GDPR is not just a legal document. It requires specific technical measures — encryption, pseudonymization, data portability, right to erasure.

Key Requirements¶

• Encryption of personal data (at rest + in transit)
• Pseudonymization where possible
• Data minimization — collect only what is necessary
• Right to erasure — deletion upon request
• Data portability — export in machine-readable format
• Breach notification — 72 hours

Implementation¶

Pseudonymization¶

import hashlib def pseudonymize(email): return hashlib.sha256(email.encode() + SALT).hexdigest()

Right to erasure¶

async def delete_user_data(user_id): await db.users.delete(user_id) await db.orders.anonymize(user_id) # Anonymize, not delete await db.logs.redact(user_id) await search_index.delete(user_id) await backups.mark_for_deletion(user_id)

Data export (portability)¶

async def export_user_data(user_id): data = { “profile”: await db.users.get(user_id), “orders”: await db.orders.list(user_id), “preferences”: await db.prefs.get(user_id), } return json.dumps(data, indent=2)

Key Takeaway¶

Encrypt, pseudonymize, minimize data. Implement erasure and export APIs. Breach notification within 72 hours.