General Data Protection Regulation is meant to provide protection of people with regard to personal data. For large organizations meeting GPRD requirements, even in the scope of notifying clients and providing them with or moving their data, is not trivial.
We have encountered two challenges. First, rapid requirement changes as no one knew how to implement GPRD regulations (during implementation time regulations were fluid as they were subject of emerging country-level legislation and legal interpretations) and no approved codes of conduct had been established. Second, very strict security requirements, because the system is a public entry point to all kind of personal data that flows through large scale organization.
We provided a custom solution capable of integration with many different data sources and services. Implementation was based on modern JVM stack with Kotlin, Spring and Hibernate. After just 3 months, the core system was running and clients were able to move or get their personal data on email.
Application security was achieved thanks to: encryption, limiting library dependencies, heavy sandboxing, deployed java security, network zones with limited connection initiation permissions, proxy servers.