What data protection really means when building products — data minimisation, data processing agreements, third-country transfers.
Category · Security & Compliance
What the GDPR means in product building.
The General Data Protection Regulation governs how personal data may be processed. In product building that mainly means three things: data minimisation (only collect what's genuinely needed), purpose limitation (only use data for the original purpose) and a legal basis for every processing activity.
In practice that shows up in the data model itself: which fields are needed at all, how long they're stored, and how to delete them again reliably.
Where it earns its keep in a project.
As soon as external service providers process data — hosting, mail delivery, analytics — you need a data processing agreement (DPA). With US providers, the question of third-country transfers comes on top: without a sound legal basis, such tools don't belong in a production system.
We build deletion concepts, access and export paths in from the start rather than retrofitting them later. As an ISO 27001-certified operator, we know the difference between data protection on paper and in live operation.
What the GDPR isn't.
The GDPR is no obstacle to good products, and no licence for paralysis either. But it's no substitute for legal advice: we implement technical and organisational measures, while the legal assessment in the individual case remains a matter for data protection officers and lawyers.
