Data Privacy Compliance
Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.
When to Use This Skill
Use this skill when:
- Implementing GDPR, CCPA, or HIPAA compliance
- Conducting Data Protection Impact Assessments (DPIA)
- Managing data subject rights (access, deletion, portability)
- Implementing consent management systems
- Drafting privacy policies and notices
- Handling data breaches and incident response
- Designing privacy-by-design systems
- Conducting privacy audits and assessments
Key Regulations Overview
GDPR (General Data Protection Regulation)
Scope: EU residents' data, regardless of where company is located Key Requirements:
- Lawful basis for processing (consent, contract, legitimate interest, etc.)
- Data subject rights (access, deletion, portability, objection)
- Data Protection Impact Assessments for high-risk processing
- 72-hour breach notification requirement
- Records of processing activities
- Privacy by design and by default
Penalties: Up to €20M or 4% of global annual revenue
CCPA/CPRA (California Consumer Privacy Act)
Scope: California residents' data Key Requirements:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of sale/sharing
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
Penalties: Up to $7,500 per intentional violation
HIPAA (Health Insurance Portability and Accountability Act)
Scope: Protected Health Information (PHI) in the US Key Requirements:
- Privacy Rule (patient rights and information uses)
- Security Rule (safeguards for ePHI)
- Breach Notification Rule (60-day notification)
- Business Associate Agreements (BAAs)
Penalties: Up to $1.5M per violation category per year
Data Subject Rights Implementation
1. Right to Access (GDPR Art. 15 / CCPA § 1798.100)
Request Handler:
async function handleAccessRequest(userId, email) { // Verify identity const verified = await verifyIdentity(email); if (!verified) throw new Error('Identity verification failed'); // Collect all personal data const userData = await collectUserData(userId); // Format for readability const report = { personalInfo: userData.profile, activityLogs: userData.activities, preferences: userData.settings, thirdPartySharing: userData.dataSharing, retentionPeriod: '2 years from last activity', dataProtectionOfficer: '[email protected]' }; // Generate downloadable report const pdf = await generatePDFReport(report); // Log request for compliance await logAccessRequest(userId, 'completed'); return pdf; }
Response Timeline:
- GDPR: 1 month (extendable to 3 months)
- CCPA: 45 days (extendable to 90 days)
2. Right to Deletion (GDPR Art. 17 / CCPA § 1798.105)
Deletion Handler:
async function handleDeletionRequest(userId, email) { // Verify identity const verified = await verifyIdentity(email); if (!verified) throw new Error('Identity verification failed'); // Check for legal obligations to retain const mustRetain = await checkRetentionRequirements(userId); if (mustRetain.required) { return { status: 'partial_deletion', retained: mustRetain.data, reason: mustRetain.legalBasis, retentionPeriod: mustRetain.period }; } // Delete from all systems await Promise.all([ deleteFromDatabase(userId), deleteFromBackups(userId), // Mark for deletion in next backup cycle deleteFromAnalytics(userId), deleteFromThirdPartyServices(userId), revokeAPIKeys(userId), anonymizeHistoricalRecords(userId) ]); // Confirm deletion await sendDeletionConfirmation(email); await logDeletionRequest(userId, 'completed'); return { status: 'deleted', timestamp: new Date() }; }
Exceptions (when deletion can be refused):
- Legal obligations (tax records, contracts)
- Public interest/scientific research
- Defense of legal claims
- Exercise of freedom of expression
3. Right to Data Portability (GDPR Art. 20)
Export Handler:
async function handlePortabilityRequest(userId, format = 'json') { const userData = await collectUserData(userId); // Structure in machine-readable format const portableData = { exportDate: new Date().toISOString(), userId: userId, data: { profile: userData.profile, content: userData.userGeneratedContent, settings: userData.preferences, history: userData.activityHistory } }; // Support multiple formats if (format === 'csv') { return convertToCSV(portableData); } else if (format === 'xml') { return convertToXML(portableData); } return portableData; // JSON by default }
Requirements:
- Structured, commonly used, machine-readable format
- Ability to transmit directly to another controller
- Only applies to data provided by data subject
- Only for automated processing based on consent or contract
4. Right to Object (GDPR Art. 21)
Objection Handler:
async function handleObjectionRequest(userId, processingType) { switch (processingType) { case 'direct_marketing': // Must stop immediately await disableMarketing(userId); await updateConsent(userId, 'marketing', false); break; case 'legitimate_interest': // Assess if we have compelling grounds const assessment = await assessLegitimateInterest(userId); if (!assessment.compelling) { await stopProcessing(userId, processingType); } return assessment; case 'profiling': await disableProfiling(userId); await updateConsent(userId, 'profiling', false); break; default: throw new Error('Invalid processing type'); } await logObjectionRequest(userId, processingType, 'granted'); }
Consent Management
Consent Requirements (GDPR)
Valid Consent Must Be:
- Freely given (no coercion)
- Specific (for each purpose)
- Informed (clear language)
- Unambiguous (clear affirmative action)
- Withdrawable (as easy to withdraw as to give)
Consent Implementation:
<!-- Good: Granular consent --> <form> <h3>Privacy Preferences</h3> <label> <input type="checkbox" name="essential" checked disabled> <strong>Essential cookies (Required)</strong> <p>Necessary for website functionality</p> </label> <label> <input type="checkbox" name="analytics" value="analytics"> <strong>Analytics cookies</strong> <p>Help us improve our website by collecting usage data</p> </label> <label> <input type="checkbox" name="marketing" value="marketing"> <strong>Marketing cookies</strong> <p>Show you personalized ads based on your interests</p> </label> <button type="submit">Save Preferences</button> <a href="/privacy-policy">Learn More</a> </form>
Consent Record Storage:
const consentRecord = { userId: 'user123', timestamp: new Date().toISOString(), consentVersion: '2.0', purposes: { essential: { granted: true, required: true }, analytics: { granted: true, purpose: 'Website improvement' }, marketing: { granted: false, purpose: 'Personalized advertising' } }, ipAddress: '192.168.1.1', // For proof userAgent: 'Mozilla/5.0...', // For context method: 'explicit_opt_in' // or 'implicit', 'presumed' }; await saveConsentRecord(consentRecord);
Cookie Banner (GDPR Compliant)
<div id="cookie-banner" role="dialog" aria-labelledby="cookie-title"> <h2 id="cookie-title">Cookie Preferences</h2> <p> We use cookies to enhance your experience. Choose which cookies you allow us to use. You can change your preferences at any time. </p> <button onclick="acceptAll()">Accept All</button> <button onclick="rejectNonEssential()">Reject Non-Essential</button> <button onclick="showPreferences()">Manage Preferences</button> </div> <script> // Must not load non-essential cookies until consent given function acceptAll() { setConsent({ analytics: true, marketing: true }); loadAnalyticsCookies(); loadMarketingCookies(); hideBanner(); } function rejectNonEssential() { setConsent({ analytics: false, marketing: false }); hideBanner(); } </script>
Privacy by Design Principles
1. Data Minimization
Principle: Collect only data necessary for specified purpose
Implementation:
// ❌ Bad: Collecting unnecessary data const userRegistration = { email: req.body.email, password: req.body.password, fullName: req.body.fullName, phoneNumber: req.body.phoneNumber, // Not needed dateOfBirth: req.body.dateOfBirth, // Not needed address: req.body.address, // Not needed socialSecurityNumber: req.body.ssn // Definitely not needed! }; // ✅ Good: Only essential data const userRegistration = { email: req.body.email, password: hashPassword(req.body.password), displayName: req.body.displayName // Optional };
2. Purpose Limitation
Principle: Use data only for specified, explicit purposes
Implementation:
// Document and enforce purpose const dataProcessingPurpose = { email: [ 'account_authentication', 'order_confirmations', 'password_reset' ], phoneNumber: [ 'order_delivery_notifications' // NOT: 'marketing_calls' (requires separate consent) ], purchaseHistory: [ 'order_fulfillment', 'customer_support' // NOT: 'targeted_advertising' (requires separate consent) ] }; async function processData(data, purpose) { if (!isAllowedPurpose(data.type, purpose)) { throw new Error('Purpose not authorized for this data'); } // Proceed with processing }
3. Storage Limitation
Principle: Retain data only as long as necessary
Implementation:
const retentionPolicy = { userAccounts: { active: 'indefinite', inactive: '2 years', deleted: '30 days grace period' }, orderRecords: '7 years', // Legal requirement supportTickets: '3 years', analytics: '26 months', marketingData: '1 year or until consent withdrawn' }; // Automated data deletion async function enforceRetentionPolicy() { const now = new Date(); // Delete inactive accounts await User.deleteMany({ lastActive: { $lt: subYears(now, 2) }, status: 'inactive' }); // Anonymize old analytics await Analytics.updateMany( { createdAt: { $lt: subMonths(now, 26) } }, { $unset: { userId: 1, ipAddress: 1 } } ); // Delete expired marketing consent await MarketingConsent.deleteMany({ $or: [ { expiresAt: { $lt: now } }, { withdrawnAt: { $lt: subDays(now, 30) } } ] }); } // Schedule daily cron.schedule('0 2 * * *', enforceRetentionPolicy);
Data Protection Impact Assessment (DPIA)
When Required (GDPR Art. 35):
- Systematic and extensive profiling
- Large-scale processing of sensitive data
- Systematic monitoring of publicly accessible areas
- New technologies with high privacy risks
DPIA Template:
# Data Protection Impact Assessment ## Processing Overview - **Purpose**: [Describe the processing activity] - **Data Types**: [Personal data categories] - **Data Subjects**: [Who is affected] - **Recipients**: [Who receives the data] ## Necessity Assessment - [ ] Is processing necessary for the stated purpose? - [ ] Could the purpose be achieved with less data? - [ ] Is the retention period justified? ## Risk Assessment | Risk | Likelihood | Severity | Mitigation | |------|------------|----------|------------| | Data breach | Medium | High | Encryption, access controls | | Unauthorized access | Low | High | 2FA, audit logs | | Purpose creep | Medium | Medium | Purpose documentation, training | ## Safeguards - [ ] Encryption at rest and in transit - [ ] Access controls and authentication - [ ] Regular security audits - [ ] Data minimization applied - [ ] Retention policies enforced - [ ] DPO consulted - [ ] Data subject rights mechanism in place ## Conclusion Processing is/is not acceptable with proposed safeguards. Signed: [Data Protection Officer] Date: [Assessment Date]
Privacy Policy Requirements
Essential Elements:
# Privacy Policy ## 1. Identity of Controller Company Name, Address, Contact Information Data Protection Officer: [email protected] ## 2. Data We Collect - Account data: email, name - Usage data: pages visited, features used - Technical data: IP address, browser type ## 3. Legal Basis for Processing - **Consent**: Marketing communications - **Contract**: Order fulfillment - **Legitimate Interest**: Fraud prevention - **Legal Obligation**: Tax records ## 4. How We Use Your Data - Provide services you requested - Improve our products - Send important updates - [Be specific, avoid vague statements] ## 5. Data Sharing - Payment processors (Stripe, PayPal) - Shipping providers (FedEx, UPS) - Analytics (Google Analytics) We do NOT sell your personal data. ## 6. Your Rights - Right to access your data - Right to correct inaccuracies - Right to delete your data - Right to object to processing - Right to data portability - Right to withdraw consent Contact: [email protected] ## 7. Data Retention - Account data: Until account deletion + 30 days - Order history: 7 years (legal requirement) - Marketing data: 1 year or until opt-out ## 8. Security We use industry-standard security measures including encryption, secure servers, and regular security audits. ## 9. International Transfers Data may be transferred to US servers. We use Standard Contractual Clauses approved by the EU Commission. ## 10. Changes to Policy Last updated: [Date] We will notify you of material changes via email. ## 11. Contact Questions? Contact our Data Protection Officer at [email protected]
Incident Response
Data Breach Response Plan
Within 72 Hours (GDPR):
1. **Detect & Contain** (0-4 hours) - Identify scope of breach - Isolate affected systems - Prevent further data loss 2. **Assess** (4-24 hours) - Determine data types affected - Identify number of individuals - Assess risk to rights and freedoms - Document everything 3. **Notify Authority** (24-72 hours) - Report to supervisory authority - Include: nature, categories, approximate numbers, likely consequences, measures taken 4. **Notify Data Subjects** (ASAP if high risk) - Direct communication required - Describe breach in clear language - Provide recommendations for protection
Breach Notification Template:
Subject: Important Security Notice
Dear [Name],
We are writing to inform you of a data security incident that may
have affected your personal information.
WHAT HAPPENED:
On [date], we discovered that [brief description].
WHAT INFORMATION WAS INVOLVED:
[List specific data types: name, email, etc.]
[List what was NOT involved]
WHAT WE ARE DOING:
- [Immediate actions taken]
- [Ongoing security enhancements]
- [Resources provided to affected individuals]
WHAT YOU CAN DO:
- Change your password immediately
- Monitor your accounts for suspicious activity
- [Specific recommendations]
FOR MORE INFORMATION:
Contact our dedicated hotline: [phone]
Email: [email protected]
We sincerely apologize for this incident and the inconvenience
it may cause.
Sincerely,
[Name, Title]
Compliance Checklist
GDPR Compliance
- Lawful basis documented for all processing
- Privacy policy published and accessible
- Consent mechanism implements granular controls
- Data subject rights request process established
- Records of processing activities maintained
- Data Protection Officer appointed (if required)
- DPIA conducted for high-risk processing
- Data breach notification procedure in place
- Vendor contracts include data processing agreements
- International data transfer safeguards implemented
- Staff training on data protection completed
CCPA Compliance
- "Do Not Sell My Personal Information" link on homepage
- Privacy policy discloses data collection and sales
- Mechanisms for verifiable consumer requests
- Process for opt-out requests (48-hour response)
- Annual report on requests and compliance
- Service provider agreements updated
- Notice at collection provided
HIPAA Compliance
- Risk assessment completed
- Security policies and procedures documented
- Workforce trained on HIPAA requirements
- Business Associate Agreements signed
- Access controls and audit trails implemented
- Encryption for ePHI
- Breach notification procedures established
- Contingency plan and disaster recovery
Privacy compliance is an ongoing process, not a one-time checklist. Regularly review and update practices as regulations evolve and your data processing changes.