Data Privacy Compliance
Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.
When to Use This Skill
Use this skill when:
- Implementing GDPR, CCPA, or HIPAA compliance
- Conducting Data Protection Impact Assessments (DPIA)
- Managing data subject rights (access, deletion, portability)
- Implementing consent management systems
- Drafting privacy policies and notices
- Handling data breaches and incident response
- Designing privacy-by-design systems
- Conducting privacy audits and assessments
Key Regulations Overview
GDPR (General Data Protection Regulation)
Scope: EU residents' data, regardless of where company is located
Key Requirements:
- Lawful basis for processing (consent, contract, legitimate interest, etc.)
- Data subject rights (access, deletion, portability, objection)
- Data Protection Impact Assessments for high-risk processing
- 72-hour breach notification requirement
- Records of processing activities
- Privacy by design and by default
Penalties: Up to β¬20M or 4% of global annual revenue
CCPA/CPRA (California Consumer Privacy Act)
Scope: California residents' data
Key Requirements:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of sale/sharing
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
Penalties: Up to $7,500 per intentional violation
HIPAA (Health Insurance Portability and Accountability Act)
Scope: Protected Health Information (PHI) in the US
Key Requirements:
- Privacy Rule (patient rights and information uses)
- Security Rule (safeguards for ePHI)
- Breach Notification Rule (60-day notification)
- Business Associate Agreements (BAAs)
Penalties: Up to $1.5M per violation category per year
Data Subject Rights Implementation
1. Right to Access (GDPR Art. 15 / CCPA Β§ 1798.100)
Request Handler:
async function handleAccessRequest(userId, email) {
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
const userData = await collectUserData(userId);
const report = {
personalInfo: userData.profile,
activityLogs: userData.activities,
preferences: userData.settings,
thirdPartySharing: userData.dataSharing,
retentionPeriod: '2 years from last activity',
dataProtectionOfficer: '[email protected]'
};
const pdf = await generatePDFReport(report);
await logAccessRequest(userId, 'completed');
return pdf;
}
Response Timeline:
- GDPR: 1 month (extendable to 3 months)
- CCPA: 45 days (extendable to 90 days)
2. Right to Deletion (GDPR Art. 17 / CCPA Β§ 1798.105)
Deletion Handler:
async function handleDeletionRequest(userId, email) {
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
const mustRetain = await checkRetentionRequirements(userId);
if (mustRetain.required) {
return {
status: 'partial_deletion',
retained: mustRetain.data,
reason: mustRetain.legalBasis,
retentionPeriod: mustRetain.period
};
}
await Promise.all([
deleteFromDatabase(userId),
deleteFromBackups(userId),
deleteFromAnalytics(userId),
deleteFromThirdPartyServices(userId),
revokeAPIKeys(userId),
anonymizeHistoricalRecords(userId)
]);
await sendDeletionConfirmation(email);
await logDeletionRequest(userId, 'completed');
return { status: 'deleted', timestamp: new Date() };
}
Exceptions (when deletion can be refused):
- Legal obligations (tax records, contracts)
- Public interest/scientific research
- Defense of legal claims
- Exercise of freedom of expression
3. Right to Data Portability (GDPR Art. 20)
Export Handler:
async function handlePortabilityRequest(userId, format = 'json') {
const userData = await collectUserData(userId);
const portableData = {
exportDate: new Date().toISOString(),
userId: userId,
data: {
profile: userData.profile,
content: userData.userGeneratedContent,
settings: userData.preferences,
history: userData.activityHistory
}
};
if (format === 'csv') {
return convertToCSV(portableData);
} else if (format === 'xml') {
return convertToXML(portableData);
}
return portableData;
}
Requirements:
- Structured, commonly used, machine-readable format
- Ability to transmit directly to another controller
- Only applies to data provided by data subject
- Only for automated processing based on consent or contract
4. Right to Object (GDPR Art. 21)
Objection Handler:
async function handleObjectionRequest(userId, processingType) {
switch (processingType) {
case 'direct_marketing':
await disableMarketing(userId);
await updateConsent(userId, 'marketing', false);
break;
case 'legitimate_interest':
const assessment = await assessLegitimateInterest(userId);
if (!assessment.compelling) {
await stopProcessing(userId, processingType);
}
return assessment;
