Aimed at project leads and architects scoping a new system. The choices in this series shape everything downstream — what data you collect, where it lives, who can reach it, and what your default posture is when an auditor or a data subject asks. Read this before the host-hardening and app-deployment tracks; the implementation guides assume these decisions have already been made.
Privacy by Design for a New Server Build
Applies to: any new Linux server intended for production where you will store, process, or transit personal data — including the metadata kind (IP addresses, user agents, login timestamps), which counts under GDPR whether or not your application has a “users” table. Why this matters GDPR Article 25 — Data protection by design and by default — is the legal text that turns “we should think about privacy” into “you must demonstrate that you thought about privacy, on paper, before you started processing.” It applies whether or not you have a website with a signup form. An Nginx access log with full client IPs is processing personal data. ...