Protección de datos

Data Protection: Ensuring Compliance in Production Data Environments

The Data Protection Law was established to give citizens greater control over their personal data. However, understanding how to comply with the Data Protection Law and taking the necessary steps can be a hassle for companies.

This is especially true in more complex data processing contexts, such as in production data environments.

We'll tell you everything you need to know about complying with the Data Protection Law in the context of software production.

How Does the Data Protection Law Affect Databases?

The Data Protection Law (General Data Protection Regulation or GDPR) came into effect on May 25, 2018, providing a unified legal framework for the protection of personal data across Europe.

From the citizens' perspective, it aimed to enhance the security of their personal data.

Thus, since its enactment, the law requires companies dealing with personal data of European Union citizens to comply with a series of requirements outlined in the regulation.

Right to Erasure

Data Protection focuses on a key concept: the right to erasure. It is defined as the right to "delete, hide, and cancel past information or events from people's lives."

In practice, the right to erasure allows citizens to require companies to remove records with personal data or leave no trace on the web (in the latter case, when applied to search engines like Google, it's referred to as the "right to be forgotten").

The Data Protection Law also specifies the circumstances and situations under which this right is protected, including when:

a) Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and there is no other legal ground for the processing;

c) The data subject objects to the processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) The personal data have been unlawfully processed;

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Data Lifecycle

The concept of a data lifecycle arises because, according to the Data Protection Law, companies are allowed to retain data only for the duration specified in the previous section.

Thus, once the commercial relationship ends or the citizen withdraws their consent, access to the data must be blocked. After the blocking period, the data must be completely deleted. This process is known as the lifecycle management of each person's data structure (or seed).


The Data Protection regulation established a series of sanctions to ensure compliance with the law: the fine can reach up to 4% of the global annual turnover or 20 million euros (whichever is greater).

In this sense, some fines that have already been imposed on companies that have breached the regulation include:

  • A report from the European Commission revealed significant data a year after the regulation's implementation: Google was fined 50 million euros for lack of consent in its ads; and a social network operator paid a 20,000€ fine.
  • 2022 data from the DLA Piper law firm quantified almost 1.1 billion euros collected in GDPR sanctions in a single year.

How to Comply with the Data Protection Law?

For companies, complying with the Data Protection Law involves using the right software to process the large number of personal data they hold and generate all the required suppressions.

Specialized GDPR compliance software allows you to:

  • Select personal data to be suppressed
  • Put them in a blocking state
  • Apply necessary actions, from verification to restitution (for possible errors), dissociation, or physical data deletion

Moreover, the right software will offer the option to perform these actions manually or automatically, and to execute the data from the graphical interface and through specific requests.


Anonymization processes transform personal data sets into anonymous information, that is, not related to a physical person.

This generates a new data set in which there is no possibility of identifying the physical persons part of the data, being this an irreversible process.

On the other hand, pseudonymization generates two data sets: one with pseudonymized information, and another with information that could potentially reverse the anonymization.

Difference Between icaria TDM and icaria GDPR

At icaria Technology, we work to help companies manage their data efficiently, securely, and in accordance with the law.

In this sense, we have developed two software solutions:

  • icaria TDM, aimed at GDPR compliance in pre-production environments, such as testing environments. This tool carries out processes of mass dissociation and data segmentation, generating complete, coherent, and correct data sets for testing.
  • icaria GDPR facilitates companies' compliance with the right to erasure. To this end, the tool manages the blocking period and suppression. The software also coordinates the lifecycle of each seed and promotes actions such as extraction, storage, dissociation, restoration, and data deletion in the corresponding environment, among other operations, automatically and planned.

Thus, at icaria, we stand by companies, facilitating their compliance with the law while also generating trust in clients and suppliers, and avoiding potential sanctions. Want to know more about Data Protection and how to comply with the law in a test data environment? Request a free demo and see firsthand how our software facilitates these processes.