
Your Website is a Legal Ticking Time Bomb (If You Lack Data Engineering)

José Javier Sanahuja - Digital Partner

Making a beautiful website is easy. Anyone can put up three photos and some text. But what happens to the data that website swallows every day? Names, IPs, emails, sessions, carts…


Most SME websites are data graveyards (or digital Diogenes syndrome): they accumulate information eternally because no one programmed its cleanup. And that, my friend, is not just dirty. It is illegal.


1. The Right to be Forgotten: Engineering vs. Bureaucracy

The “Manual Delete” Problem


Imagine a client asks to exercise their Right to be Forgotten (GDPR). You have 30 days.


The Amateur Method (The Chaos): You search for their email in your database and delete a row. Then you search the marketing Excel file. Then the server logs… and you miss half of it because you are human and humans fail. Result: The data is still alive in a hidden copy and you get fined.


The SanahujaDev Method (Engineering): We create Destruction Endpoints (/api/forget-user). When the protocol is activated, the system scans all tables, logs, backups, and caches, and pulverizes the data linked to that ID. No human intervention. No errors. No traces.

Cascading data deletion diagram

2. Data with Expiration Date (The Concept of Self-Destruction)

Here we apply the concept of Programmed Expiration (TTL - Time To Live). It’s not about “clearing cache”, it’s about designing your data to self-destruct when it is no longer needed.

  • Session Cleanup

    Access tokens for users who haven’t logged in for months? They delete themselves. Less weight, less risk of hacking dormant accounts.

  • Logs and Temps

    Technical activity records (logs) are programmed to disappear after 30 days. Your server doesn’t fill up with “digital trash”. Automatic hygiene.

  • Native GDPR Compliance

    The ‘Data Retention Limitation’ principle is not met by deleting manually when you remember. It is met by programming the death of the datum from the moment it is born.
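A sketch of the two mechanisms described above, the erasure routine behind an endpoint such as /api/forget-user and the scheduled TTL purge, as an added example that is not SanahujaDev's own code. The schema, table names and function names are hypothetical, the rows are constructed sample data, and it covers a single database only (backups and caches would need their own erasure step).

```python
import sqlite3
DAY = 86400
LOG_TTL = 30 * DAY  # the 30-day log lifetime described above
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE sessions (token TEXT PRIMARY KEY, expires_at INTEGER NOT NULL,
  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE carts (id INTEGER PRIMARY KEY, item TEXT,
  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
-- Logs have no foreign key, so a cascade from users never reaches them.
CREATE TABLE logs (id INTEGER PRIMARY KEY, user_id INTEGER,
  ip TEXT, created_at INTEGER NOT NULL);
"""
USER_REFS = (("users", "id"), ("sessions", "user_id"),
             ("carts", "user_id"), ("logs", "user_id"))

def open_db(now):
    """In-memory database with constructed sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite skips cascades without this
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [(1, "ana@example.test"), (2, "luis@example.test")])
        conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)",
                         [("tok-a", now + DAY, 1), ("tok-b", now - DAY, 2)])
        conn.execute("INSERT INTO carts VALUES (1, 'book', 1)")
        conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?)", [
            (1, 1, "192.0.2.10", now - DAY), (2, 2, "192.0.2.20", now - 45 * DAY)])
    return conn

def rows_for(conn, user_id):
    """Count rows that still reference user_id in any known table."""
    return sum(conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {c} = ?",
                            (user_id,)).fetchone()[0] for t, c in USER_REFS)

def forget_user(conn, user_id):
    """Erase one user in a single transaction; return leftover rows (expect 0)."""
    with conn:
        conn.execute("DELETE FROM logs WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))  # cascades
    return rows_for(conn, user_id)

def purge_expired(conn, now):
    """Scheduled TTL job; returns (sessions_deleted, logs_deleted)."""
    with conn:
        sess = conn.execute("DELETE FROM sessions WHERE expires_at <= ?", (now,))
        logs = conn.execute("DELETE FROM logs WHERE created_at < ?", (now - LOG_TTL,))
    return sess.rowcount, logs.rowcount
```

Returning the leftover count from `forget_user` gives the endpoint something to verify and record as evidence that the erasure request was completed.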

3. The Invisible Architecture

🍪 Cookies: Real Block

We don’t use a “cover-up” banner to look legal. We use Consent Mode V2 at the code level. If the user says “No”, the tracking script doesn’t even load. Zero data transfer. Real privacy.

🛡️ Armored DB

Databases out of public reach. No open ports. Only your application (backend) can speak to the data.

⚡ Performance

A self-cleaning database (TTL) is a light and fast database. WPO and Legality go hand in hand.

Stop Accumulating Debt (and Risk)


Having a website that doesn’t know how to manage its data is like having a restaurant that never cleans the kitchen: sooner or later the inspection arrives or someone gets poisoned. Do you want a website that manages itself, complies with the law by design, and flies?