GDPR in .NET Systems

GDPR is not just a legal requirement—it is an engineering specification for how personal data must be handled throughout its lifecycle. For .NET developers, GDPR demands that data models support deletion, APIs expose data subject rights, and workflows implement consent management and purpose limitation.

The gap between GDPR compliance and technical reality emerges in data architecture. Organizations check compliance boxes (privacy policies, cookie banners, consent forms) while systems fail to implement the engineering controls that actually enforce privacy. A deletion request arrives, but personal data persists across databases, logs, message queues, and caches because the system was never designed to support it.

Privacy as a First-Class Design Property

GDPR compliance requires rethinking how .NET systems manage personal data. Data models must separate personal information from operational data. APIs must expose data access and deletion endpoints. Logging must avoid capturing sensitive information. Retention policies must execute automatically, not manually.

ISO/IEC 27701 becomes essential—it translates GDPR obligations into systematic control requirements that developers can implement, test, and audit.

Nobody Runs Your Cleanup Script (And Regulators Know It)

“Storage is cheap” — until your data retention strategy becomes evidence in a GDPR lawsuit.

After 15+ years in enterprise software, I’ve seen this pattern in project after project: elaborate wiki documentation, a cleanup script nobody runs, and production databases growing exponentially with personal data that should have been deleted years ago. The compliance checkbox is marked, but the actual deletion never happens.

When regulators investigate, they don’t want your policy documents. They want execution logs proving deletion actually happened. Azure Storage lifecycle policies, Cosmos DB TTL, and scheduled Functions give you exactly that — automated retention that runs without human intervention, with full audit trails.
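The following is an added example, not code from the original post: a timer-triggered Azure Function (isolated worker model) that enforces a retention period with a set-based EF Core delete and writes one audit row per run, committed in the same transaction as the deletion so the evidence cannot exist without the purge having happened. The entity names, the DbContext, the three-year retention period and the policy label are assumptions made for the illustration.

```csharp
// Added example (not the post's own code): automated retention with an execution log.
// Assumes a hypothetical CustomerDbContext with Customers and RetentionRuns tables.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;

public sealed class Customer
{
    public Guid Id { get; set; }
    public string Email { get; set; } = "";
    public DateTimeOffset LastActivityAt { get; set; }
}

// One row per run: this table, not the wiki page, is what an auditor asks for.
public sealed class RetentionRunLog
{
    public Guid Id { get; set; }
    public string Policy { get; set; } = "";
    public DateTimeOffset StartedAt { get; set; }
    public DateTimeOffset FinishedAt { get; set; }
    public DateTimeOffset Cutoff { get; set; }
    public int RowsDeleted { get; set; }
}

public sealed class CustomerDbContext : DbContext
{
    public CustomerDbContext(DbContextOptions<CustomerDbContext> options) : base(options) { }
    public DbSet<Customer> Customers => Set<Customer>();
    public DbSet<RetentionRunLog> RetentionRuns => Set<RetentionRunLog>();
}

public sealed class RetentionFunction
{
    // Hypothetical policy: customers inactive for three years are deleted.
    private static readonly TimeSpan RetentionPeriod = TimeSpan.FromDays(3 * 365);
    private readonly CustomerDbContext _db;
    private readonly ILogger<RetentionFunction> _log;

    public RetentionFunction(CustomerDbContext db, ILogger<RetentionFunction> log)
    {
        _db = db;
        _log = log;
    }

    // Fires every night at 03:00 UTC; nobody has to remember to run it.
    [Function("PurgeInactiveCustomers")]
    public async Task Run([TimerTrigger("0 0 3 * * *")] TimerInfo timer)
    {
        var started = DateTimeOffset.UtcNow;
        var cutoff = started - RetentionPeriod;

        await using var tx = await _db.Database.BeginTransactionAsync();

        // Set-based delete (EF Core 7+): rows are removed in SQL, so the personal
        // data never passes through application memory or ends up in a log line.
        int deleted = await _db.Customers
            .Where(c => c.LastActivityAt < cutoff)
            .ExecuteDeleteAsync();

        _db.RetentionRuns.Add(new RetentionRunLog
        {
            Id = Guid.NewGuid(),
            Policy = "customers:inactive-3y",
            StartedAt = started,
            FinishedAt = DateTimeOffset.UtcNow,
            Cutoff = cutoff,
            RowsDeleted = deleted,
        });
        await _db.SaveChangesAsync();

        // Delete and audit row commit together or not at all.
        await tx.CommitAsync();

        // Log counts and timestamps only, never the identities that were removed.
        _log.LogInformation("Retention run deleted {Count} customers inactive since {Cutoff:O}",
            deleted, cutoff);
    }
}
```

The same pattern applies to the other stores the post names: for Cosmos DB, set `DefaultTimeToLive` on the container (or a per-item `ttl`) so expiry happens server-side, and for blobs use a Storage lifecycle management rule; in both cases keep a scheduled job like the one above whose only task is to record that the policy is in force and what it removed, because the TTL itself produces no execution log.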

Cookie Banners Won't Save You From ISO 27701

That boolean column you call “consent”? Regulators will laugh at it.

ISO 27701 demands granular, auditable, expiring consent, not cookie theater. Here’s the complete .NET implementation with Entity Framework Core, middleware validation, and Azure Functions that survives an audit.
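As an added example (not the article's own implementation), this is the shape such a consent design takes in .NET: an append-only consent table keyed by subject and purpose with a policy version and an expiry, a pure rule that decides whether the latest event is a still-valid grant, and an ASP.NET Core middleware that refuses requests to endpoints tagged with a purpose for which no valid consent exists. The entity, DbContext, attribute and middleware names, and the `sub` claim used to identify the subject, are assumptions.

```csharp
// Added example (not the article's code): granular, auditable, expiring consent
// instead of a boolean column. All type names here are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;

// Append-only: a withdrawal is a new row, never an UPDATE of the grant,
// so the history an auditor asks for is the table itself.
public sealed class ConsentRecord
{
    public Guid Id { get; set; }
    public Guid SubjectId { get; set; }
    public string Purpose { get; set; } = "";       // one row per purpose, e.g. "marketing-email"
    public string PolicyVersion { get; set; } = ""; // the text the subject actually saw
    public bool Granted { get; set; }               // false = withdrawal event
    public DateTimeOffset RecordedAt { get; set; }
    public DateTimeOffset? ExpiresAt { get; set; }  // consent is not forever
    public string Source { get; set; } = "";        // "web-form", "support-call", ...
}

public sealed class ConsentDbContext : DbContext
{
    public ConsentDbContext(DbContextOptions<ConsentDbContext> options) : base(options) { }
    public DbSet<ConsentRecord> Consents => Set<ConsentRecord>();
}

public static class ConsentRules
{
    // The most recent event for (subject, purpose) decides; it must be a grant
    // that has not expired. Pure function, so it is unit-testable offline.
    public static bool IsValid(IEnumerable<ConsentRecord> history, string purpose, DateTimeOffset now)
    {
        var latest = history
            .Where(r => r.Purpose == purpose)
            .OrderByDescending(r => r.RecordedAt)
            .FirstOrDefault();
        return latest is { Granted: true }
            && (latest.ExpiresAt is null || latest.ExpiresAt > now);
    }
}

// Put [RequiresConsent("marketing-email")] on an endpoint that processes data
// for that purpose; the middleware refuses the request when consent is missing.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class RequiresConsentAttribute : Attribute
{
    public string Purpose { get; }
    public RequiresConsentAttribute(string purpose) => Purpose = purpose;
}

public sealed class ConsentMiddleware
{
    private readonly RequestDelegate _next;
    public ConsentMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, ConsentDbContext db)
    {
        var required = context.GetEndpoint()?.Metadata.GetMetadata<RequiresConsentAttribute>();
        if (required is null)
        {
            await _next(context);   // endpoint declares no purpose; nothing to check
            return;
        }

        // Subject id from the authenticated principal; the claim name is an assumption.
        var subjectClaim = context.User.FindFirst("sub")?.Value;
        if (!Guid.TryParse(subjectClaim, out var subjectId))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        var history = await db.Consents
            .Where(r => r.SubjectId == subjectId && r.Purpose == required.Purpose)
            .ToListAsync();

        if (!ConsentRules.IsValid(history, required.Purpose, DateTimeOffset.UtcNow))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsync($"No valid consent for purpose '{required.Purpose}'.");
            return;
        }

        await _next(context);
    }
}
```

Register the middleware with `app.UseMiddleware<ConsentMiddleware>()` after `UseRouting()` and `UseAuthentication()` so that both the endpoint metadata and the principal are available when it runs. Because the rule is purpose-scoped and reads expiry from the record, a grant for one purpose never leaks into another, and a grant obtained under an older policy version is visible as such in the history rather than silently overwritten.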