Building Privacy by Design: What Every Developer Must Know About UK GDPR

As a developer building a project for a company, you are likely to be classified as a Data Processor whenever you handle personal data on the company's behalf (for example hosting, operating, migrating or supporting the system), while the company, which decides why and how that data is used, is the Data Controller. The classification turns on what you actually do with the data, not on your job title: a developer who only writes code and never touches live personal data is not processing it at all.

The rules you must follow are primarily set out in UK GDPR Articles 28 and 32, and they are almost always formalised in a Data Processing Agreement (DPA) with the Controller (the company); Article 28(3) in fact requires that the processing be governed by such a written contract.

Here are the key rules a developer (Data Processor) must follow under the UK GDPR:


1. Processing Only on Documented Instructions (Article 28(3)(a))

The most important rule is that you can only process personal data according to the documented instructions provided by the Data Controller.

You must follow the DPA, which defines the scope, purpose and duration of your processing activities. This means you cannot use the data for your own purposes, share it with others, or process it in a way the Controller has not explicitly agreed to. If you start deciding the purposes and means of processing yourself, you are treated as a Controller in respect of that processing (Article 28(10)), which carries significantly greater liability.

Any transfer of data outside the UK (for example, to a cloud server in another country) must also be done only on the Controller's documented instructions and with appropriate legal safeguards in place, such as UK adequacy regulations for the destination country or an International Data Transfer Agreement (IDTA) or Addendum.


2. Implementing Security Measures (Article 32)

As a developer, you have a direct legal obligation under Article 32 to implement appropriate technical and organisational measures to protect the data you process. "Appropriate" means proportionate to the risk to the individuals concerned, taking into account the state of the art, the cost of implementation and the nature and scope of the processing. This is the core of your technical responsibility.

Technical measures include:

  • Encrypting and pseudonymising personal data, both at rest and in transit. Pseudonymisation means replacing direct identifiers with a token that can only be linked back to the individual using additional information (typically a key or lookup table) kept separately under its own access controls; pseudonymised data is still personal data.
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of your systems, for example with network segmentation, firewalls, intrusion detection and centralised logging.
  • Being able to restore access to personal data promptly after a physical or technical incident, which means tested backups and a rehearsed disaster recovery plan, not just backups that exist.
  • Regularly testing, assessing and evaluating the effectiveness of these measures, for example with penetration tests, vulnerability scans and restore drills.

Organisational measures include:

  • Ensuring all personnel authorised to process the data are bound by a duty of confidentiality, typically through employment contracts.
  • Implementing strict access control measures such as Role-Based Access Control (RBAC), allowing only necessary personnel to access the data.
  • Providing proper training to staff on data protection and security.
  • Embedding privacy by design and default into your systems so that only the minimum amount of personal data necessary for the Controller’s purpose is processed.

3. Assisting the Controller (Article 28(3)(e), (f))

You must assist the Controller in meeting their UK GDPR obligations, especially in the following areas:

  • Data Subject Requests: Help the Controller respond to requests from individuals exercising their GDPR rights, such as the rights of access, rectification, erasure and data portability. This means developing features that allow the Controller to easily retrieve, correct, export or remove a user's personal data, and that the deletion also reaches backups, caches and logs within the agreed retention periods.
  • Security and DPIAs: Support the Controller in maintaining data security, reporting breaches, and performing Data Protection Impact Assessments (DPIAs) when necessary for the project.
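The pseudonymisation measure from section 2 and the data subject request features from section 3 are two sides of the same design, so here is one worked example covering both. It is added for this article and is not code from the original page or from any product; the class and function names (IdentityVault, WorkingDataset, handle_subject_request) and all records are constructed for the illustration. Direct identifiers are replaced by a keyed HMAC token in the working dataset, while the key and the token-to-identifier map live in a separate vault, which is also what lets you answer access, rectification and erasure requests.

```python
"""Keyed pseudonymisation with a separate identity vault (added example,
not from the original article). Direct identifiers (emails) are replaced in
the working dataset by a keyed HMAC token; the key and the token-to-email
map live in a separate vault with its own access controls. The same vault
is what lets the processor answer access, rectification and erasure
requests. All names and records are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def pseudonymise(key: bytes, identifier: str) -> str:
    """Deterministic token for an identifier. HMAC-SHA256 under a secret key,
    not a plain hash: same email -> same token (records still join), but
    without the key nobody can hash common addresses and match them."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class IdentityVault:
    """Key plus token -> identifier map. Deploy it in a separate store with
    stricter RBAC so the working dataset on its own identifies no one."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._tokens: Dict[str, str] = {}

    def register(self, email: str) -> str:
        token = pseudonymise(self.key, email)
        self._tokens[token] = email.strip().lower()
        return token

    def lookup(self, email: str) -> Optional[str]:
        """Token for a known subject, or None if nothing is held on them."""
        token = pseudonymise(self.key, email)
        return token if token in self._tokens else None

    def forget(self, token: str) -> None:
        """Sever the link; the orphaned token can no longer be re-identified."""
        self._tokens.pop(token, None)


class WorkingDataset:
    """Application records: each carries only the subject's token."""

    def __init__(self) -> None:
        self.records: List[Dict[str, object]] = []

    def add(self, token: str, **fields: object) -> None:
        self.records.append({"subject": token, **fields})

    def export(self, token: str) -> List[Dict[str, object]]:
        return [dict(r) for r in self.records if r["subject"] == token]

    def rectify(self, token: str, **changes: object) -> int:
        hits = [r for r in self.records if r["subject"] == token]
        for record in hits:
            record.update(changes)
        return len(hits)

    def erase(self, token: str) -> int:
        before = len(self.records)
        self.records = [r for r in self.records if r["subject"] != token]
        return before - len(self.records)


def handle_subject_request(vault: IdentityVault, dataset: WorkingDataset,
                           email: str, action: str, **changes: object):
    """Route an access / rectify / erase request through the vault.
    Returns None for an unknown subject, the records for "access", and the
    number of affected records otherwise. Erasure also drops the vault entry
    so a token left in a backup or log can no longer be linked to a person."""
    token = vault.lookup(email)
    if token is None:
        return None
    if action == "access":
        return dataset.export(token)
    if action == "rectify":
        return dataset.rectify(token, **changes)
    if action == "erase":
        removed = dataset.erase(token)
        vault.forget(token)
        return removed
    raise ValueError(f"unknown action: {action}")


def demo() -> Dict[str, object]:
    """Full lifecycle on constructed data; returns a summary for checking."""
    vault, data = IdentityVault(), WorkingDataset()
    alice = vault.register("Alice@Example.org")  # normalised on registration
    bob = vault.register("bob@example.org")
    data.add(alice, order="A-1001", total=42.0)
    data.add(alice, order="A-1002", total=19.5)
    data.add(bob, order="B-2001", total=7.25)
    accessed = handle_subject_request(vault, data, "alice@example.org", "access")
    fixed = handle_subject_request(vault, data, "alice@example.org", "rectify", total=0.0)
    erased = handle_subject_request(vault, data, "alice@example.org", "erase")
    return {"accessed": len(accessed), "rectified": fixed, "erased": erased,
            "alice_known_after": vault.lookup("alice@example.org") is not None,
            "remaining": len(data.records)}
```

Two design points matter in practice. First, the HMAC key is the "additional information" that Article 4(5) says must be kept separately, so in a real deployment it belongs in a KMS or HSM and the vault in a different database with tighter RBAC than the application; losing the key to the same attacker who takes the dataset collapses the pseudonymisation. Second, erasure removes the vault entry as well as the records, so any token that survives in a backup or log is no longer linkable to a person, which is what lets you honour an erasure request without rewriting every archive immediately.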

4. Data Breach Notification (Article 33(2))

If you become aware of a personal data breach, you must notify the Controller without undue delay (Article 33(2)).

This is crucial because the Controller has only 72 hours from becoming aware of the breach to report it to the Information Commissioner's Office (ICO), unless the breach is unlikely to result in a risk to individuals, and it cannot begin that assessment until you tell it. Your DPA may set a shorter window, often 24 hours, and will usually require you to pass on what you know (the nature of the breach, the categories and approximate numbers of individuals and records affected, the likely consequences and the measures taken), even if the details have to follow in phases.


5. Handling Sub-Processors (Article 28(2) & (4))

If you use another service provider (a sub-processor) to handle part of the data processing—such as a cloud host or analytics provider—you must:

  1. Obtain the Controller's prior written authorisation, either specific (per sub-processor) or general; under a general authorisation you must still inform the Controller of any intended addition or replacement so that it can object.
  2. Impose the same data protection obligations on the sub-processor, by contract, that exist in your agreement with the Controller.
  3. Remain fully liable to the Controller if the sub-processor fails to meet its obligations.

Note on Liability

If you process data beyond the Controller's documented instructions, determining the purposes and means yourself, you are treated as a Controller in respect of that processing (Article 28(10)) and take on the full Controller obligations and liability. Even as a processor you are already directly exposed: the ICO can fine you for breaching the processor-specific obligations in Articles 28 to 36 (Article 83), and individuals can claim compensation from you where you have breached those obligations or acted outside the Controller's lawful instructions (Article 82).


Developer GDPR Checklist

To stay compliant, every developer should:

  • Process data only as instructed by the Controller, and keep a record of the processing you carry out on its behalf (Article 30(2)).
  • Use encryption for data at rest and in transit, and pseudonymise identifiers where the purpose allows it.
  • Maintain detailed audit logs of access and data changes.
  • Apply strict access controls using RBAC, so only the people who need the data can reach it.
  • Conduct regular vulnerability scanning and penetration testing, and test that backups actually restore.
  • Notify the Controller without undue delay, and within any shorter window your DPA sets, if you become aware of a breach.
  • Obtain written approval before engaging any sub-processor, and flow the same obligations down to it.
  • Build privacy-friendly features such as export, rectification and deletion tools, and consent or preference management where the Controller relies on consent.
  • Support data subject rights through system functionality rather than manual database work.
  • Incorporate privacy by design and default, including data minimisation and retention limits, at every stage of development.

Summary:
As a Data Processor, your job is to carry out the Controller’s instructions safely, securely, and lawfully. That means protecting user data through strong technical and organisational controls.

Privacy is not an afterthought—it’s part of your code.

