Top 10 recommendations for GDPR implementation

in the app, web and software development

Posted by CyberWise on July 15, 2020

EU companies as well as companies entering the EU market must be compliant with GDPR requirements since the regulation came into force 2 years ago.
It may be complicated for non-lawyers to understand what the company needs to do in order to make their digital product compliant.
To help you better understand GDPR requirements for digital products out specialists prepared the top 10 practical recommendations.

1.Data minimization principle

Before you start building any product, define what personal data you need to collect and the scope of it. GDPR requires you to collected and processed only data that required to provide your service. Data collection needs to be linked to fulfilling a specific purpose. In other words, avoid collection information if it’s not necessary for your service.

2.Explicit Consent

This means no more pre-ticked boxes. Remember, you need a legal basis to collect and process personal data of users. As for software and app provider in the majority of it will be consent. Make sure that you informed users and received explicit consent, where the user makes certain actions (e.g tick the box) in order to agree, not just agree by default.

3.Opt-in for marketing

If you collect users’ consent for different purposes, you must have separate consent for services as marketing and newsletter. Also, if the user signed for the newsletter, the unsubscribe button must be implemented.

4.Privacy policy - make it visible

Make sure policy is available for users on the main page on your website or in information about your application. The privacy policy must be up to date. If some processes regarding personal data collection are changed, it must be displayed in your policy.

5.Cybersecurity is important

You need to implement proper security measures for data transition and storage. To ensure protection data from loss, it’s a good idea to make periodic back-ups. If you collect personal data, in particular, the special category of personal data such as health data, biomedical data, racial or ethnic origin, political opinions, religious or philosophical beliefs, or other information that belong to sensitive data you need to make sure that measures are sufficient. This includes but not limited by implementing encryption, secure authorization methods, strong password policy, and implementing two-factor authentication, if applicable also data pseudonymization and other relevant methods.

6.Implement data subject rights

GDPR provides users with different rights related to their personal data. One of those rights is the right to data portability ( art.17 of GDPR ) that allows users to receive their data upon request in structured, commonly used and machine-readable format. Examples of those formats can be CSV, XML and JSON. If you use the proprietor-specific format it may be a good idea to change it.

7.Right to erasure

According to the art.17 of GDPR data subjects (users) have the right to erasure also known as “Right to be Forgotten”. It is your responsibility to provide your user with the possibility to execute this right and withdraw given consent. It’s also important to notice that procedure of withdrawing consent should not be more complicated compared to giving consent. For example, if for giving consent you ask a user to tick a box, you can not implement a procedure where in order to withdraw consent user must coming to your office in person. Also, if your user signed for the newsletter, these must be implemented unsubscribe button.


If you use cookies or similar tracking technology on your website or application, it’s a good idea to have a separate cookie policy. In addition, you must display a notification to inform the user and ask for consent to use cookies. This notification should be visible, for example, banner on your page. If using different types of cookies, necessary, marketing, research you must ask for consent separately for each of them.

9.Do not use security questions that disclose personal data

Some time ago those security questions were widely spread. However, times change and you need to implement new security measures. For instance, a question like “what is your mother’s maiden surname?” to restore your password is not only a bad practice but a privacy violation.

10.Manage the full cycle of data

After you finish your relationships with the client (e.g. end of subscription), you are obliged to delete personal data, unless there is a legal basis to process them. If the user deletes the account in your app or website you are also required to delete all their data from backups. Make sure you also delete unsubscribed user data and stopped sending the newsletter after they unsubscribed.

Thank you for reading our recommendations for GDPR implementation. We hope that our recommendations help you build compliant and secure digital product.