Legal implications in computing focus on how laws regulate the use of data and technology, aiming to protect privacy, ownership, and ensure ethical practices.
Data protection laws
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is one of the most important data protection laws globally. Introduced in May 2018, it applies across the European Union and to any organisation worldwide that processes the personal data of EU residents. The GDPR was created to give individuals greater control over how their data is used and to ensure companies handle this data responsibly.
Key principles of GDPR
The GDPR is based on seven foundational principles that organisations must follow:
Lawfulness, fairness, and transparency – Data must be handled in a lawful and fair manner. Organisations must clearly inform users about how their data is being used.
Purpose limitation – Data should only be collected for specific, clear, and legitimate purposes and should not be used for other reasons later.
Data minimisation – Only the data necessary for the stated purpose should be collected.
Accuracy – Organisations must ensure data is accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
Storage limitation – Data should not be retained longer than necessary.
Integrity and confidentiality – Data must be protected from unauthorised access, corruption, or loss using appropriate security measures.
Accountability – Organisations must be able to show that they comply with these principles.
Rights of individuals under GDPR
FAQ
Under GDPR, all organisations that handle personal data, regardless of size, must comply with the same core principles. This includes small businesses, sole traders, and independent developers. However, the regulation does introduce some flexibility depending on the scale and nature of processing. For instance, small businesses may not be required to appoint a Data Protection Officer (DPO) unless they process sensitive data on a large scale or carry out systematic monitoring. They are still required to ensure data is collected lawfully, stored securely, and only used for specific purposes. Transparency with users is essential, and consent must be explicit and informed. Even simple contact forms collecting names and email addresses count as personal data collection. Failing to comply can still result in fines, though regulators often consider the organisation’s size and resources when determining penalties. Therefore, even individual app developers or website owners must take GDPR obligations seriously, including updating privacy policies and ensuring secure data handling.
Biometric data is classified as special category data under GDPR and the UK Data Protection Act 2018. This means it is subject to stricter legal protections than ordinary personal data due to its sensitive and unique nature. Examples include fingerprints, iris scans, facial recognition, and voice patterns. To process biometric data legally, organisations must have a lawful basis under Article 6 of the GDPR, and also meet one of the specific conditions in Article 9 for processing special category data. Common lawful bases include explicit consent, employment law obligations, or reasons of substantial public interest. For example, using fingerprint access in workplaces or facial recognition in airports must be clearly justified, secure, and proportionate. Organisations must conduct a Data Protection Impact Assessment (DPIA) before introducing such technology to assess risks and privacy implications. Individuals must be clearly informed about how their biometric data is being used, and given the right to object or withdraw consent in most cases.
No, open-source software is not free from copyright or legal obligations. Although the source code is openly available, it is still protected by copyright and distributed under specific licences. Each licence defines what users can and cannot do. Common open-source licences include the MIT License, the GNU General Public License (GPL), and the Apache License. Some allow modification and redistribution with few restrictions, while others require derivative works to be licensed under the same terms (e.g. the GPL). Failing to comply with the terms, such as omitting credit to the original authors or not sharing modified code, can result in copyright infringement. Commercial use is usually permitted under most open-source licences, but their conditions must still be followed. Developers must always read the licence terms carefully before integrating open-source components into their software. Even accidentally breaching a licence can lead to takedown notices, legal action, or being required to release proprietary code publicly under certain circumstances.
User data collected through third-party cookies and trackers is legally considered personal data under GDPR if it can be used to identify or profile an individual, directly or indirectly. This includes IP addresses, browsing behaviour, location data, and device identifiers. Under the ePrivacy Directive (also known as the Cookie Law) and GDPR, consent must be informed, specific, and actively given before placing non-essential cookies on a user’s device. Websites must display a clear cookie banner explaining what data is collected, for what purposes, and by which third parties. Consent must not be pre-ticked or assumed by continued browsing. Users must also be able to withdraw consent easily. Many websites violate these rules by using cookie banners that are misleading or that make rejecting cookies more difficult than accepting them. Failing to comply can result in investigations and fines by data protection authorities, especially when tracking is used for behavioural advertising or profiling without proper consent.
Yes, there are significant legal consequences for organisations that fail to delete user data after a valid right to erasure request under GDPR. Also known as the “right to be forgotten”, this right allows individuals to request that their personal data be erased when it is no longer needed, when consent is withdrawn, or if the data was unlawfully processed. Organisations must respond to the request within one month, although this can be extended by two months for complex cases. If the request is denied, the organisation must provide a clear justification. Failure to comply without a lawful reason can lead to complaints to the national data protection authority (such as the ICO in the UK), legal action by the individual, and administrative fines. In serious cases, fines can reach up to 20 million euros or 4% of global annual turnover, whichever is higher. Data controllers must also ensure that data is erased from backups and shared systems where feasible.
