Our code review checklist looks like this:
Have GDPR annotations been added for all fields? (all fields that are stored persistently count)
Do interactions with the user happen that should be recorded as events?
Is data collected for later use (logging doesn’t count, anything in a database does)? Are there reports or some other way to find this data?
Are there no unencrypted credentials in any files?
Are there notable changes that should be recorded in an ADR?
(I replaced the links with public alternatives)
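The "no unencrypted credentials in any files" item is the one on this list that can be partly automated, so a reviewer only has to judge the hits instead of reading every file. The scanner below is an added example, not part of the original post or its authors' tooling. It assumes a small illustrative rule set (AWS access key IDs, PEM private key headers, `password`/`secret`/`api_key`/`token` assignments, and `scheme://user:password@host` URLs) plus a placeholder rule so that environment-variable references and obvious dummies are not reported; the sample files are constructed for the example, and `AKIAIOSFODNN7EXAMPLE` is the access key ID from AWS's own documentation, not a real key.

```python
import math
import re
from collections import Counter

# Credential shapes that commonly get committed by mistake. This rule set is an
# illustrative assumption, not a complete secret-detection engine; extend it for
# the key formats your codebase actually uses.
PATTERNS = {
    # AWS access key IDs have a fixed prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM-encoded private key material.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # password = "...", api_key: '...', TOKEN=... in code, YAML and .env files.
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*"
        r"['\"]?(?P<value>[^'\"\s]{8,})['\"]?"
    ),
    # scheme://user:password@host embeds the password in a connection URL.
    "basic_auth_url": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^/\s@]+)@"
    ),
}

# Values that look like a credential but are a reference or a placeholder
# (assumed conventions: ${ENV_VAR}, $ENV_VAR, <fill-me-in>, changeme, xxx, ***).
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|changeme|x{3,}|\*+)$", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per (line, rule) that looks like a plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.groupdict().get("value")  # None for rules without a value
            if value is not None and PLACEHOLDER.match(value):
                continue  # env-var reference or obvious dummy, not a secret
            findings.append({
                "path": path,
                "line": lineno,
                "rule": rule,
                # Entropy helps a reviewer triage: low values are often weak
                # or fake passwords, high values look like real generated keys.
                "entropy": round(shannon_entropy(value), 2) if value else None,
                "snippet": line.strip(),
            })
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} map; on disk you would read each file."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files for the example; none of this is real configuration.
SAMPLE_FILES = {
    "config/settings.py": (
        "DATABASE_URL = 'postgres://app:${DB_PASSWORD}@db.internal/app'\n"  # env ref: fine
        "SMTP_PASSWORD = 'hunter2hunter2'\n"  # committed secret: should be reported
    ),
    ".env.example": "API_KEY=<your-api-key-here>\n",  # placeholder: fine
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS doc example ID
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set SECRET_KEY to a random value; never commit it.\n",  # prose: fine
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']} [{finding['rule']}] "
              f"entropy={finding['entropy']} {finding['snippet']}")
```

Run against the sample map it reports the SMTP password, the AWS key ID and the private key header, and stays quiet on the `${DB_PASSWORD}` reference, the `<your-api-key-here>` placeholder and the README prose. The rule set is deliberately narrow; a real check should also cover the credential formats your services actually issue and run in CI so the review question can be answered from the tool's output rather than by eye.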