GDPR compliance — what GateTest actually catches
General Data Protection Regulation
Regulators in 2025-26 have moved past warning letters — Meta, TikTok, and Amazon have each been fined nine figures. The fastest way to fail a GDPR review is logging request bodies that contain personal data, or hardcoding credentials in a public repo. Both are code-level findings, not policy ones.
The regime
General Data Protection Regulation — European Union (plus UK GDPR mirror in the United Kingdom). Effective since May 2018.
Maximum penalty: Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(5) GDPR).
Reference text: https://gdpr-info.eu/ (an unofficial consolidated copy; the official text is Regulation (EU) 2016/679 on EUR-Lex, https://eur-lex.europa.eu/eli/reg/2016/679/oj).
Technical findings GateTest catches for GDPR
Each item ties a specific code-level pattern to a clause or principle of GDPR. These are the findings auditors sample.
- Personal data (req.body, req.user, headers, cookies) logged in plaintext via console.log / logger.info — violates Art. 5(1)(f) integrity-and-confidentiality.
- Hardcoded database credentials or API keys in committed source — Art. 32 security-of-processing failure.
- Database migrations that drop or truncate columns holding personal data with no retention schedule referenced in the migration or its commit — Art. 5(1)(e) storage limitation presupposes a defined retention period, and Art. 5(2) accountability requires you to be able to show it.
- Missing TLS validation (rejectUnauthorized: false, verify=False) on calls that move personal data between services — Art. 32(1)(a).
- Cookies set without httpOnly / Secure / SameSite on endpoints handling identifiers — Art. 32 (the ePrivacy Directive governs consent for setting the cookie at all; the attributes are a security-of-processing matter).
- Credentials committed more than 90 days ago and never rotated — every past contributor and every clone of the repository still holds them — Art. 32 risk-based-controls failure.
- PII included in error messages or stack traces returned to the client — Art. 5(1)(f).
- CORS that allows any origin together with Access-Control-Allow-Credentials: true on endpoints exposing user data — Art. 32. Browsers refuse the literal Access-Control-Allow-Origin: * when credentials are allowed, so the exploitable form is a header that reflects the request's Origin; both are flagged.
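The patterns above are simple enough that the shape of the check is worth seeing. What follows is an added example, written for this page and not GateTest's own code: a line-oriented detector for five of the listed patterns, run over a constructed Express-style source file. The rule identifiers, the article mapping, the regular expressions and the sample file are this example's own assumptions; the AWS key in the sample is the key AWS uses in its own documentation, not a live credential.

```javascript
// Added example (not GateTest's code): a minimal detector for five GDPR-relevant
// code patterns. Rule ids, article mapping and the sample file are constructed.

const RULES = [
  {
    id: 'pii-in-log',
    article: 'Art. 5(1)(f)',
    // A console.log / logger.<level> call whose arguments reach into the parts
    // of the request object that carry personal data.
    test: (line) =>
      /\b(?:console\.log|logger\.(?:info|debug|warn|error))\s*\([^)]*\breq\.(?:body|user|headers|cookies)\b/.test(line),
  },
  {
    id: 'hardcoded-secret',
    article: 'Art. 32',
    // An AWS access key ID, or password/apiKey/secret assigned a string literal.
    test: (line) =>
      /\bAKIA[0-9A-Z]{16}\b/.test(line) ||
      /(?:password|api_?key|secret)\s*[:=]\s*["'][^"']{8,}["']/i.test(line),
  },
  {
    id: 'tls-verification-disabled',
    article: 'Art. 32(1)(a)',
    test: (line) =>
      /rejectUnauthorized\s*:\s*false/.test(line) ||
      /\bverify\s*=\s*False\b/.test(line) ||
      /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0/.test(line),
  },
  {
    id: 'insecure-cookie',
    article: 'Art. 32',
    // A res.cookie() call whose options lack any of httpOnly, secure, sameSite.
    test: (line) =>
      /\bres\.cookie\s*\(/.test(line) &&
      !(/httpOnly\s*:\s*true/.test(line) && /secure\s*:\s*true/.test(line) && /sameSite\s*:/.test(line)),
  },
];

// Credentialed CORS needs file-level correlation: Allow-Credentials and
// Allow-Origin are usually set on different lines. Browsers reject a literal "*"
// once credentials are allowed, so a reflected req.headers.origin (or the cors
// middleware's `origin: true`, which reflects) is the exploitable form; both are flagged.
function corsFindings(lines) {
  const credentialed = lines.some((l) =>
    /Access-Control-Allow-Credentials['"]?\s*,\s*['"]true['"]/.test(l) || /\bcredentials\s*:\s*true\b/.test(l));
  if (!credentialed) return [];
  const findings = [];
  lines.forEach((line, i) => {
    const wildcard = /Access-Control-Allow-Origin['"]?\s*,\s*['"]\*['"]/.test(line) || /\borigin\s*:\s*(?:true|['"]\*['"])/.test(line);
    const reflected = /Access-Control-Allow-Origin['"]?\s*,\s*req\.headers\.origin/.test(line);
    if (wildcard || reflected) {
      findings.push({ id: 'credentialed-cors-any-origin', article: 'Art. 32', line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// Returns findings sorted by line: { id, article, line, text }.
function scanSource(source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ id: rule.id, article: rule.article, line: i + 1, text: line.trim() });
    }
  });
  return findings.concat(corsFindings(lines)).sort((a, b) => a.line - b.line);
}

// Constructed sample: each pattern once, plus hardened lines that must not be flagged.
const SAMPLE = `const https = require('https');
const DB_PASSWORD = "hunter2hunter2";               // hardcoded-secret
const awsKey = "AKIAIOSFODNN7EXAMPLE";             // hardcoded-secret (AWS documentation example key)
const agent = new https.Agent({ rejectUnauthorized: false });   // tls-verification-disabled
app.post('/signup', (req, res) => {
  console.log('signup', req.body);                  // pii-in-log
  logger.info({ userId: req.user.id });             // pii-in-log
  logger.info('signup ok');                         // safe
  res.cookie('sid', sid, { httpOnly: true });       // insecure-cookie (no secure/sameSite)
  res.cookie('csrf', tok, { httpOnly: true, secure: true, sameSite: 'strict' }); // safe
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);   // credentialed-cors-any-origin
});`;

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}: ${f.id} (${f.article}) ${f.text}`);
}
```

Running it against the sample yields seven findings on lines 2, 3, 4, 6, 7, 9 and 12; the two hardened lines stay silent, and a wildcard origin in a file that never allows credentials is not reported, because that combination is not exploitable. The deliberate weakness of a line-oriented check is also visible: a cookie options object spread over several lines, or a secret built by concatenation, slips past it, which is why the findings list above is described as what auditors sample rather than as a proof of compliance.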
Out of scope — what you still need humans for
GateTest is a code scanner. GDPR compliance is a programme, not a tool. These items will never be answerable from source code alone.
- Appointing a Data Protection Officer (Art. 37) — that is an organisational requirement.
- Drafting your Record of Processing Activities (Art. 30) — needs human review of business processes.
- Data Protection Impact Assessments (Art. 35) — requires risk reasoning a scanner cannot perform.
- Vendor / sub-processor contracts and Standard Contractual Clauses — legal documents, not code.
- Responding to Subject Access Requests (Art. 15) within one month, extendable by two further months for complex or numerous requests (Art. 12(3)) — operational, not code-level.
How GateTest fits a compliance programme
GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, weak TLS, PII in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.
Try a $29 Quick scan on your repo
See the GDPR-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.
Start a scan →