a list that can help other developers or product managers understand what needs to be done.

General Guidelines: 

  1. Save as little personal data as possible. 
  2. Avoid making fields mandatory unless absolutely required by the business. (please note that Apple is already rejecting apps for excessive use of mandatory fields).
  3. Allow users to edit their data at any given time (make sure you have an “edit” functionality).
  4. Don’t track user activity to learn their taste and interests (probably relevant for marketing and giant companies) - I wouldn’t get excited about this one. 
  5. Security questions should not use personal data (like your kid’s name).


  1. Use HTTPS
  2. Encrypt all personal data (email, phone, address) with strong encryption algorithms including hashing. If you have not idea how to do it without messing up you product - you are probably not alone. 
  3. Store logs in a safe place, preferably encrypted.
  4. Delete old logs automatically.

General security measures:

  1. Be committed to notifying the national supervisory authority of any serious data breaches as soon as possible. (are you committed? Be committed!).  
  2. Make sure sessions and cookies expire when the user logs out (relevant for websites). 
  3. Use OAUTH to connect with other systems.
  4. While you go over your connected systems (all the integrations you ever developed…) - make sure you also use HTTPS.

Terms of use:

  1. Create clear and readable ‘terms of use' text - make it available from the main page. 
  2. Explain why you are storing some data about the user (i.e. we need your address to determine who is available near you).
  3. Tell the users that their data is stored encrypted (unless, of course, you still haven’t figured out how to do that…).
  4. Inform users about any data sharing with any 3rd party tool, plugin or app.
  5. Tell the users about logs that are using their location. Explain that the data is all encrypted. 
  6. Websites using cookies should notify their readers about it even without having to look for the terms of use. 

Double opt-in:

  1. Have a dedicated opt-in checkbox (unchecked by default) for receiving marketing materials from your company.
  2. Best practice talks about double opt-in (sending an approval email) but I think this is only a recommendation for now. 
  3. Have a simple way to opt-out via each email you send (unsubscribe functionality). 
  4. Store the ‘date’ when the consent was given by the user (don’t store it as a boolean - store the actual date!).
  5. Old users should get an email asking them to opt-in again in order to ensure their consent. This practically means you will lose 90% of your current mailing list because most users will not do it, so it’s important to tie this with a small gift for the ones who will opt-in again…).
  6. Beware not to send your special GDPR out-in/out emails to the old users who already unsubscribed from your mailing lists. 

The right to be forgotten:

  1. Add a ‘Delete Account’ button to your account/settings page. 
  2. Deleting the account should theoretically remove the user from the production database, but the problem is that you probably cannot do that (technically and business wise). 
  3. What you can do is: obfuscate this user information so no one can never know it’s him (name, phone, email, address, twitter account, website link) while keeping his record just for the sake of referential integrity.
  4. Take those details and place them inside another database that has nothing to do with your production system or marketing tools, just to be covered in case this user will ever attempt to sue you or something… You need to be covered!
  5. Make sure all marketing related fields are completely removed: emails, phone numbers, push notifications tokens, facebook, twitter - you need to completely forget about this guy.
  6. Do not break your database references…   
  7. Notify your integrated tools that this user needs to be deleted. They should support this functionality as well. 

The right to know what you know (or think you know):

  1. Add an ‘export’ button to your account/settings page so users can ask for their data. 
  2. Create a dedicated function that collects all the personal data of a given user and creates a human-friendly text report.
  3. Send this report via email or as a file.  

General tips

GDPR will change over time, it’s too early to spend all your development efforts implementing things that may soon be changed.
Prioritize accordingly.
  1. Build a plan, write down all the tasks, and prioritize them. 
  2. Make sure your software complies with at least 50% of the items above. 
  3. The rest should be included in your plan. Be serious about the plan. 
  4. Some of the items can be supported manually when needed (for example, you can send the personal details-on-demand). 
  5. It’s important to have a document describing everything that exists and everything that is still “in-progress” so in case of an audit you will be able to present it to the auditor. 
  6. Demonstrate awareness, alignment, a plan, and enough achievements with GDPR, you can probably get away even if you have some “hiccups” here and there.  

GDPR is fun actually.
No, seriously. It's fun, we just don’t know it yet.