GDPR Compliance Support
Many SMEs use bespoke systems to store customer, student or staff data. I help align those systems with UK GDPR and data protection best practice in a practical, proportionate way — across your .NET web app, SQL Server database, integrations and (where relevant) Android apps.
I’m not a law firm, but I can implement the technical and process changes your legal/compliance adviser recommends, and I can flag common risks I see in real-world systems.
Data mapping
What data you hold, where it lives, who can access it, and why.
Retention
Clear retention rules with deletion/archiving routines that actually run.
SAR exports
Practical data export features for Subject Access Requests.
Access control
Least privilege, audit trails, and safer admin tooling.
A practical approach that works for SMEs
GDPR work is most effective when it’s grounded in reality: the data you genuinely need, the workflows your staff actually use, and the risks that are plausible for your organisation. The goal is measurable improvement — not box-ticking.
Proportionate controls
- Focus on the most sensitive data sets first
- Reduce data collection where it isn’t needed (data minimisation)
- Make access control and auditing consistent across the system
- Ensure policies are supported by features (not undermined by the software)
Typical GDPR-related work (technical & practical)
- Identify what personal data is collected, where it’s stored, and who can access it
- Map how it moves through the system (forms, APIs, imports/exports, integrations)
- Highlight hidden stores: spreadsheets, email inboxes, file shares, logs, backups
- Clarify “purpose” in a practical way (why each data field exists)
- Implement data retention and deletion routines within SQL Server
- Decide on soft delete vs hard delete (based on audit/compliance needs)
- Archiving strategies for older records (reduce exposure and improve performance)
- Consider backups and exports (deletion in the app doesn’t instantly remove historic backups)
- Add or improve SAR export features (structured exports and supporting documents)
- Reduce manual effort by making data retrieval consistent and repeatable
- Capture “context” where useful (timestamps, notes, audit trail entries)
- Ensure exports are secure (access-controlled, time-limited links where appropriate)
- Correction workflows that are auditable (who changed what, and when)
- “Restrict processing” flags where the business process requires it
- Right-to-erasure features where appropriate (with clear business rules)
- Practical handling of linked records (documents, messages, logs)
- Ensure logs and debug data don’t contain unnecessary personal data
- Introduce audit trails for sensitive actions (exports, permission changes, deletions)
- Mask or minimise personal data in admin views where appropriate
- Make incident investigation easier without creating new privacy risks
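The retention, soft-delete, archiving and audit items above, as an added T-SQL example for SQL Server that is not part of the original page or the author's own work. The tables dbo.Student, archive.Student and dbo.AuditEvent, the procedures, the retention_job role and the 2-year, 6-year and 30-day periods are all assumptions chosen for illustration; a real system would take its periods from the organisation's retention schedule.

```sql
-- Added example, not the page's own code: a proportionate retention routine
-- for SQL Server covering soft delete, archiving and hard delete, each with an
-- audit trail entry. Schema, table and column names and the retention periods
-- are assumptions for illustration only.
CREATE TABLE dbo.Student (
    StudentId     int IDENTITY PRIMARY KEY,
    FullName      nvarchar(200) NOT NULL,
    Email         nvarchar(320) NOT NULL,
    LastActiveUtc datetime2(0)  NOT NULL,
    DeletedAtUtc  datetime2(0)  NULL,   -- soft-delete marker (erasure requests)
    DeletedBy     sysname       NULL
);
GO
-- The archive sits in its own schema so access can be granted separately.
CREATE SCHEMA archive AUTHORIZATION dbo;
GO
CREATE TABLE archive.Student (
    StudentId         int PRIMARY KEY,
    FullName          nvarchar(200) NOT NULL,
    Email             nvarchar(320) NOT NULL,
    LastActiveUtc     datetime2(0)  NOT NULL,
    ArchivedAtUtc     datetime2(0)  NOT NULL,
    PurgeNotBeforeUtc datetime2(0)  NOT NULL  -- when hard delete becomes due
);
-- Audit trail holds identifiers only, so it never becomes a second copy of
-- the personal data that was just archived or deleted.
CREATE TABLE dbo.AuditEvent (
    AuditId     bigint IDENTITY PRIMARY KEY,
    OccurredUtc datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME(),
    Actor       sysname       NOT NULL,
    Action      varchar(20)   NOT NULL,  -- SOFT_DELETE, ARCHIVE or PURGE
    StudentId   int           NOT NULL,
    Reason      nvarchar(200) NULL
);
GO
-- Application code reads this view, so soft-deleted rows vanish from normal
-- use immediately while staying recoverable until the purge step runs.
CREATE VIEW dbo.vw_ActiveStudent AS
SELECT StudentId, FullName, Email, LastActiveUtc
FROM dbo.Student WHERE DeletedAtUtc IS NULL;
GO
-- Soft delete for an erasure request: mark the row and record who did it.
CREATE PROCEDURE dbo.usp_SoftDeleteStudent @StudentId int, @Reason nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Actor sysname = SUSER_SNAME();
    UPDATE dbo.Student
    SET DeletedAtUtc = SYSUTCDATETIME(), DeletedBy = @Actor
    OUTPUT @Actor, 'SOFT_DELETE', inserted.StudentId, @Reason
        INTO dbo.AuditEvent (Actor, Action, StudentId, Reason)
    WHERE StudentId = @StudentId AND DeletedAtUtc IS NULL;
END;
GO
-- Scheduled retention job: archive what is stale, then purge what is due.
CREATE PROCEDURE dbo.usp_ApplyStudentRetention
    @ArchiveAfterYears int = 2,  -- assumed: inactive for 2 years -> archive
    @PurgeAfterYears   int = 6,  -- assumed: 6 years after last activity -> delete
    @ErasureGraceDays  int = 30  -- assumed: soft-deleted rows purge after 30 days
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;           -- any error rolls the whole run back
    DECLARE @Now   datetime2(0) = SYSUTCDATETIME();
    DECLARE @Actor sysname       = SUSER_SNAME();
    DECLARE @Moved TABLE (StudentId int NOT NULL PRIMARY KEY);
    BEGIN TRANSACTION;
    -- 1. Rows leaving the live table: long inactive, or soft-deleted.
    INSERT INTO @Moved (StudentId)
    SELECT StudentId FROM dbo.Student
    WHERE DeletedAtUtc IS NOT NULL
       OR LastActiveUtc < DATEADD(year, -@ArchiveAfterYears, @Now);
    -- 2. Copy them to the archive with an explicit purge date, then remove them.
    INSERT INTO archive.Student
        (StudentId, FullName, Email, LastActiveUtc, ArchivedAtUtc, PurgeNotBeforeUtc)
    SELECT s.StudentId, s.FullName, s.Email, s.LastActiveUtc, @Now,
           CASE WHEN s.DeletedAtUtc IS NOT NULL
                THEN DATEADD(day, @ErasureGraceDays, @Now)
                ELSE DATEADD(year, @PurgeAfterYears, s.LastActiveUtc) END
    FROM dbo.Student AS s JOIN @Moved AS m ON m.StudentId = s.StudentId;
    DELETE s FROM dbo.Student AS s JOIN @Moved AS m ON m.StudentId = s.StudentId;
    INSERT INTO dbo.AuditEvent (Actor, Action, StudentId, Reason)
    SELECT @Actor, 'ARCHIVE', StudentId, N'Inactive beyond threshold or soft-deleted'
    FROM @Moved;
    -- 3. Hard delete archived rows whose purge date has passed.
    DELETE a
    OUTPUT @Actor, 'PURGE', deleted.StudentId, N'Retention period expired'
        INTO dbo.AuditEvent (Actor, Action, StudentId, Reason)
    FROM archive.Student AS a
    WHERE a.PurgeNotBeforeUtc <= @Now;
    COMMIT TRANSACTION;
END;
GO
-- Least privilege: the job login can run the routine but gets no direct
-- read or delete rights on the tables (ownership chaining covers the access).
CREATE ROLE retention_job;
GRANT EXECUTE ON dbo.usp_ApplyStudentRetention TO retention_job;
```

In practice usp_ApplyStudentRetention would run from a scheduled job under a login that holds only the retention_job role, so the routine is the single, auditable place where personal data leaves the system. The same @Moved set would drive the handling of linked records (documents, messages, logs), and, as the list above already notes, this routine does nothing about historic backups, which need their own retention period and documented destruction step.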
Technical measures that support compliance
Compliance is helped enormously by solid security fundamentals — because many GDPR incidents are effectively security incidents. Where useful, I’ll help articulate technical controls for DPIAs and policy documents.
Security foundations
- Role-based access control and least privilege
- Secure authentication (and MFA for admin users where appropriate)
- Encryption in transit (HTTPS/TLS) and sensible secrets management
- Defences against common web risks (SQL injection, XSS, CSRF)
Resilience & recoverability
- Backups and restore testing (availability is part of data protection)
- Monitoring and alerting for suspicious access patterns
- Change control and audit evidence for “what changed”
- Documented incident response steps (who does what)
Android & mobile data considerations
If personal data is visible on mobile devices, you’ll want clarity on what’s stored locally, how long it persists, and what happens when a device is lost or a staff member leaves.
On-device minimisation
- Minimise cached data and offline storage to what’s genuinely needed
- Secure storage for tokens/credentials (no secrets hard-coded in the app)
- Clear rules for offline mode and sync behaviour
Access & incident readiness
- Session timeouts and token revocation where appropriate
- Role-aware screens (avoid “everyone sees everything”)
- Audit trails for sensitive actions performed via mobile
Working with your legal or compliance advisers
I’m happy to work alongside your DPO, legal adviser or compliance consultant to implement GDPR-related changes in your bespoke systems, so the technology supports the policies rather than fighting against them. If you already have recommendations, I can translate them into practical features, scripts, and operational changes.
Discuss GDPR work on your system
If you’d like a pragmatic review of how your bespoke system handles personal data — or you need help implementing recommendations from your legal/compliance adviser — I can help.