Data Privacy Compliance
Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.
When to Use This Skill
Use this skill when:
- •Implementing GDPR, CCPA, or HIPAA compliance
- •Conducting Data Protection Impact Assessments (DPIA)
- •Managing data subject rights (access, deletion, portability)
- •Implementing consent management systems
- •Drafting privacy policies and notices
- •Handling data breaches and incident response
- •Designing privacy-by-design systems
- •Conducting privacy audits and assessments
Key Regulations Overview
GDPR (General Data Protection Regulation)
Scope: EU residents' data, regardless of where company is located Key Requirements:
- •Lawful basis for processing (consent, contract, legitimate interest, etc.)
- •Data subject rights (access, deletion, portability, objection)
- •Data Protection Impact Assessments for high-risk processing
- •72-hour breach notification requirement
- •Records of processing activities
- •Privacy by design and by default
Penalties: Up to €20M or 4% of global annual revenue
CCPA/CPRA (California Consumer Privacy Act)
Scope: California residents' data Key Requirements:
- •Right to know what data is collected
- •Right to delete personal information
- •Right to opt-out of sale/sharing
- •Right to correct inaccurate information
- •Right to limit use of sensitive personal information
Penalties: Up to $7,500 per intentional violation
HIPAA (Health Insurance Portability and Accountability Act)
Scope: Protected Health Information (PHI) in the US Key Requirements:
- •Privacy Rule (patient rights and information uses)
- •Security Rule (safeguards for ePHI)
- •Breach Notification Rule (60-day notification)
- •Business Associate Agreements (BAAs)
Penalties: Up to $1.5M per violation category per year
Data Subject Rights Implementation
1. Right to Access (GDPR Art. 15 / CCPA § 1798.100)
Request Handler:
async function handleAccessRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Collect all personal data
const userData = await collectUserData(userId);
// Format for readability
const report = {
personalInfo: userData.profile,
activityLogs: userData.activities,
preferences: userData.settings,
thirdPartySharing: userData.dataSharing,
retentionPeriod: '2 years from last activity',
dataProtectionOfficer: 'dpo@company.com'
};
// Generate downloadable report
const pdf = await generatePDFReport(report);
// Log request for compliance
await logAccessRequest(userId, 'completed');
return pdf;
}
Response Timeline:
- •GDPR: 1 month (extendable to 3 months)
- •CCPA: 45 days (extendable to 90 days)
2. Right to Deletion (GDPR Art. 17 / CCPA § 1798.105)
Deletion Handler:
async function handleDeletionRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Check for legal obligations to retain
const mustRetain = await checkRetentionRequirements(userId);
if (mustRetain.required) {
return {
status: 'partial_deletion',
retained: mustRetain.data,
reason: mustRetain.legalBasis,
retentionPeriod: mustRetain.period
};
}
// Delete from all systems
await Promise.all([
deleteFromDatabase(userId),
deleteFromBackups(userId), // Mark for deletion in next backup cycle
deleteFromAnalytics(userId),
deleteFromThirdPartyServices(userId),
revokeAPIKeys(userId),
anonymizeHistoricalRecords(userId)
]);
// Confirm deletion
await sendDeletionConfirmation(email);
await logDeletionRequest(userId, 'completed');
return { status: 'deleted', timestamp: new Date() };
}
Exceptions (when deletion can be refused):
- •Legal obligations (tax records, contracts)
- •Public interest/scientific research
- •Defense of legal claims
- •Exercise of freedom of expression
3. Right to Data Portability (GDPR Art. 20)
Export Handler:
async function handlePortabilityRequest(userId, format = 'json') {
const userData = await collectUserData(userId);
// Structure in machine-readable format
const portableData = {
exportDate: new Date().toISOString(),
userId: userId,
data: {
profile: userData.profile,
content: userData.userGeneratedContent,
settings: userData.preferences,
history: userData.activityHistory
}
};
// Support multiple formats
if (format === 'csv') {
return convertToCSV(portableData);
} else if (format === 'xml') {
return convertToXML(portableData);
}
return portableData; // JSON by default
}
Requirements:
- •Structured, commonly used, machine-readable format
- •Ability to transmit directly to another controller
- •Only applies to data provided by data subject
- •Only for automated processing based on consent or contract
4. Right to Object (GDPR Art. 21)
Objection Handler:
async function handleObjectionRequest(userId, processingType) {
switch (processingType) {
case 'direct_marketing':
// Must stop immediately
await disableMarketing(userId);
await updateConsent(userId, 'marketing', false);
break;
case 'legitimate_interest':
// Assess if we have compelling grounds
const assessment = await assessLegitimateInterest(userId);
if (!assessment.compelling) {
await stopProcessing(userId, processingType);
}
return assessment;
case 'profiling':
await disableProfiling(userId);
await updateConsent(userId, 'profiling', false);
break;
default:
throw new Error('Invalid processing type');
}
await logObjectionRequest(userId, processingType, 'granted');
}
Consent Management
Consent Requirements (GDPR)
Valid Consent Must Be:
- •Freely given (no coercion)
- •Specific (for each purpose)
- •Informed (clear language)
- •Unambiguous (clear affirmative action)
- •Withdrawable (as easy to withdraw as to give)
Consent Implementation:
<!-- Good: Granular consent -->
<form>
<h3>Privacy Preferences</h3>
<label>
<input type="checkbox" name="essential" checked disabled>
<strong>Essential cookies (Required)</strong>
<p>Necessary for website functionality</p>
</label>
<label>
<input type="checkbox" name="analytics" value="analytics">
<strong>Analytics cookies</strong>
<p>Help us improve our website by collecting usage data</p>
</label>
<label>
<input type="checkbox" name="marketing" value="marketing">
<strong>Marketing cookies</strong>
<p>Show you personalized ads based on your interests</p>
</label>
<button type="submit">Save Preferences</button>
<a href="/privacy-policy">Learn More</a>
</form>
Consent Record Storage:
const consentRecord = {
userId: 'user123',
timestamp: new Date().toISOString(),
consentVersion: '2.0',
purposes: {
essential: { granted: true, required: true },
analytics: { granted: true, purpose: 'Website improvement' },
marketing: { granted: false, purpose: 'Personalized advertising' }
},
ipAddress: '192.168.1.1', // For proof
userAgent: 'Mozilla/5.0...', // For context
method: 'explicit_opt_in' // or 'implicit', 'presumed'
};
await saveConsentRecord(consentRecord);
Cookie Banner (GDPR Compliant)
<div id="cookie-banner" role="dialog" aria-labelledby="cookie-title">
<h2 id="cookie-title">Cookie Preferences</h2>
<p>
We use cookies to enhance your experience. Choose which cookies you
allow us to use. You can change your preferences at any time.
</p>
<button onclick="acceptAll()">Accept All</button>
<button onclick="rejectNonEssential()">Reject Non-Essential</button>
<button onclick="showPreferences()">Manage Preferences</button>
</div>
<script>
// Must not load non-essential cookies until consent given
function acceptAll() {
setConsent({ analytics: true, marketing: true });
loadAnalyticsCookies();
loadMarketingCookies();
hideBanner();
}
function rejectNonEssential() {
setConsent({ analytics: false, marketing: false });
hideBanner();
}
</script>
Privacy by Design Principles
1. Data Minimization
Principle: Collect only data necessary for specified purpose
Implementation:
// ❌ Bad: Collecting unnecessary data
const userRegistration = {
email: req.body.email,
password: req.body.password,
fullName: req.body.fullName,
phoneNumber: req.body.phoneNumber, // Not needed
dateOfBirth: req.body.dateOfBirth, // Not needed
address: req.body.address, // Not needed
socialSecurityNumber: req.body.ssn // Definitely not needed!
};
// ✅ Good: Only essential data
const userRegistration = {
email: req.body.email,
password: hashPassword(req.body.password),
displayName: req.body.displayName // Optional
};
2. Purpose Limitation
Principle: Use data only for specified, explicit purposes
Implementation:
// Document and enforce purpose
const dataProcessingPurpose = {
email: [
'account_authentication',
'order_confirmations',
'password_reset'
],
phoneNumber: [
'order_delivery_notifications'
// NOT: 'marketing_calls' (requires separate consent)
],
purchaseHistory: [
'order_fulfillment',
'customer_support'
// NOT: 'targeted_advertising' (requires separate consent)
]
};
async function processData(data, purpose) {
if (!isAllowedPurpose(data.type, purpose)) {
throw new Error('Purpose not authorized for this data');
}
// Proceed with processing
}
3. Storage Limitation
Principle: Retain data only as long as necessary
Implementation:
const retentionPolicy = {
userAccounts: {
active: 'indefinite',
inactive: '2 years',
deleted: '30 days grace period'
},
orderRecords: '7 years', // Legal requirement
supportTickets: '3 years',
analytics: '26 months',
marketingData: '1 year or until consent withdrawn'
};
// Automated data deletion
async function enforceRetentionPolicy() {
const now = new Date();
// Delete inactive accounts
await User.deleteMany({
lastActive: { $lt: subYears(now, 2) },
status: 'inactive'
});
// Anonymize old analytics
await Analytics.updateMany(
{ createdAt: { $lt: subMonths(now, 26) } },
{ $unset: { userId: 1, ipAddress: 1 } }
);
// Delete expired marketing consent
await MarketingConsent.deleteMany({
$or: [
{ expiresAt: { $lt: now } },
{ withdrawnAt: { $lt: subDays(now, 30) } }
]
});
}
// Schedule daily
cron.schedule('0 2 * * *', enforceRetentionPolicy);
Data Protection Impact Assessment (DPIA)
When Required (GDPR Art. 35):
- •Systematic and extensive profiling
- •Large-scale processing of sensitive data
- •Systematic monitoring of publicly accessible areas
- •New technologies with high privacy risks
DPIA Template:
# Data Protection Impact Assessment ## Processing Overview - **Purpose**: [Describe the processing activity] - **Data Types**: [Personal data categories] - **Data Subjects**: [Who is affected] - **Recipients**: [Who receives the data] ## Necessity Assessment - [ ] Is processing necessary for the stated purpose? - [ ] Could the purpose be achieved with less data? - [ ] Is the retention period justified? ## Risk Assessment | Risk | Likelihood | Severity | Mitigation | |------|------------|----------|------------| | Data breach | Medium | High | Encryption, access controls | | Unauthorized access | Low | High | 2FA, audit logs | | Purpose creep | Medium | Medium | Purpose documentation, training | ## Safeguards - [ ] Encryption at rest and in transit - [ ] Access controls and authentication - [ ] Regular security audits - [ ] Data minimization applied - [ ] Retention policies enforced - [ ] DPO consulted - [ ] Data subject rights mechanism in place ## Conclusion Processing is/is not acceptable with proposed safeguards. Signed: [Data Protection Officer] Date: [Assessment Date]
Privacy Policy Requirements
Essential Elements:
# Privacy Policy ## 1. Identity of Controller Company Name, Address, Contact Information Data Protection Officer: dpo@company.com ## 2. Data We Collect - Account data: email, name - Usage data: pages visited, features used - Technical data: IP address, browser type ## 3. Legal Basis for Processing - **Consent**: Marketing communications - **Contract**: Order fulfillment - **Legitimate Interest**: Fraud prevention - **Legal Obligation**: Tax records ## 4. How We Use Your Data - Provide services you requested - Improve our products - Send important updates - [Be specific, avoid vague statements] ## 5. Data Sharing - Payment processors (Stripe, PayPal) - Shipping providers (FedEx, UPS) - Analytics (Google Analytics) We do NOT sell your personal data. ## 6. Your Rights - Right to access your data - Right to correct inaccuracies - Right to delete your data - Right to object to processing - Right to data portability - Right to withdraw consent Contact: privacy@company.com ## 7. Data Retention - Account data: Until account deletion + 30 days - Order history: 7 years (legal requirement) - Marketing data: 1 year or until opt-out ## 8. Security We use industry-standard security measures including encryption, secure servers, and regular security audits. ## 9. International Transfers Data may be transferred to US servers. We use Standard Contractual Clauses approved by the EU Commission. ## 10. Changes to Policy Last updated: [Date] We will notify you of material changes via email. ## 11. Contact Questions? Contact our Data Protection Officer at dpo@company.com
Incident Response
Data Breach Response Plan
Within 72 Hours (GDPR):
1. **Detect & Contain** (0-4 hours)
- Identify scope of breach
- Isolate affected systems
- Prevent further data loss
2. **Assess** (4-24 hours)
- Determine data types affected
- Identify number of individuals
- Assess risk to rights and freedoms
- Document everything
3. **Notify Authority** (24-72 hours)
- Report to supervisory authority
- Include: nature, categories, approximate numbers,
likely consequences, measures taken
4. **Notify Data Subjects** (ASAP if high risk)
- Direct communication required
- Describe breach in clear language
- Provide recommendations for protection
Breach Notification Template:
Subject: Important Security Notice Dear [Name], We are writing to inform you of a data security incident that may have affected your personal information. WHAT HAPPENED: On [date], we discovered that [brief description]. WHAT INFORMATION WAS INVOLVED: [List specific data types: name, email, etc.] [List what was NOT involved] WHAT WE ARE DOING: - [Immediate actions taken] - [Ongoing security enhancements] - [Resources provided to affected individuals] WHAT YOU CAN DO: - Change your password immediately - Monitor your accounts for suspicious activity - [Specific recommendations] FOR MORE INFORMATION: Contact our dedicated hotline: [phone] Email: security@company.com We sincerely apologize for this incident and the inconvenience it may cause. Sincerely, [Name, Title]
Compliance Checklist
GDPR Compliance
- • Lawful basis documented for all processing
- • Privacy policy published and accessible
- • Consent mechanism implements granular controls
- • Data subject rights request process established
- • Records of processing activities maintained
- • Data Protection Officer appointed (if required)
- • DPIA conducted for high-risk processing
- • Data breach notification procedure in place
- • Vendor contracts include data processing agreements
- • International data transfer safeguards implemented
- • Staff training on data protection completed
CCPA Compliance
- • "Do Not Sell My Personal Information" link on homepage
- • Privacy policy discloses data collection and sales
- • Mechanisms for verifiable consumer requests
- • Process for opt-out requests (48-hour response)
- • Annual report on requests and compliance
- • Service provider agreements updated
- • Notice at collection provided
HIPAA Compliance
- • Risk assessment completed
- • Security policies and procedures documented
- • Workforce trained on HIPAA requirements
- • Business Associate Agreements signed
- • Access controls and audit trails implemented
- • Encryption for ePHI
- • Breach notification procedures established
- • Contingency plan and disaster recovery
Privacy compliance is an ongoing process, not a one-time checklist. Regularly review and update practices as regulations evolve and your data processing changes.