Eighteen months is an honest amount of time. Eighteen months after GDPR took effect, the initial rush is over — the cookie banners are up, the privacy policies have been signed off by the lawyers, the data-processing agreements are filed. What remains is your engineering team's phone calls: "our backup system doesn't delete people", "our CRM doesn't know the field 'consent withdrawn'", "our analytics provider sits in a US data centre".

Those calls aren't compliance problems. They are architecture problems. They can't be solved with a cookie-banner plug-in and a lawyer — only by building GDPR into the code: into the data model, into the pipelines, into the storage topology.

Six patterns that I have collected over the past few years in regulated data contexts. Each pattern with a key question and a GDPR-article anchor.

1. Data Minimization by Default

Key question: Which personal fields does your application actually collect, and which of them does it really need?

GDPR anchor: Art. 5(1)(c) ("data minimisation").

Data minimisation is the GDPR's default position, not the ideal one. Whoever collects more carries the burden of justification. Three filter levels: do we need the field? At this granularity? Even after the contract ends?

At a mid-market insurance company we reduced the onboarding form from 47 fields to 12. Form-completion rate rose from 41 % to 67 %. Privacy and conversion are not enemies here.

2. Consent as a First-Class Citizen

Key question: Do you store every consent with timestamp, version, and purpose — and can you retrieve it in an audit-proof way?

GDPR anchor: Art. 6(1)(a), Art. 7.

Consent is not a checkbox; it is a record. A dedicated consents table with user_id, purpose, granted_at, withdrawn_at, legal_text_version, and evidence. Without that granularity, a supervisory request cannot be answered honestly.

3. PII Zones

Key question: For every data field in your system, do you know which sensitivity zone it lives in?

GDPR anchor: Art. 25 ("Privacy by Design"), Art. 32 ("Security of processing").

Four zones with clear transition rules:

Public Product copy · press releases Internal anonymous metrics · aggregated logs Sensitive PII name · email · address · IP Restricted (Art. 9) health · biometric data religion · payment data explicit processing ↑ pseudonymisation aggregation ↓
Four PII zones with transition rules. Data can move downward only via pseudonymisation or aggregation to k ≥ N; upward movement is never automatic.

Every data field carries a zone tag. Pipelines inherit the highest zone tag among their inputs. Doing this cleanly avoids the most common audit finding: "you are processing Sensitive data in a pipeline designed for Internal data."

4. Right-to-Be-Forgotten Paths

Key question: Can you erase every trace of a person within thirty days — including backups, caches, and third-party syncs?

GDPR anchor: Art. 17 ("Right to erasure").

The naïve solution DELETE FROM users WHERE id = ? fails on backups, replicas, caches, analytics warehouses, and CRM syncs. The honest path addresses each layer individually — and idempotence is mandatory, because a forgotten replica may still surface 90 days later.

5. Audit Trail by Construction

Key question: For every processing of personal data, can you retroactively show actor, time, and legal basis?

GDPR anchor: Art. 5(2) ("accountability"), Art. 30.

Audit has to fall out of every write structurally. Event sourcing solves the problem as a side effect; CRUD stacks need a parallel domain_events model. Log the processing, not the data itself.

6. Cross-Border Discipline

Key question: For every external service in your supply chain, do you know which jurisdiction its servers sit in?

GDPR anchor: Chapter V (Art. 44-50).

It is not just about hosting providers. An embedded SDK, an NPM package with telemetry, a font from a US CDN — all of that is a data transfer. A service inventory with provider, processing_country, and legal_basis is the first honest step.

What you can take away today

Six patterns, no random order. They reinforce one another: Pattern 3 (zones) makes Pattern 6 (cross-border) honestly assessable; Pattern 4 (erasure) and Pattern 5 (audit) form a pair — without audit, no proof of deletion; without erasure, no complete audit picture.

Three rules of thumb from practice:

  • Data minimisation first. What you don't have, you don't have to protect, delete, or disclose.
  • Audit by construction, not as an appendix. A retrofitted audit trail isn't evidence.
  • Third countries are a single point of failure. A commercially convenient US dependency can topple your entire data-protection construct.

If you want to go deeper

The short book "GDPR by Architecture — Six Patterns for Clean Data Protection in Code" develops each pattern over its own chapter, with vignettes, code sketches, and GDPR-article anchors. Three diagrams carry the method visually. The book ends with a worked-through application of all six patterns to a typical onboarding form, plus a cheatsheet to pin on the wall. Around 90 pages, 90 minutes of reading. Published November 2019 as paperback and eBook via epubli.

About Anouk Schierl

Anouk Schierl is a security engineer focused on EU-sovereign architectures and DevSecOps practice in the mid-market. She has built identity platforms, established vulnerability-management workflows, and writes about the intersection of compliance requirements and real engineering practice. She lives in Munich.