GDPR developer's guide
The Developer's Guide to GDPR provides a first approach to the main principles of GDPR and the different points of attention to consider when developing and deploying applications that respect the privacy of users.
If you have a GitHub account, you can participate in the Developer's Guide to GDPR. Your contribution will be reviewed by the CNIL before publication.
Sheet n°0: Develop in compliance with the GDPR
The following steps will help you in developing privacy-friendly applications or websites:
Be aware of the GDPR core principles
If you work in a team, we recommend that you identify a person responsible for monitoring compliance…
Sheet n°1: Identify personal data
Definition
The notion of personal data is defined in the General Data Protection Regulation (GDPR) as “any information relating to an identified or identifiable natural person (referred to as "data subject")”. It covers a broad scope that…
Sheet n°2: Prepare your development
Methodological choices
Put privacy protection at the center of your developments by adopting a Privacy By Design methodology.
If you use agile methods for your developments, consider integrating security at the center of your process. The…
Sheet n°3: Secure your development environment
Assess your risks and adopt the appropriate security measures
Assess the risks in the tools and processes used for your developments. Make an inventory of your existing security measures and define an action plan to improve your risk coverage…
Sheet n°4: Manage your source code
Set up your version control system efficiently, thinking about its security
A version control system is a software program that allows you to store all your source code and associated files, while keeping the chronology of all changes that…
Sheet n°5: Make an informed choice of architecture
Examining the life cycle of data and processes, from collection to erasure
Represent and describe how the product generally works before starting your project, with a diagram of data flows and a detailed description of the processes carried out.
…
Sheet n°6: Secure your websites, applications and servers
Securing communication networks
Implement TLS version 1.2 or 1.3 (replacing SSL) on all websites and for the data transmissions of your mobile applications, for example with Let's Encrypt, using only the most recent versions and checking its correct…
Sheet n°7: Minimize the data collection
Before collection, think about the different types of data you need to collect and try to limit your collection to what is strictly necessary
Think about the different types of data that will need to be collected before an application is…
Sheet n°8: Manage user profiles
Good practices for user management
It all starts with the use of unique and individual identifiers, whether they are users of your application or collaborators in development.
Make sure to impose authentication before any access to personal…
Sheet n°09: Control your libraries and SDKs
Make an informed choice
Assess the value of adding each dependency. Some commonly used software bricks are only a few lines long. However, each added element is an increase in your system’s attack surface. In the case where a single library…
Sheet n°10: Ensure quality of the code and its documentation
Document code and architecture
Documentation is sometimes left out during development, due to lack of time or visibility on the project. However, it is crucial for the maintainability of your project: it allows you to understand how the code…
Sheet n°11: Test your applications
Automate testing
The development tests (unit, functional, etc.) verify that the product behaves as its specifications require. The security tests (random data tests, also called “fuzzing”, vulnerability scans, etc.)…
Sheet n°13: Prepare for the exercise of people’s rights
Minimum measures to be put in place
All organisations that use personal data have the obligation to indicate where and how individuals can exercise their rights in relation to this data. For example, you can mention an e-mail address or a web…
Sheet n°14: Define a data retention period
Data retention cycles
The personal data retention cycle can be divided into three distinct successive phases:
The active database;
Intermediate archiving;
Final archiving or deletion.
The mechanisms for deleting personal…
Sheet n°15: Take into account the legal basis in the technical implementation
Definition of the legal bases in the GDPR
In the context of a development for a private organisation (companies, associations, etc.), the legal bases most often used are:
The contract: the processing is necessary for the performance or…
Sheet n°16: Use analytics on your websites and applications
Obtaining consent
Generally speaking, before depositing or reading a cookie or tracker, publishers of sites or applications must:
inform Internet users of the purpose of cookies;
obtain their consent;
provide them with a means of…