GDPR mandates how organizations collect, process, and protect the personal data of people in the EU. With fines of up to 4% of global annual turnover, understanding privacy by design, data processing agreements, and the technical measures that back them up is essential.
GDPR (General Data Protection Regulation), known in the Netherlands as AVG (Algemene Verordening Gegevensbescherming), is the European privacy regulation that has applied since May 25, 2018. It governs how organizations must collect, process, store, and protect the personal data of individuals in the EU. It applies not only to organizations established in the EU but also to any organization, wherever it is headquartered, that offers goods or services to people in the EU or monitors their behaviour, which gives it a genuinely global reach and impact.

The GDPR is built on seven processing principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles must be translated into concrete technical and organizational measures in every application that handles personal data.

Privacy by design and privacy by default are mandatory (Article 25). Data protection must be engineered into the software architecture from the earliest design phase, not bolted on afterwards, and by default an application should collect only the minimum personal data necessary and ship with the most privacy-friendly settings.

Every processing activity needs a lawful basis (Article 6), chosen before processing starts rather than reverse-engineered afterwards. The six bases are: consent of the data subject; performance of a contract; a legal obligation; protection of vital interests; a task carried out in the public interest or in the exercise of official authority; and legitimate interest. Consent only has to be explicit where special category data is processed (Article 9).

A Records of Processing Activities (ROPA) document catalogs all processing activities, including their purpose, categories of personal data, retention periods, and security measures. Data Protection Impact Assessments (DPIAs) are mandatory for high-risk processing, such as systematic and extensive profiling, large-scale processing of special category data (health records, biometric data used to identify people) or of data on criminal convictions, and systematic monitoring of publicly accessible areas.

Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. If the breach poses a high risk to individuals, they must also be notified directly. The 72-hour clock starts at awareness, not at root-cause confirmation, so detection and escalation paths must exist before an incident happens.
The GDPR does not prescribe specific algorithms: Article 32 requires measures "appropriate" to the risk, and the concrete choices below reflect current good practice rather than legal text. Typical technical measures include encryption at rest (AES-256) and in transit (TLS 1.3); pseudonymization and, where possible, anonymization (pseudonymized data is still personal data under the GDPR, while properly anonymized data falls outside it); role-based access control (RBAC) so that staff see only the data their function requires; and audit logging of processing activities. Alongside these, the software must support data subject rights: the right to erasure (deletion or irreversible anonymization on request), data portability (export in a machine-readable format such as JSON or CSV), and cookie consent management compliant with the ePrivacy Directive. Violations can result in fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.
MG Software builds GDPR-compliant software by embedding privacy by design as a core principle in every project. We implement data encryption (AES-256 at rest, TLS 1.3 in transit), role-based access control through Postgres Row Level Security policies in Supabase, and comprehensive audit logging that records every read and write operation on personal data. Cookie consent management is built to ePrivacy Directive standards, with granular controls for analytics, marketing, and functional cookies. The right to erasure is implemented as an automated deletion workflow that removes or anonymizes all personal data within the one-month response window Article 12 sets for data subject requests. For data portability, we build export functionality in JSON and CSV formats. Every application we deliver includes a processing register template and technical documentation that the client can use for compliance audits with their Data Protection Officer or supervisory authority.
GDPR compliance is not merely a legal checkbox; it is a tangible competitive advantage. Customers and partners increasingly choose organizations that demonstrably handle personal data with care, particularly in sectors like healthcare, finance, and e-commerce where trust is paramount. Non-compliance carries not only potentially severe financial penalties (up to 4% of global annual revenue) but also significant reputational damage that can erode customer confidence for years. Proactive compliance also reduces the risk of costly data breach incidents: the average cost of a data breach in Europe exceeds four million euros according to the IBM Cost of a Data Breach Report. By treating privacy by design as a standard practice, you avoid expensive retrofit projects and build lasting trust with users, partners, and regulatory authorities.
A common mistake is treating GDPR compliance as a one-time project rather than an ongoing process. Privacy regulations evolve, software changes, and new data processing activities require fresh assessment. Without regular reviews, your compliance posture deteriorates quickly. Another pitfall is relying on generic cookie consent banners that do not meet supervisory authority requirements: consent must be freely given, specific, informed, and unambiguous, so pre-ticked checkboxes and "reject" buttons hidden behind extra clicks do not count. Many organizations also neglect to sign data processing agreements (DPAs, Article 28) with all sub-processors (cloud providers, email services, analytics tools), which creates a direct compliance gap. Finally, teams underestimate the technical complexity of the right to erasure: removing personal data from primary systems, backups, logs, and connected services requires a data architecture that accounts for deletion (or in-place anonymization where other records must be retained) from the very beginning of the design process.
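The row-level access control, audit logging, erasure and export mechanisms described above, as an added example that is not MG Software's or Supabase's own code. It is PostgreSQL SQL for a Supabase project, where auth.uid() returns the calling user's id and auth.jwt() the caller's JWT claims; the customers and customer_audit tables, the support role claim, and the function names are hypothetical. It also shows the erasure design point from the last paragraph: identifying fields are overwritten in place so that records kept under a legal retention duty stay consistent.

```sql
-- Added example, not MG Software's or Supabase's code. Assumes Supabase-hosted Postgres:
-- auth.uid() = calling user's id, auth.jwt() = caller's JWT claims. Table, column,
-- claim and function names are hypothetical.

create table customers (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null,          -- the data subject's auth user id
  email      text,
  full_name  text,
  phone      text,
  created_at timestamptz not null default now(),
  erased_at  timestamptz             -- set by erase_customer(), never cleared
);

-- Append-only trail of who touched which row. RLS with no policies blocks direct
-- access; only the SECURITY DEFINER functions below (run as the table owner) write to it.
create table customer_audit (
  id       bigserial primary key,
  customer uuid not null,
  actor    uuid,                     -- auth.uid() of the caller; null for batch jobs
  action   text not null check (action in ('read','insert','update','delete','erase')),
  at       timestamptz not null default now()
);
alter table customer_audit enable row level security;

create or replace function log_customer_access(p_customer uuid, p_action text)
returns void language sql security definer set search_path = public as $$
  insert into customer_audit (customer, actor, action)
  values (p_customer, auth.uid(), p_action);
$$;

-- 1. Row-level RBAC: deny by default, then grant the narrowest set of rows per role.
alter table customers enable row level security;
alter table customers force row level security;   -- policies bind the table owner too

create policy customers_self on customers
  for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Support staff carry a 'role' claim in app_metadata, which only the backend can set
-- (user_metadata is editable by the user and must never be used for authorization).
-- They may read live rows, never erased ones, and never write.
create policy customers_support_read on customers
  for select
  using ((auth.jwt() -> 'app_metadata' ->> 'role') = 'support' and erased_at is null);

-- 2. Audit every write with a trigger. Postgres triggers do not fire on SELECT, so
--    reads are logged by routing them through read_customer() / export_my_data().
create or replace function audit_customer_write() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  perform log_customer_access(
    case when tg_op = 'DELETE' then old.id else new.id end, lower(tg_op));
  return null;                                    -- AFTER trigger: return value ignored
end $$;

create trigger customers_audit
  after insert or update or delete on customers
  for each row execute function audit_customer_write();

-- SECURITY INVOKER (the default): the caller's own RLS policies decide visibility.
create or replace function read_customer(p_id uuid) returns customers
language plpgsql as $$
declare r customers;
begin
  select * into strict r from customers where id = p_id; -- raises if RLS hides the row
  perform log_customer_access(r.id, 'read');
  return r;
end $$;

-- 3. Right to erasure: overwrite identifying fields in place rather than deleting the
--    row, so references from records kept under a legal retention duty (invoices, for
--    example) stay valid while the row no longer identifies anyone. Idempotent.
create or replace function erase_customer(p_id uuid) returns void
language plpgsql as $$
begin
  update customers
     set email = null, full_name = null, phone = null, erased_at = now()
   where id = p_id and erased_at is null;         -- RLS: only the caller's own row
  if not found then
    raise exception 'customer % not found, not owned by caller, or already erased', p_id;
  end if;
  perform log_customer_access(p_id, 'erase');
end $$;

-- 4. Data portability: a machine-readable document of the caller's own live rows.
--    The internal owner_id is stripped; the export itself is logged as a read.
create or replace function export_my_data() returns jsonb
language plpgsql as $$
declare doc jsonb;
begin
  perform log_customer_access(c.id, 'read') from customers c where c.erased_at is null;
  select coalesce(jsonb_agg(to_jsonb(c) - 'owner_id'), '[]'::jsonb) into doc
    from customers c where c.erased_at is null;   -- RLS narrows this to the caller's rows
  return doc;
end $$;
```

Two design choices are worth checking in your own schema: the audit table has RLS enabled with no policies, so nothing but the owner-run definer functions can write to it, and erase_customer() is deliberately SECURITY INVOKER so a user can only erase rows their RLS policy lets them update. Backups are outside what this SQL can reach; they need a documented retention and overwrite cycle of their own.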