RGPD and software development: complete checklist for compliance

RGPD compliance is not just a subject for lawyers and DPOs. It begins in the code editor, in the architecture choices and in the design of the database. For development teams, ignoring it does not mean protecting themselves from it - it means silently accumulating a regulatory debt that always ends up costing dearly.

Here's what you really need to put in place, without unnecessary legal jargon.

Why the RGPD directly concerns your development teams

What the law actually requires of software publishers and developers

The General Data Protection Regulation applies to any organisation that collects, stores or processes the personal data of European residents, whatever its size or location. For a software publisher or a Belgian SME that develops an application, this translates into very concrete obligations: documenting processing, securing data, informing users, and being able to demonstrate compliance at any time.

This last point is often underestimated. The RGPD doesn't just ask you to be compliant - it requires you to be able to prove it. This is known as the principle of accountability, and it is what turns compliance into an engineering discipline.

Privacy by design: integrating compliance at the design stage, not afterwards

Privacy by design is one of the founding principles of the RGPD. It requires data protection to be taken into account right from the design phase of a software application, not once the product has been delivered. In practice, this means asking the right questions before writing the first line of code: what data is really needed? Who will have access to it? How long will it be kept? How will it be deleted?

Integrating these issues upstream is far less expensive than overhauling the architecture of a web application that already processes personal data in production. This is the same logic as shift-left security, applied to data protection. As we saw with on-premise and European cloud solutions, the hosting and architecture choices you make from the outset largely determine your actual level of compliance.

Real penalties for non-compliance

RGPD penalties are not theoretical. The Belgian Data Protection Authority (DPA) has already imposed significant fines on companies of all sizes. The regulation provides for penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher. Beyond the fine, it is the reputational risk and the loss of customer confidence that are often the real cost of a compliance incident.

RGPD checklist: the 3 non-negotiable pillars of your software

Collection, consent and user rights

First pillar: collect only what is strictly necessary. The RGPD principle of data minimisation forbids storing information “in case it is useful one day”. Every form field, every log, every piece of data in a database must have an explicit, documented purpose.

Under the RGPD, user consent must be free, informed, specific and revocable. A pre-ticked box, a clause buried in the T&Cs or a grouped consent are not valid. Your interface must allow users to give their consent granularly, and to withdraw it as easily as they gave it.

Finally, your software must technically implement user rights: right to erasure (complete deletion of data, including backups), right to portability (export in a readable format), right of access and right of rectification. These functionalities are not options: they are compulsory, and their absence constitutes a blatant non-compliance.

Technical security: encryption, pseudonymisation and access control

Second pillar: technical data security. The RGPD imposes “appropriate” measures without detailing an exhaustive list, which means that you must demonstrate that you have applied the state of the art. In practice, this covers encryption of data at rest and in transit, pseudonymisation of sensitive data in test and development environments, fine-grained management of access rights according to the principle of least privilege, and audit logs that trace access to personal data.

Data security in development also implies that you should never use real personal data in your test environments, a practice that is still widespread but clearly non-compliant. The new cyber security threats make it all the more urgent to treat these issues as engineering priorities, not administrative constraints.
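One way to keep real identifiers out of test environments while still getting realistic, joinable data is keyed pseudonymisation: the job that exports production data replaces each direct identifier with an HMAC-SHA256 token computed under a key that never leaves production. The following is an added example, not code from the article or from Iterates; the key value, the list of identifier columns and the two sample tables are constructed for illustration. The same person maps to the same token in every table, so foreign keys on e-mail addresses still join in test, and the final check verifies that no original identifier survives anywhere in the export.

```python
import hashlib
import hmac
import json

# Key held only by the job that produces the test dataset from production;
# it is never deployed to the test environment. Constructed example value.
PSEUDONYMISATION_KEY = b"example-key-for-illustration-only"

# Columns that directly identify a person. Anything listed here is replaced
# before data leaves production. (Constructed list for this example.)
DIRECT_IDENTIFIERS = {"email", "customer_email", "full_name", "phone"}


def pseudonymise_value(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Return a keyed HMAC-SHA256 token for one identifier.

    Normalising case and whitespace first keeps the mapping stable, so the
    same person maps to the same token across tables and joins still work
    in test. Unlike a plain SHA-256 of an e-mail address, the token cannot
    be recovered by hashing candidate addresses without the key.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "pseudo_" + digest[:24]


def pseudonymise_record(record: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Pseudonymise the direct identifiers of one row; leave other fields as-is."""
    return {
        field: pseudonymise_value(value, key)
        if field in DIRECT_IDENTIFIERS and isinstance(value, str) and value
        else value
        for field, value in record.items()
    }


def pseudonymise_export(tables: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Pseudonymise every table of an export (table name -> list of rows)."""
    return {
        name: [pseudonymise_record(row, key) for row in rows]
        for name, rows in tables.items()
    }


def leaked_identifiers(export: dict, source: dict) -> list:
    """Audit check: which original identifier values still appear in the export?"""
    serialised = json.dumps(export).lower()
    leaked = []
    for rows in source.values():
        for row in rows:
            for field, value in row.items():
                if field in DIRECT_IDENTIFIERS and isinstance(value, str) and value:
                    if value.strip().lower() in serialised:
                        leaked.append(value)
    return leaked


# Constructed sample export: two tables linked by the customer's e-mail.
SOURCE_TABLES = {
    "customers": [
        {"id": 1, "email": "Alice@Example.be", "full_name": "Alice Dupont", "plan": "pro"},
        {"id": 2, "email": "bob@example.be", "full_name": "Bob Peeters", "plan": "free"},
    ],
    "orders": [
        {"order_id": 101, "customer_email": "alice@example.be", "amount_eur": 49.0},
        {"order_id": 102, "customer_email": "bob@example.be", "amount_eur": 9.0},
    ],
}

if __name__ == "__main__":
    export = pseudonymise_export(SOURCE_TABLES)
    print(json.dumps(export, indent=2))
    print("leaked identifiers:", leaked_identifiers(export, SOURCE_TABLES))
```

Run `leaked_identifiers` as a gate in the export pipeline: if it returns anything, the dataset must not be pushed to the test environment. Rotating the key produces a completely different token set, which is what you want when a test database has to be regenerated.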

Subcontractors, third-party APIs and data processing register

The third pillar, which is often overlooked, is that your responsibility does not stop at the boundaries of your code. Each third-party service that you integrate, whether it's an analytics API, a support tool, an emailing service or a payment solution, constitutes a processor within the meaning of the RGPD. You must conclude a data processing contract with each of them, check their compliance guarantees and ensure that they do not use your data for their own purposes.

This point takes on a particular dimension with the LLM cloud and AI tools. As soon as you send user data to an external API for processing, you must ensure that the supplier complies with the European framework. The question of data confidentiality with ChatGPT in the workplace is a perfect illustration of this risk, which many companies discover after industrialising their uses.

The register of RGPD processing operations is the central tool for your compliance: it documents the purpose, categories of data, recipients, retention periods and security measures for each processing operation. Compulsory for organisations with more than 250 employees, it is strongly recommended for all others: it is your first line of defence in the event of an audit.

The most common errors in software development

Application logs containing personal data

This is one of the most widespread non-compliances. Application logs frequently contain email addresses, identifiers, browsing data or session information, without anyone really having decided to log them. This data is rarely documented in the data-processing register, is kept for an unlimited period and is accessible to third parties unnecessarily. A log audit is often the first surprise of a compliance exercise.
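The two practical responses to this problem are an audit of what the existing logs already contain and a redaction step that strips identifiers before a line is ever written. The example below is added here and is not code from the article or from Iterates: it defines a small set of patterns (e-mail addresses, session/token values and IPv4 addresses, chosen for illustration), a `logging.Filter` that applies them to every record of Python's standard logging module, and an audit function run over a few constructed log lines that counts which categories of personal data appear.

```python
import io
import logging
import re
from collections import Counter

# Kinds of personal data that most often leak into application logs, each
# with the placeholder that replaces it. Constructed for this example; tune
# the patterns to the identifiers your own application handles.
PII_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<email>"),
    # Session and token values: keep the key name, drop the secret.
    ("token", re.compile(r"\b(session|sessionid|token)=[^\s;,]+", re.IGNORECASE), r"\1=<redacted>"),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
]


def redact_pii(text: str) -> str:
    """Replace every recognised identifier in a string with its placeholder."""
    for _, pattern, replacement in PII_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def find_pii(text: str) -> list:
    """Return the names of the PII categories present in a line (audit use)."""
    return [name for name, pattern, _ in PII_PATTERNS if pattern.search(text)]


class PiiRedactingFilter(logging.Filter):
    """Redact the message template and its string arguments before formatting.

    Attached to a handler, it runs for every record that handler emits, so
    developers cannot forget to scrub a particular call site.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pii(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact_pii(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_pii(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def render_with_filter(msg: str, *args) -> str:
    """Log one message through the filter and return what would be written."""
    logger = logging.getLogger("rgpd.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.addFilter(PiiRedactingFilter())
    logger.addHandler(handler)
    logger.info(msg, *args)
    handler.flush()
    return buffer.getvalue().strip()


def audit_log_lines(lines) -> dict:
    """Count, per PII category, how many lines of an existing log contain it."""
    counts = Counter()
    for line in lines:
        for name in find_pii(line):
            counts[name] += 1
    return dict(counts)


# Constructed sample log lines, standing in for an existing application log.
SAMPLE_LOG_LINES = [
    "2024-05-02 10:14:03 INFO login ok user=alice@example.be ip=192.0.2.10",
    "2024-05-02 10:14:09 DEBUG session=9f1c2b7a4e8d token issued",
    "2024-05-02 10:15:44 INFO order 8812 shipped",
    "2024-05-02 10:16:01 WARN password reset requested for bob@example.be",
]

if __name__ == "__main__":
    print("audit of existing log:", audit_log_lines(SAMPLE_LOG_LINES))
    print(render_with_filter("password reset requested for %s", "bob@example.be"))
```

The audit output is what feeds the processing register: a log file that carries e-mail addresses and session identifiers is a processing operation with a purpose, a retention period and a recipient list, whether or not anyone intended it. The filter then keeps the count at zero for new entries; pair it with a retention setting on the log store so that what does get written is not kept indefinitely.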

Cookies and trackers deposited without valid consent

The regulations on cookies are among the most closely monitored by the European data protection authorities. Setting analytics or advertising cookies before collecting consent, using a dark pattern to steer users towards “accept everything”, or failing to offer a refusal option that is as accessible as acceptance are offences that have been documented and punished. Your RGPD software development must incorporate consent management that is technically sound, not merely cosmetically acceptable.

Cloud hosting outside the EU with no contractual guarantees

Hosting the personal data of European citizens on servers located outside the European Union without an appropriate legal framework constitutes an unlawful transfer of data. The dependence on the US cloud is a growing concern for European businesses, especially as successive rulings by the European Court of Justice have undermined several transfer mechanisms. If you use US cloud services, make sure that valid standard contractual clauses are in place and document this.

Iterates, your partner for compliant software development

RGPD compliance audit of your existing applications

We carry out technical RGPD compliance audits of your existing applications: analysis of data flows, review of documented processes, identification of priority non-compliances and an actionable remediation plan. The aim is not to produce a report: it's to give you a concrete roadmap for your development team.

Integrating privacy by design into your new projects

For your new projects, we take RGPD requirements into account from the design phase: data modelling, choice of architecture, definition of retention periods, implementation of user rights and selection of subcontractors. This tailor-made approach to business applications ensures that compliance is built into the product, not added on top of it.

Ongoing support for regulatory changes

The regulatory framework is constantly evolving: AI Act, new guidelines from the supervisory authorities, case law on data transfers. We help our customers to keep abreast of the latest regulations and continually adapt their development practices to ensure that they remain compliant over the long term.

Ready to make your software RGPD compliant?

RGPD compliance is not a destination: it's an ongoing discipline. Teams that integrate it into their development process from the outset do not suffer from it. They turn it into a competitive advantage, particularly in the face of key account customers and public tenders, which now systematically require it.

→ Discuss your project with Iterates

Author
Rodolphe Balay
Rodolphe Balay is co-founder of iterates, a web agency specialising in the development of web and mobile applications. He works with businesses and start-ups to create customised, easy-to-use digital solutions tailored to their needs.
