Bridging the Gap: GDPR in Legal vs. Technical Due Diligence

Bridging the Gap: GDPR in Legal vs. Technical Due Diligence

Bridging the Gap: GDPR in Legal vs. Technical Due Diligence

In our recent Tech Due Diligence project for an investor, we had a discussion with the involved law firm about how to divide the assessment of GDPR related questions among the legal and us as the technical experts.  

When conducting legal/compliance due diligence and technical due diligence for GDPR, the focus differs, but they are deeply interconnected. The legal/compliance concerns imply the technical due diligence questions:

1. Data Processing & Legal Basis

Legal Focus:

  • What is the legal basis for processing personal data? (Consent, contractual necessity, legitimate interest, legal obligation)

  • Are Data Processing Agreements (DPAs) in place with subprocessors?

  • Are Standard Contractual Clauses (SCCs) used for international data transfers?

Implied Technical Questions:

  • How is user consent tracked and stored in the system?

  • How does the system ensure that data is only processed for its stated purpose?

  • Can the system automatically restrict processing when required?

2. Data Subject Rights & User Control

Legal Focus:

  • Can users exercise their GDPR rights (access, rectification, deletion, restriction, portability, objection)?

  • What is the internal process for handling Data Subject Access Requests (DSARs)?

Implied Technical Questions:

  • Does the system allow exporting user data in a structured, machine- and human readable format?

  • How does the company automate deletion requests? (Hard delete vs. anonymization)

  • How long does it take to process a DSAR request, and is it scalable?

3. Data Storage, Retention & Deletion

Legal Focus:

  • What are the data retention policies, and are they enforced?

  • Does the company delete personal data after the legal retention period?

Implied Technical Questions:

  • How does the system enforce data retention policies across different databases and backups?

  • Is there an automated data deletion process, or is it manual?

  • How does the system prevent accidental or unauthorized data retention or deletion?

4. Security & Data Breach Management

Legal Focus:

  • Are security measures in place to protect personal data? 

  • What is the company’s data breach response plan, and how quickly can it notify regulators?

Implied Technical Questions:

  • What security measures are in place to protect personal data? (Encryption, access control, logging)

  • Is personal data encrypted at rest and in transit?

  • How does the system detect and log unauthorized access or suspicious activities?

  • What is the incident response automation for detecting, containing, and reporting a breach?

5. Third-Party & Subprocessor Management

Legal Focus:

  • Does the company use third-party vendors or subprocessors, and are they GDPR-compliant?

  • Are Data Processing Agreements (DPAs) in place with vendors?

Implied Technical Questions:

  • How does the system track data flows to third-party providers?

  • Can the system automatically revoke access to subprocessors if needed?

  • What mechanisms exist to ensure third-party integrations do not expose personal data?

In short, legal due diligence ensures compliance with GDPR principles and policies, while technical due diligence verifies if these policies are actually implemented in software, infrastructure, and operations.

Here is how these GDPR related technical questions are woven in the assessment of Due Dive’s  Big 5 KPIs 1) Technical Value, 2) Technical Debts, 3) Team Competence, 4) Scalability, and 4) Team productivity and speed:

GDPR-related tech due diligence questions for a SaaS company's:

1./2. Technical value and depth

  • How is personal data stored, encrypted, and protected (both at rest and in transit)?

  • What access control measures are in place to prevent unauthorized access to personal data?

  • Are data anonymization or pseudonymization techniques used?

  • How is data minimization implemented in the system?

  • How does the system handle data portability requests? (Providing users with their data in a structured format)

  • Is the SaaS platform capable of automating GDPR compliance processes (e.g., consent management, DSAR handling)?

  • What logging and monitoring systems are in place for tracking access to personal data?

3. Technical Competences in the Team

  • Does the team have GDPR compliance training?

  • Is there a dedicated privacy/security expert involved in development decisions?

  • How does the team ensure that third-party integrations comply with GDPR?

  • What expertise does the team have in secure coding practices to prevent data leaks or breaches?

  • Are there internal audits or external GDPR compliance reviews performed on technical processes?

4. Scalability 

A company's scalability from a GDPR perspective should consider how increasing data volume, users, and system complexity impact compliance, security, and data protection. We distinguish 4a) Development Scalability, 4b) Performance Scalability, and 4c) Customer Scalability:

4a) Development Scalability, i.e., the ability to further develop the codebase and infrastructure, while maintaining the compliance with GDPR:

  • How does the company ensure that GDPR principles (Privacy by Design & Default) are maintained as the system evolves?

  • Are automated tools in place for GDPR compliance checks in CI/CD pipelines? (e.g., detecting personal data exposure in logs)

  • How is personal data handled when scaling databases (e.g., sharding, replication, multi-region setups)?

  • How does the system ensure consistent GDPR compliance when deploying new features across different environments?

  • Are data protection impact assessments (DPIAs) conducted when scaling to new features or markets?

  • How are third-party services (e.g., cloud providers, AI tools) reviewed for GDPR compliance as the system grows?

4b) Performance Scalability, i.e., the ability to hande increased data volume while maintaining GDPR compliance:

  • How does the company ensure efficient encryption at scale without performance trade-offs?

  • How are data retention policies enforced when processing large datasets?

  • How does the system handle and delete user data in a scalable way (batch processing, automation, etc.)?

  • How is real-time monitoring implemented to track unauthorized access or compliance violations at scale?

  • Does performance scaling introduce any risks of storing unnecessary personal data?

4c) Customer Scalability, i.e., more users, geographic expansion, while maintaining and GDPR compliance:

  • How does the company manage consent tracking at scale across different jurisdictions (e.g., EU vs. non-EU users)?

  • If expanding to new regions, how does the company ensure GDPR-compliant cross-border data transfers?

  • Can the system efficiently handle bulk data subject requests (DSARs) as the customer base grows?

  • How does the system prevent unauthorized access or data leakage when onboarding large numbers of enterprise customers?

  • Are there scalable tools for automating GDPR compliance reports for regulators or enterprise clients?

5. Productivity and Speed

Development, Maintenance, and Operations (Drift) Processes

  • How are GDPR principles integrated into the software development lifecycle (Privacy by Design & Default)?

  • Are Data Protection Impact Assessments (DPIAs) conducted for new features?

  • How is personal data handled in development and testing environments? (Is production data used in non-production environments?)

  • What procedures exist for patching vulnerabilities related to personal data security?

  • What is the process for handling a data breach? (Detection, reporting to authorities within 72 hours, notifying affected users)

  • How is compliance with data retention policies enforced in the system?