GDPR has been enforceable since 2018, yet enforcement actions keep increasing year after year. The problem isn't that developers don't care — it's that most compliance checks happen once, at launch, and then get forgotten. Here are five critical GDPR requirements that slip through the cracks on most SaaS products.
1. Data Processing Register (ROPA)
The GDPR requires all organisations processing personal data to maintain a Record of Processing Activities (Article 30). Most developers have never heard of it. Your ROPA must document:
- What data you collect and why
- The legal basis for processing (consent, legitimate interest, contract)
- Data retention periods
- Third-party processors (AWS, Stripe, Mixpanel — every one)
- Cross-border data transfers
The fine for not having one: up to €10M or 2% of global turnover.
2. Data Subject Request Automation
Under GDPR, users have the right to access, rectify, erase, and port their data — within 30 days. Most SaaS products handle these manually (or ignore them entirely). At scale, this becomes unmanageable.
```javascript
// Minimum viable DSR handler (Express). `authenticate`, `db`, `analyticsService`,
// `emailService` and `backups` are the app's own modules; `addDays` is not built in.
const { addDays } = require('date-fns');

app.post('/api/dsr/erasure', authenticate, async (req, res) => {
  const userId = req.user.id;
  try {
    // Must delete from ALL systems — not just your main DB
    await Promise.all([
      db.users.delete(userId),
      analyticsService.deleteUser(userId),
      emailService.unsubscribeAll(userId),
      backups.scheduleDataPurge(userId), // often forgotten
    ]);
    res.json({ status: 'processing', deadline: addDays(new Date(), 30) });
  } catch (err) {
    // Without this, one failed deletion leaves the request hanging with no response
    res.status(500).json({ status: 'failed', error: 'erasure incomplete' });
  }
});
```
3. Legitimate Interest Assessment (LIA)
"Legitimate interest" is the most used (and most abused) legal basis for data processing. Using it correctly requires a three-part balancing test: purpose test, necessity test, and balancing test. Using it incorrectly — for marketing without consent, for example — is a violation.
4. Cookie Consent That Actually Works
A cookie banner that says "We use cookies" with a single OK button is not GDPR-compliant. Compliant consent requires:
- Granular categories (functional, analytics, marketing)
- Equal ease of accepting vs rejecting
- No pre-ticked boxes
- Stored consent records with timestamp and version
- Re-consent when purposes change
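Each item in that list is a property you can enforce in code rather than trust a banner vendor to get right. The following is an added example, not code from the original post: an in-memory consent store (the `ConsentStore` name and the `Map`-backed storage are assumptions made here) that defaults every optional category to off, keeps each decision with its timestamp and policy version, and treats stored consent as expired as soon as the policy version changes.

```javascript
// Added example (not from the original post). Category names follow the
// list above; everything else (ConsentStore, in-memory Map) is assumed here.
const CONSENT_CATEGORIES = ['functional', 'analytics', 'marketing'];

class ConsentStore {
  constructor() {
    // userId -> array of consent records, oldest first; kept whole for audit
    this.records = new Map();
  }

  // "No pre-ticked boxes": every optional category starts out false.
  // Functional cookies are strictly necessary and are not a choice.
  static defaultChoices() {
    return { functional: true, analytics: false, marketing: false };
  }

  // Record one consent decision with timestamp and policy version.
  // Only an explicit boolean true switches an optional category on.
  recordConsent(userId, choices, policyVersion, now = new Date()) {
    const decision = ConsentStore.defaultChoices();
    for (const [category, value] of Object.entries(choices)) {
      if (!CONSENT_CATEGORIES.includes(category)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      if (category === 'functional') continue;
      decision[category] = value === true;
    }
    const record = {
      userId,
      choices: decision,
      policyVersion,
      recordedAt: now.toISOString(),
    };
    const history = this.records.get(userId) || [];
    history.push(record);
    this.records.set(userId, history);
    return record;
  }

  latest(userId) {
    const history = this.records.get(userId);
    return history ? history[history.length - 1] : null;
  }

  // "Re-consent when purposes change": consent given under an older policy
  // version does not count for the current one.
  needsReconsent(userId, currentPolicyVersion) {
    const record = this.latest(userId);
    return record === null || record.policyVersion !== currentPolicyVersion;
  }

  // Gate to call before setting a cookie or loading a script of a category.
  isAllowed(userId, category, currentPolicyVersion) {
    if (category === 'functional') return true;
    if (this.needsReconsent(userId, currentPolicyVersion)) return false;
    return this.latest(userId).choices[category] === true;
  }
}

// Worked run on constructed input: user u1 accepts analytics only under v1,
// then the policy version is bumped to v2.
function demo() {
  const store = new ConsentStore();
  store.recordConsent('u1', { analytics: true }, 'v1'); // marketing left unset
  const before = {
    analytics: store.isAllowed('u1', 'analytics', 'v1'),
    marketing: store.isAllowed('u1', 'marketing', 'v1'),
  };
  const afterBump = store.isAllowed('u1', 'analytics', 'v2');
  return { before, afterBump, needsReconsent: store.needsReconsent('u1', 'v2') };
}
```

The "equal ease of accepting vs rejecting" point lives in the UI, not here; what the store guarantees is that a reject-all click and a never-answered banner produce the same result (nothing optional allowed), so the UI cannot quietly grant more than the user chose.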
5. Vendor Due Diligence
Every third-party service your app touches that handles personal data is a "data processor" under GDPR. You need:
- A signed Data Processing Agreement (DPA) with each
- Documented transfers under Article 46 (SCCs for US vendors)
- A way to revoke access if they're breached
Common oversight: using npm packages that phone home (analytics, error tracking, fonts) without documenting them.
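Sections 1, 3 and 5 all come back to the same record: a register that, for each processing activity, states the purpose, the legal basis (with a documented LIA wherever that basis is legitimate interest), the retention period, and every processor together with its DPA and transfer mechanism. Below is an added example, not from the original post, of a validator over such a register kept as structured data. The field names (`purpose`, `legalBasis`, `liaReference`, `retentionDays`, `dataCategories`, `processors`, `dpaSigned`, `inEEA`, `transferMechanism`), the sample register and the vendor names in it are assumptions constructed for the example. The final check compares the register against a list of vendors observed sending data (for instance from an egress or dependency inventory), which is how the "packages that phone home" oversight above surfaces as a finding.

```javascript
// Added example (not from the original post): validate a ROPA kept as data.
// All field names and the sample register below are assumptions made here.
const LEGAL_BASES = [
  'consent', 'contract', 'legal_obligation',
  'vital_interests', 'public_task', 'legitimate_interest',
];
// Adequacy decisions are Article 45; SCCs and BCRs are Article 46 safeguards.
const TRANSFER_MECHANISMS = ['adequacy_decision', 'SCCs', 'BCRs'];

// Check one processing activity; returns a list of findings (empty = OK).
function checkActivity(activity) {
  const findings = [];
  const where = `activity "${activity.name || '(unnamed)'}"`;

  if (!activity.purpose) findings.push(`${where}: missing purpose`);
  if (!LEGAL_BASES.includes(activity.legalBasis)) {
    findings.push(`${where}: legal basis must be one of ${LEGAL_BASES.join(', ')}`);
  }
  // Section 3: legitimate interest is only usable with a documented LIA.
  if (activity.legalBasis === 'legitimate_interest' && !activity.liaReference) {
    findings.push(`${where}: legitimate interest used without a documented LIA`);
  }
  if (!Number.isInteger(activity.retentionDays) || activity.retentionDays <= 0) {
    findings.push(`${where}: retention period missing or not a positive number of days`);
  }
  if (!Array.isArray(activity.dataCategories) || activity.dataCategories.length === 0) {
    findings.push(`${where}: no data categories listed`);
  }
  // Section 5: every processor needs a DPA; non-EEA ones need a transfer mechanism.
  for (const p of activity.processors || []) {
    if (!p.dpaSigned) findings.push(`${where}: processor ${p.name} has no signed DPA`);
    if (!p.inEEA && !TRANSFER_MECHANISMS.includes(p.transferMechanism)) {
      findings.push(`${where}: transfer to ${p.name} outside the EEA has no documented mechanism`);
    }
  }
  return findings;
}

// Check the whole register, then flag vendors seen sending data that no entry names.
function checkRegister(register, observedVendors = []) {
  const findings = register.activities.flatMap((a) => checkActivity(a));
  const documented = new Set(
    register.activities.flatMap((a) => (a.processors || []).map((p) => p.name))
  );
  for (const vendor of observedVendors) {
    if (!documented.has(vendor)) {
      findings.push(`vendor "${vendor}" sends data but appears in no ROPA entry`);
    }
  }
  return findings;
}

// Constructed sample register: one clean entry, one with several gaps.
const SAMPLE_REGISTER = {
  activities: [
    {
      name: 'Account management',
      purpose: 'Provide the service the user signed up for',
      legalBasis: 'contract',
      dataCategories: ['email', 'name'],
      retentionDays: 365,
      processors: [{ name: 'AWS', inEEA: true, dpaSigned: true }],
    },
    {
      name: 'Product analytics',
      purpose: 'Understand feature usage',
      legalBasis: 'legitimate_interest', // no liaReference -> finding
      dataCategories: ['usage events'],
      retentionDays: 0,                  // -> finding
      processors: [
        { name: 'Mixpanel', inEEA: false, dpaSigned: true }, // no transferMechanism -> finding
      ],
    },
  ],
};

// 'ErrorTrackerCo' is a constructed vendor observed sending data but never registered.
function demo() {
  return checkRegister(SAMPLE_REGISTER, ['AWS', 'Mixpanel', 'ErrorTrackerCo']);
}
```

Running `demo()` yields four findings: the missing LIA, the zero retention period, the undocumented transfer to the non-EEA processor, and the vendor that no entry names. Putting the register under version control and running this check in CI is the difference between a ROPA written once at launch and one that stays true.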
Automating the Audit
Running these checks manually is error-prone and time-consuming. Tools like CompliPilot automate 200+ compliance checks across GDPR, HIPAA, CCPA, and NIS2 — giving you a scored audit report in under 60 seconds, with specific remediation steps for each finding.
The goal isn't perfect compliance overnight. It's knowing exactly where your gaps are so you can prioritise the highest-risk issues first.