You're building a feature that collects and stores users' personal data. What does GDPR require you to think about as the engineer, beyond just 'we have a privacy policy'?

technical-conceptual · Junior level · cloud-devops-security

What the interviewer is really asking

Assesses whether the candidate can translate GDPR principles into concrete engineering decisions — data minimization, purpose limitation, supporting data-subject rights, and privacy by design — rather than treating compliance as a legal-team document.

What to say

What to avoid

Example answers

Strong: Beyond the privacy policy, GDPR pushes real engineering decisions. Data minimization means I only store the fields the feature needs — if we don't need a date of birth, we don't collect it. I'd design so we can honor data-subject rights: locate, export, and delete one user's data on request, including the right to erasure, which means thinking about where copies land in logs and backups. And I'd default to privacy by design: encrypt the personal fields, lock down access, and set a retention window so data doesn't live forever.

Weak: GDPR is mostly a legal thing, so the privacy team handles it. On the engineering side I'd just store whatever user data we collect normally and add a checkbox for the privacy policy. If someone wants their data deleted we can run a query and remove it when that comes up.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.