GDPR Compliance: It is an Engineering Problem
GDPR is not just a legal document. It requires specific database architectures, deletion workflows, and consent management.
The Legal-Technical Gap
Lawyers write the Privacy Policy. Engineers write the Database Schema. If they don’t talk, you get sued. GDPR (General Data Protection Regulation) gives users rights:
- Right to Access: “Show me what you know about me.”
- Right to Erasure (Right to be Forgotten): “Delete everything about me.”
- Right to Portability: “Give me a CSV of my data.”
Most startups ignore this. “We’ll do it manually if someone asks.” Then a user asks. And you realize their data is scattered across Postgres, Salesforce, Stripe, Mailchimp, and S3 logs. You spend 2 weeks deleting it manually. GDPR Compliance must be Automated Code.
Why Maison Code Discusses This
At Maison Code, we operate in the EU (Paris). GDPR is naturally part of our DNA. We help US companies launch in Europe. They are often shocked by the strictness (“Wait, I can’t just track everyone?”). We implement Privacy by Design. We architect the system so that “Deleting a User” cascades correctly to all systems. We talk about this because Privacy is the new Luxury. Respecting user data builds trust.
Technical Implementation: The Deletion Cascade
How to implement “Right to Erasure”?
Bad Way: DELETE FROM users WHERE id = 1;
This fails because of Foreign Keys (the Orders table references the User), or, if the constraints are missing, it leaves “Orphaned Data” in analytics.
Good Way: Anonymization. You don’t delete the Order (you need it for Tax/Accounting). You scrub the PII (Personally Identifiable Information).
UPDATE users
SET
email = 'deleted-' || id || '@anon.com',
name = 'Anonymous',
phone = NULL,
address = NULL
WHERE id = ?;
Now the financial stats stay correct (“We sold $100”), but the user is gone.
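To make the two approaches concrete, here is an added example (not code from the original post or from Maison Code) that builds a throwaway SQLite database with a users table and an orders table that references it. The hard DELETE fails on the foreign key; the anonymizing UPDATE keeps the order rows, so revenue totals are unchanged while the PII is gone. The table names and the sample rows are constructed for the example; the only deliberate deviation from the post's SQL is the use of the reserved `.invalid` TLD for the placeholder address, so the scrubbed value can never route mail to a real domain.

```python
import sqlite3

# Constructed schema for the example: orders reference users via a foreign key.
SCHEMA = """
CREATE TABLE users (
    id      INTEGER PRIMARY KEY,
    email   TEXT NOT NULL UNIQUE,
    name    TEXT,
    phone   TEXT,
    address TEXT
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    total_cents INTEGER NOT NULL
);
"""


def open_db():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked, per connection
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice@example.com", "Alice", "+33 6 00 00 00 00", "1 rue Example, Paris"),
        (2, "bob@example.com", "Bob", None, None),
    ])
    conn.executemany("INSERT INTO orders (user_id, total_cents) VALUES (?, ?)", [
        (1, 4000), (1, 6000), (2, 2500),
    ])
    conn.commit()
    return conn


def hard_delete(conn, user_id):
    """The 'bad way': returns False because orders still reference the user."""
    try:
        with conn:
            conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def anonymize_user(conn, user_id):
    """The 'good way': scrub PII in place; the row (and its orders) survive."""
    with conn:
        cur = conn.execute(
            """
            UPDATE users
            SET email   = 'deleted-' || id || '@anon.invalid',
                name    = 'Anonymous',
                phone   = NULL,
                address = NULL
            WHERE id = ?
            """,
            (user_id,),
        )
    return cur.rowcount  # 1 when the user existed, 0 otherwise


def revenue_cents(conn):
    """Accounting view: must be identical before and after an erasure."""
    return conn.execute("SELECT COALESCE(SUM(total_cents), 0) FROM orders").fetchone()[0]


def user_row(conn, user_id):
    return conn.execute(
        "SELECT email, name, phone, address FROM users WHERE id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    print("hard delete succeeded:", hard_delete(db, 1))
    print("rows anonymized:", anonymize_user(db, 1))
    print("user 1 now:", user_row(db, 1))
    print("revenue (cents):", revenue_cents(db))
```

Run it and the revenue stays at 12500 cents across the erasure; that is the invariant to assert in your own test suite so a future schema change cannot silently break the cascade.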
The Cookie Banner (Consent Mode v2)
You cannot drop Google Analytics cookies until the user agrees. Google Consent Mode v2 is mandatory in 2024. It signals to Google tags whether they have permission to track storage.
- Default: ad_storage: 'denied', analytics_storage: 'denied'.
- User clicks “Accept”.
- Update: gtag('consent', 'update', { ... 'granted' }).
This logic must be hardcoded in your head script.
Warning: If you load the GTM script before the consent check, you have already violated GDPR before the user had a chance to choose.
Data Residency
“Where is the server?”
GDPR prefers data to stay in the EU.
If you use AWS us-east-1 (Virginia), you are transferring data outside the EU.
You then need a legal transfer mechanism such as Standard Contractual Clauses (SCCs).
Best Practice: Pick AWS Frankfurt (eu-central-1) or Paris (eu-west-3).
Keep EU user data in the EU.
Logs and Backups
This is the hidden trap.
You deleted the user from the Live DB.
But their data is in the Backup created yesterday.
And it’s in the Access Logs (nginx logs often contain IP addresses).
Compliance Tip: You don’t need to scrub backups immediately (impossible).
But you must have a process that ensures restoring a backup does not re-introduce deleted data (for example, replaying the log of completed erasure requests after every restore).
Usually, backups naturally expire after 30 days. This is compliant “putative deletion”.
For logs: rotate them every 30 days, and anonymize the IP addresses in them (e.g., 192.168.x.x).
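An added example, not from the original post, of the log-anonymization step: it walks nginx "combined" format lines, replaces the client address with its network prefix, and leaves everything else untouched. The sample lines are constructed (documentation ranges, not real traffic). It defaults to the 192.168.x.x style from the text (keep 16 bits of an IPv4 address) and also handles IPv6, which the text does not mention but which a real access log will contain; the prefix lengths are parameters.

```python
import ipaddress
import re

# Constructed nginx "combined" log lines using documentation address ranges.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Jan/2024:12:00:01 +0000] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Jan/2024:12:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /export HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# First whitespace-delimited token of a combined-format line is the client address.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def anonymize_ip(ip_text, v4_keep_bits=16, v6_keep_bits=48):
    """Zero the host part of an address; tokens that are not IPs come back unchanged."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    # strict=False lets us pass a host address and get its enclosing network.
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log(text, **kwargs):
    """Rewrite every line of an access log; lines that do not parse are kept as-is."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        out.append(f"{anonymize_ip(m.group('ip'), **kwargs)} {m.group('rest')}")
    return "\n".join(out)


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
```

Run this as a filter in the log pipeline (before the lines are shipped to a third party or written to long-term storage) rather than as a nightly cleanup, so the raw addresses never land on disk in the first place.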
The ROPA (Record of Processing Activities)
GDPR Article 30 requires you to document what you do. You need a Data Map.
- Source: User Registration.
- Data: Email, Name, IP.
- Destination: Postgres (DB), Mailchimp (Marketing), Sentry (Logs).
- Retention: Lifetime of account + 3 years.
This document must be live. We automate this by tagging our database schemas (Prisma comments) and auto-generating the ROPA during CI/CD. “Documentation as Code”.
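Here is an added example, not Maison Code's tooling, of what "Documentation as Code" can look like for the ROPA. It reads a small constructed Prisma-style schema in which PII fields carry a `/// @pii ...` doc comment (Prisma's triple-slash comments are real; the `@pii category=... destinations=... retention=...` tag grammar is a hypothetical convention invented for this example) and emits one ROPA row per tagged field. A second function is the CI gate: it flags fields whose names look like PII but carry no tag, so a new `phone` column cannot ship undocumented.

```python
import re

# Constructed Prisma-style schema. The "/// @pii ..." tag grammar is hypothetical.
SCHEMA = """
model User {
  id        Int    @id @default(autoincrement())
  /// @pii category=contact destinations=postgres,mailchimp retention=account+3y
  email     String @unique
  /// @pii category=identity destinations=postgres retention=account+3y
  name      String?
  /// @pii category=network destinations=postgres,sentry retention=30d
  lastIp    String?
  createdAt DateTime @default(now())
}

model Order {
  id      Int  @id @default(autoincrement())
  userId  Int
  /// @pii category=location destinations=postgres retention=7y
  address String
  total   Int
}
"""

MODEL_RE = re.compile(r"model\s+(\w+)\s*\{(.*?)\}", re.S)
TAG_RE = re.compile(r"///\s*@pii\s+(?P<attrs>.*)")


def parse_attrs(text):
    """'k=v k=v' -> dict; destinations is a list because a field fans out to many systems."""
    attrs = {}
    for token in text.split():
        key, _, value = token.partition("=")
        attrs[key] = value.split(",") if key == "destinations" else value
    return attrs


def build_ropa(schema):
    """One ROPA row per tagged field: model, field, plus the tag attributes."""
    rows = []
    for model, body in MODEL_RE.findall(schema):
        pending = None  # tag waiting for the field declaration on the next line
        for line in body.splitlines():
            line = line.strip()
            tag = TAG_RE.match(line)
            if tag:
                pending = parse_attrs(tag.group("attrs"))
                continue
            if pending and line and not line.startswith("//"):
                rows.append({"model": model, "field": line.split()[0], **pending})
                pending = None
    return rows


def untagged_fields(schema, pii_hints=("email", "name", "phone", "address", "ip")):
    """CI gate: fields whose name suggests PII but that carry no @pii tag."""
    tagged = {(r["model"], r["field"]) for r in build_ropa(schema)}
    missing = []
    for model, body in MODEL_RE.findall(schema):
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("//"):
                continue
            field = line.split()[0]
            if any(h in field.lower() for h in pii_hints) and (model, field) not in tagged:
                missing.append((model, field))
    return missing


if __name__ == "__main__":
    for row in build_ropa(SCHEMA):
        print(row)
    print("untagged:", untagged_fields(SCHEMA))
```

In CI, fail the build when untagged_fields() is non-empty and commit the generated rows next to the schema; the ROPA then changes in the same pull request as the column that made it change.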
Employee Training: The Human Firewall
You can have the best encryption in the world. But if your support agent emails a CSV of users to their personal Gmail… you are breached. Phishing is the #1 vector. We mandate Data Minimization Hygiene.
- Don’t Slack customer info. Use IDs.
- Don’t put PII in Jira tickets.
- Use YubiKeys (2FA) for admin access.
Technology cannot fix stupidity, but process can limit the damage.
Data Portability (The JSON Export)
User: “Give me my data.” You cannot send them a raw SQL dump. You must provide a “structured, commonly used and machine-readable format” (Article 20). We build a self-serve button: “Download My Data”. It triggers a Background Job.
- Fetch Profile, Orders, Messages.
- Sanitize internal flags (is_banned: true, for example, stays internal).
- Generate JSON.
- Email a secure link (expires in 24h).
This satisfies the legal requirement without human intervention.
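The steps above as one runnable example, added here and not taken from the original post: constructed profile, order and message records stand in for the database rows, a recursive sanitizer strips the keys the business considers internal (the INTERNAL_KEYS set is an assumption for the example), the result is serialized as JSON, and the download link carries an HMAC-signed token that encodes its own expiry so the link dies after 24h without a database lookup. The secret is a placeholder; in a real deployment it comes from configuration or a KMS.

```python
import base64
import hashlib
import hmac
import json

# Constructed records standing in for rows fetched by the background job.
PROFILE = {"id": 42, "email": "alice@example.com", "name": "Alice",
           "is_banned": False, "fraud_score": 0.12}
ORDERS = [{"id": 1, "total_cents": 4000, "internal_note": "vip"},
          {"id": 2, "total_cents": 6000}]
MESSAGES = [{"id": 9, "body": "Where is my order?", "moderation_flag": None}]

# Assumed list of internal-only keys that must never reach the user.
INTERNAL_KEYS = {"is_banned", "fraud_score", "internal_note", "moderation_flag"}

SECRET = b"hypothetical-server-secret"  # placeholder; load from config/KMS in practice


def sanitize(record):
    """Drop internal keys at any nesting depth; lists and scalars pass through."""
    if isinstance(record, dict):
        return {k: sanitize(v) for k, v in record.items() if k not in INTERNAL_KEYS}
    if isinstance(record, list):
        return [sanitize(v) for v in record]
    return record


def build_export(profile, orders, messages):
    """Article 20 payload: structured, machine-readable, stable key order."""
    return json.dumps(
        {"profile": sanitize(profile), "orders": sanitize(orders), "messages": sanitize(messages)},
        indent=2, sort_keys=True,
    )


def make_download_token(export_id, now, ttl_seconds=24 * 3600, secret=SECRET):
    """Token = base64(export_id:expiry.hexhmac); expiry travels inside the signed payload."""
    expires = int(now) + ttl_seconds
    payload = f"{export_id}:{expires}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"." + sig).decode()


def verify_download_token(token, now, secret=SECRET):
    """Return export_id when the signature is valid and the link has not expired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw.rsplit(b".", 1)  # hex signature never contains '.'
        export_id, expires = payload.decode().split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(now) >= int(expires):
        return None
    return export_id


if __name__ == "__main__":
    print(build_export(PROFILE, ORDERS, MESSAGES))
    token = make_download_token("exp-42", now=1_700_000_000)
    print("valid now:", verify_download_token(token, now=1_700_000_000 + 60))
    print("valid after 24h:", verify_download_token(token, now=1_700_000_000 + 24 * 3600))
```

The export itself should live in private storage keyed by export_id; the token only proves the bearer received the e-mailed link before it expired, so the storage object can be deleted on the same 24h schedule.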
Vendor Risk Management (Subprocessors)
You are responsible for your vendors. If you send email via SendGrid, and SendGrid gets hacked, YOU are liable. GDPR requires you to list all “Subprocessors”. If you add a new one (e.g., switching to Klaviyo), you must technically inform users (update Privacy Policy). We maintain a “Subprocessor Registry” in the admin panel to track who has access to what data.
The Skeptic’s View
“It kills my analytics.” True. You will lose ~30% of data (users who deny cookies). Accept it. The data you do get is higher quality (high intent). Also, “Conversion Modeling” from Google helps fill the gaps using AI. Respecting privacy is a long-term brand asset. Being creepy is a liability.
FAQ
Q: Does CCPA (California) work the same? A: Mostly yes. If you are GDPR compliant, you are 95% CCPA compliant. GDPR is the “High Water Mark”. Aim for that.
Q: What about “Legitimate Interest”? A: You can store data without consent if it’s essential for the service (e.g., a Shipping Address to deliver a package). You cannot use that address for Marketing without specific consent.
Conclusion
Compliance is engineering. It requires Data Mapping. It requires APIs. It requires treating “User Data” as a “Toxic Asset” that you want to hold as little of as possible. Minimize collection. Maximize trust.
Risk of Fines?
GDPR fines can be 4% of global turnover. Maison Code conducts Technical Compliance Audits. We map your data flows, implement Anonymization scripts, and secure your Consent Management.
Worried about fines?
We implement Technical GDPR Compliance (Right to Erasure, Data Anonymization, Cookie Consent) directly into your stack. Hire our Architects.