---
title: GDPR Data Handling
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/gdpr-data-handling/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/gdpr-data-handling/
last_updated: 2026-06-20
---

# GDPR Data Handling

> Implement GDPR-compliant data handling with consent management, data subject rights, and…

A practical implementation guide for GDPR-compliant data handling built on privacy-by-design, data minimization, and a full data-subject-rights workflow. It covers consent lifecycle management, access and erasure request handling, retention policy enforcement, and 72-hour breach notification with working code patterns. Designed to make compliance structural, so a leak or violation is caught at every layer rather than discovered after a fine.

## Use cases
- Building systems that process EU personal data with a lawful basis per activity
- Implementing opt-in consent management with full audit trails
- Handling data subject access, erasure, and portability requests within deadline
- Enforcing retention policies with anonymization or deletion at expiry
- Designing a privacy-first data model that separates and encrypts PII
- Running a 72-hour breach notification process for the authority and affected users

## Benefits
- Reduce exposure to fines of up to 4% of annual global turnover (or €20M, whichever is higher) with structural, documented compliance
- Build user trust through transparent consent and fast response to deletion requests
- Respond to data subject requests inside the legal one-month window (Article 12(3), extendable by two further months only for complex or numerous requests)
- Limit breach exposure by minimizing data collected and encrypting what you keep

## What’s included
- Consent management data model and service with audit log and downstream events
- GDPR-compliant cookie consent UI with no pre-checked boxes
- Data subject access, erasure, and portability request handlers with legal-exception checks
- Retention policy engine with anonymize-or-delete logic per data category
- Privacy-by-design schema separating encrypted PII from pseudonymized analytics
- Breach notification handler with severity classification and authority reporting plus a compliance checklist

## Who it’s for
Engineers and compliance owners building systems that process EU personal data and need GDPR compliance baked into the architecture, not bolted on.

## How it runs
Compliance here is machinery, not a policy PDF. Every processing activity maps to an Article 6 basis, consent lives as a full lifecycle with proof, erasure stays honest about legal retention, and the 72-hour breach clock comes pre-coded.
1. Classifies every processing activity against the six Article 6 lawful bases first and records the choice (account is contract, tax records are legal obligation, marketing email is consent, security logs are legitimate interest), because choosing consent as the basis means a withdrawal right must exist (Article 7(3)).
2. Builds consent as a lifecycle, not a checkbox: each record stores purpose, granted flag, timestamp, source, policy version and IP as proof (the IP is itself personal data, so it needs its own retention limit); withdrawal emits an event downstream so marketing stops and analytics tags drop, and pre-checked boxes are banned outright.
3. Implements data subject request handling against the one-month legal clock (Article 12(3)): access requests collect from every data source into one structured export, portability ships machine-readable JSON, and the deadline plus audit trail live on the request record itself.
4. Runs erasure the honest way: every data source is asked `can_delete` first; what can be deleted is deleted, what cannot (a 7-year tax retention, for example) is kept with the legal reason documented instead of silently skipped.
5. Enforces retention per data category: defined periods with a basis and a trigger date, archive-then-delete where required, and anonymization instead of deletion for analytics (user id, IP and device id nulled in place, which only counts as anonymization if no remaining field can re-identify the row).
6. Keeps the 72-hour breach machinery pre-coded: becoming aware of the breach starts the countdown (Article 33), DPO and security are notified immediately, the authority report generator is ready, and HIGH/CRITICAL severity triggers individual user notification in parallel (Article 34).
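The erasure and retention steps above (ask each source first, delete where allowed, anonymize analytics in place, document the legal hold on anything kept, keep the deadline on the request record) as a runnable sketch. This is an added example, not the product's own code: the `RowStore`, `InvoiceStore`, `AnalyticsStore` and `ErasureRequest` names, the 7-year invoice retention, the 30-day deadline arithmetic and all sample rows are assumptions made for illustration.

```python
"""Added example, not the product's own code: an erasure run that asks each data
source can_delete() first, deletes or anonymizes where allowed, and documents the
legal reason for anything retained. All stores, names and rows are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ANON_FIELDS = ("user_id", "ip", "device_id")  # nulled in place in analytics


class RowStore:
    """A data source with no legal hold: the user's rows can be dropped outright."""
    ACTION = "deleted"

    def __init__(self, name: str, rows: list[dict]) -> None:
        self.name, self.rows = name, rows

    def can_delete(self, user_id: str) -> tuple[bool, str | None]:
        return True, None

    def delete(self, user_id: str) -> int:
        before = len(self.rows)
        self.rows[:] = [r for r in self.rows if r["user_id"] != user_id]
        return before - len(self.rows)


class InvoiceStore(RowStore):
    """Tax records on a legal-obligation basis: held until retention expires."""
    RETENTION = timedelta(days=7 * 365)  # 7-year fiscal retention, assumed here

    def __init__(self, rows: list[dict], now: datetime) -> None:
        super().__init__("invoices", rows)
        self.now = now

    def can_delete(self, user_id: str) -> tuple[bool, str | None]:
        held = [r for r in self.rows
                if r["user_id"] == user_id and self.now - r["issued_at"] < self.RETENTION]
        if held:
            return False, f"Art. 17(3)(b) legal obligation: {len(held)} invoice(s) inside tax retention"
        return True, None


class AnalyticsStore(RowStore):
    """Anonymize in place: events stay for aggregates, identifiers go."""
    ACTION = "anonymized"

    def delete(self, user_id: str) -> int:
        hits = [ev for ev in self.rows if ev.get("user_id") == user_id]
        for ev in hits:
            for f in ANON_FIELDS:
                ev[f] = None
        return len(hits)


@dataclass
class ErasureRequest:
    user_id: str
    received_at: datetime
    audit: list[dict] = field(default_factory=list)

    @property
    def deadline(self) -> datetime:
        return self.received_at + timedelta(days=30)  # Art. 12(3): one month, simplified


def handle_erasure(req: ErasureRequest, sources: list[RowStore]) -> list[dict]:
    """Ask every source first; act where allowed, else record why it is retained."""
    for src in sources:
        ok, reason = src.can_delete(req.user_id)
        if ok:
            req.audit.append({"source": src.name, "action": src.ACTION,
                              "records": src.delete(req.user_id)})
        else:
            req.audit.append({"source": src.name, "action": "retained", "reason": reason})
    return req.audit


def run_demo() -> dict:
    """Constructed scenario: u1 requests erasure with one invoice still inside retention."""
    now = datetime(2026, 6, 20, tzinfo=timezone.utc)
    analytics = AnalyticsStore("analytics", [
        {"user_id": "u1", "ip": "203.0.113.7", "device_id": "d9", "page": "/"},
        {"user_id": "u2", "ip": "198.51.100.4", "device_id": "d2", "page": "/"},
    ])
    sources = [
        RowStore("profiles", [{"user_id": "u1", "email": "u1@example.com"}]),
        InvoiceStore([{"user_id": "u1", "issued_at": now - timedelta(days=400)}], now),
        analytics,
    ]
    req = ErasureRequest("u1", now)
    handle_erasure(req, sources)
    return {"audit": req.audit, "analytics": analytics.rows, "deadline": req.deadline}


if __name__ == "__main__":
    for entry in run_demo()["audit"]:
        print(entry)
```

Two design choices worth noting: the invoice store refuses the whole source while any invoice is inside retention, so the audit entry carries the legal reason rather than a silent skip, and the analytics store reports its action as "anonymized" rather than "deleted" so the request record stays honest about what actually happened to each category.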

## FAQ
### We're based outside the EU, does this still apply to us?
If you offer goods or services to people in the EU, or monitor their behaviour there, GDPR applies (Article 3(2)) regardless of where your company sits. The guide helps you meet those obligations structurally, from consent lifecycle to data-subject request handling.

### How does it handle erasure requests in practice?
It ships request handlers for access, erasure, and portability with legal-exception checks, plus a retention engine that anonymizes or deletes expired data per category. Every consent change and request lands in an audit log.

### Does implementing this make us certified GDPR-compliant?
No. It gives you working code patterns and documented, structural compliance, but it isn't legal advice or a certification. The final compliance review still belongs with your legal counsel.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
