The most expensive way to handle GDPR is retroactively: an audit finds problems, a lawyer writes an opinion, and developers rework a finished system. Privacy by design means making seven decisions at the start — most of them free.
Seven decisions before the first line
1. Minimisation: collect only fields you can justify with a purpose.
2. Retention: every table with personal data has a deadline and automatic deletion.
3. Access: roles and logs from day one, not “we'll add it later”.
4. Export: the right to portability means a button, not three days of manual work.
5. Anonymised test data: a production database on developers' laptops is a time bomb.
6. Encryption at rest and in transit.
7. Processing agreements with every third-party service, analytics included.
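Decisions 2, 4 and 5 are the ones that turn into code on day one. The following is an added example, not part of the original text or any client system: a retention register with one deadline per table, a purge job that deletes expired rows and logs what it removed, a per-subject portability export, and a pseudonymisation pass that makes a copy safe for developer laptops. The table names, retention periods and sample rows are constructed for illustration; the schema runs on SQLite from the standard library.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Retention register: every table holding personal data gets a deadline in days.
# Table names and periods are constructed for this example, not taken from a real system.
RETENTION_DAYS = {
    "contact_requests": 90,
    "newsletter_signups": 365,
}

# Fixed "current time" so the example is reproducible (constructed).
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def open_db() -> sqlite3.Connection:
    """Create an in-memory schema with two personal-data tables and a deletion log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact_requests (id INTEGER PRIMARY KEY, email TEXT, message TEXT, created_at TEXT)")
    conn.execute("CREATE TABLE newsletter_signups (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT)")
    # The log records what the retention job deleted and when; this is what an audit asks for.
    conn.execute("CREATE TABLE deletion_log (table_name TEXT, deleted_rows INTEGER, run_at TEXT)")
    return conn


def seed(conn: sqlite3.Connection, now: datetime) -> None:
    """Insert constructed sample rows: one within retention and one past it per table."""
    def stamp(days_ago: int) -> str:
        return (now - timedelta(days=days_ago)).isoformat()

    conn.executemany("INSERT INTO contact_requests (email, message, created_at) VALUES (?, ?, ?)", [
        ("ann@example.com", "please call me back", stamp(10)),
        ("bob@example.com", "old enquiry", stamp(100)),
    ])
    conn.executemany("INSERT INTO newsletter_signups (email, created_at) VALUES (?, ?)", [
        ("ann@example.com", stamp(30)),
        ("carl@example.com", stamp(400)),
    ])
    conn.commit()


def purge_expired(conn: sqlite3.Connection, now: datetime) -> dict:
    """Delete rows older than each table's deadline; return {table: rows deleted}."""
    deleted = {}
    for table, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        # Table names come from the fixed register above, never from user input, so
        # interpolating them is safe; the cutoff is still passed as a bound parameter.
        cur = conn.execute(f"DELETE FROM {table} WHERE created_at < ?", (cutoff,))
        conn.execute("INSERT INTO deletion_log VALUES (?, ?, ?)", (table, cur.rowcount, now.isoformat()))
        deleted[table] = cur.rowcount
    conn.commit()
    return deleted


def export_subject(conn: sqlite3.Connection, email: str) -> dict:
    """Portability export: every row about one data subject across all registered tables."""
    payload = {}
    for table in RETENTION_DAYS:
        cur = conn.execute(f"SELECT * FROM {table} WHERE email = ?", (email,))
        columns = [d[0] for d in cur.description]
        payload[table] = [dict(zip(columns, row)) for row in cur.fetchall()]
    return payload


def export_subject_json(conn: sqlite3.Connection, email: str) -> str:
    """The same export serialised as JSON, which is what the 'export button' hands to the user."""
    return json.dumps(export_subject(conn, email), indent=2)


def pseudonym(email: str) -> str:
    """Stable placeholder address: same input gives the same output, so joins still work in test data."""
    digest = hashlib.sha256(email.encode()).hexdigest()[:12]
    return f"user-{digest}@example.invalid"


def anonymise_for_test(conn: sqlite3.Connection) -> None:
    """Rewrite identifying fields in place, producing a copy safe for developer machines."""
    for table in RETENTION_DAYS:
        rows = conn.execute(f"SELECT id, email FROM {table}").fetchall()
        for row_id, email in rows:
            conn.execute(f"UPDATE {table} SET email = ? WHERE id = ?", (pseudonym(email), row_id))
    # Free-text fields cannot be pseudonymised reliably, so they are blanked outright.
    conn.execute("UPDATE contact_requests SET message = '[redacted]'")
    conn.commit()


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    seed(db, DEMO_NOW)
    print("purged:", purge_expired(db, DEMO_NOW))
    print(export_subject_json(db, "ann@example.com"))
    anonymise_for_test(db)
    print("after anonymisation:", export_subject_json(db, "ann@example.com"))
```

The point of the register is that adding a new table with personal data forces a retention decision: a table that is not in `RETENTION_DAYS` is never purged and never exported, which is exactly the gap a review will flag. The pseudonym is deterministic on purpose, so foreign-key relationships between tables survive in the test copy while the real address does not.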
What the business gets besides peace of mind
Paradoxically, faster development: a system with clear roles and retention is easier to test and extend. And a sales edge with corporate clients — their procurement sends GDPR questionnaires, and the vendor with ready answers wins tenders.
Our standard: a privacy checklist is part of every discovery phase, and GDPR documentation at handover is included in the price, not an extra invoice.