What is GDPR?

The General Data Protection Regulation (GDPR) is perhaps the strictest privacy law in the world and was introduced by the European Union. Since it took effect on May 25, 2018, GDPR has been directly and constantly affecting web development.

Simply put, the purpose of GDPR is to ensure that the personal data of EU citizens is protected at all costs when it is collected and processed. Even though it was passed by the EU, it applies to every organization around the globe that collects or targets the personal data of EU citizens. Furthermore, very high fines are issued as penalties for violating GDPR: €20 million or 4% of the violating company’s global revenue (whichever is higher). Data subjects are also given the right to seek compensation for the damage they suffer.

What is Personal Data?

Personal data is defined as “any information relating to an identified or identifiable natural person”. In addition, sensitive personal data such as health data, sexual orientation, past criminal convictions, religious beliefs, etc. must be protected. This sensitive personal data needs more protection than generic personal data.

What else concerns web development?

GDPR also protects personal data such as genetic data, biometric data, location data, online identifiers, etc. This is especially important for web developers, since it covers data such as IP addresses, fingerprints, cookies, user account information or any other data that can be used to identify an individual on the web.

The data protection principles listed below are defined by GDPR and should be followed when accessing, collecting, processing and storing personal data.

Lawfulness, fairness and transparency

Subjects should be aware of the data collection and processing. This is typically communicated in the privacy policy of the website. It is important that the privacy policy is kept up to date.

Purpose limitation

Data should be used only for legitimate purposes that are specified to the subject prior to collection.

Data Minimization

No more data than is absolutely required for the specified purpose should be collected.

Accuracy

Collected data should be accurate and up to date.

Integrity and confidentiality

Measures such as data encryption and two-factor authentication should be used to ensure integrity and confidentiality.

Accountability

The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles. This means that the data controller should be able to show how the system complies with GDPR and what actions have been taken to protect personal data.

Consent of the data subject

GDPR specifically describes how the data subject’s consent to data collection and storage should be obtained.

  1. Consent should be “freely given, specific, informed and unambiguous”

  2. Requests for consent must be in clear language and specific to the matter at hand.

  3. Data subjects are allowed to withdraw previously given consent whenever they wish, and the data controller should respect that decision.

  4. For children under 13 years of age, data processing should only be done with the consent of a parent.

  5. Above all, evidence of the consent should be documented.

Data subject’s privacy rights

  1. Right to be informed — Consent of the data subject plays a huge role here

  2. Right of access — Data subjects are allowed to request their data in a commonly used data format whenever necessary

  3. Right to rectification — Data subjects should be given the opportunity to change incomplete or incorrect data

  4. Right to erasure — Data subjects can have their data completely removed. Also known as “right to be forgotten”

  5. Right to restrict processing — Data subjects can restrict the controller from processing their data even though the controller is still allowed to store it

  6. Right to data portability — Individuals are allowed to obtain and reuse their personal data for their own purposes

  7. Right to object — Data subjects can object to their data being used for purposes such as direct marketing, research and statistics

  8. Rights in relation to automated decision making and profiling — Automated decision making and profiling can be carried out only when it is necessary for entering into or performing a contract, or is authorized by domestic law applicable to the controller, or is based on the individual’s explicit consent


This website does not track any details relating to normal users. Session information is stored for administrator access only.

There are no third-party tracking tools installed on this website.

Would you like to know more?

Maybe you would like to find out more about me. Why not get in touch by email?

All rights reserved
AIM Development