The General Data Protection Regulation (GDPR) in the European Union is the
most famous recently enacted privacy regulation. Despite of the regulation's
legal, political, and technological ramifications, relatively little research
has been carried out for better understanding the GDPR's practical implications
for requirements engineering and software architectures. Building on a grounded
theory approach with close ties to the Finnish software industry, this paper
contributes to the sealing of this gap in previous research. Three questions
are asked and answered in the context of software development organizations.
First, the paper elaborates nine practical constraints under which many small
and medium-sized enterprises (SMEs) often operate when implementing solutions
that address the new regulatory demands. Second, the paper elicits nine
regulatory requirements from the GDPR for software architectures. Third, the
paper presents an implementation for a software architecture that complies both
with the requirements elicited and the constraints elaborated.