Data privacy and regulatory compliance specialist for GDPR, CCPA, HIPAA, and international data protection laws...
Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.
Use this skill when:
Scope: EU residents' data, regardless of where company is located Key Requirements:
Penalties: Up to €20M or 4% of global annual revenue
Scope: California residents' data Key Requirements:
Penalties: Up to $7,500 per intentional violation
Scope: Protected Health Information (PHI) in the US Key Requirements:
Penalties: Up to $1.5M per violation category per year
Request Handler:
async function handleAccessRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Collect all personal data
const userData = await collectUserData(userId);
// Format for readability
const report = {
personalInfo: userData.profile,
activityLogs: userData.activities,
preferences: userData.settings,
thirdPartySharing: userData.dataSharing,
retentionPeriod: '2 years from last activity',
dataProtectionOfficer: 'dpo@company.com'
};
// Generate downloadable report
const pdf = await generatePDFReport(report);
// Log request for compliance
await logAccessRequest(userId, 'completed');
return pdf;
}
Response Timeline:
Deletion Handler:
async function handleDeletionRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Check for legal obligations to retain
const mustRetain = await checkRetentionRequirements(userId);
if (mustRetain.required) {
return {
status: 'partial_deletion',
retained: mustRetain.data,
reason: mustRetain.legalBasis,
retentionPeriod: mustRetain.period
};
}
// Delete from all systems
await Promise.all([
deleteFromDatabase(userId),
deleteFromBackups(userId), // Mark for deletion in next backup cycle
deleteFromAnalytics(userId),
deleteFromThirdPartyServices(userId),
revokeAPIKeys(userId),
anonymizeHistoricalRecords(userId)
]);
// Confirm deletion
await sendDeletionConfirmation(email);
await logDeletionRequest(userId, 'completed');
return { status: 'deleted', timestamp: new Date() };
}
Exceptions (when deletion can be refused):
Export Handler:
async function handlePortabilityRequest(userId, format = 'json') {
const userData = await collectUserData(userId);
// Structure in machine-readable format
const portableData = {
exportDate: new Date().toISOString(),
userId: userId,
data: {
profile: userData.profile,
content: userData.userGeneratedContent,
settings: userData.preferences,
history: userData.activityHistory
}
};
// Support multiple formats
if (format === 'csv') {
return convertToCSV(portableData);
} else if (format === 'xml') {
return convertToXML(portableData);
}
return portableData; // JSON by default
}
Requirements:
Objection Handler:
async function handleObjectionRequest(userId, processingType) {
switch (processingType) {
case 'direct_marketing':
// Must stop immediately
await disableMarketing(userId);
await updateConsent(userId, 'marketing', false);
break;
case 'legitimate_interest':
// Assess if we have compelling grounds
const assessment = await assessLegitimateInterest(userId);
if (!assessment.compelling) {
await stopProcessing(userId, processingType);
}
return assessment;
case 'profiling':
await disableProfiling(userId);
await updateConsent(userId, 'profiling', false);
break;
default:
throw new Error('Invalid processing type');
}
await logObjectionRequest(userId, processingType, 'granted');
}
Valid Consent Must Be:
Consent Implementation:
<!-- Good: Granular consent -->
<form>
<h3>Privacy Preferences</h3>
<label>
<input type="checkbox" name="essential" checked disabled>
<strong>Essential cookies (Required)</strong>
<p>Necessary for website functionality</p>
</label>
<label>
<input type="checkbox" name="analytics" value="analytics">
<strong>Analytics cookies</strong>
<p>Help us improve our website by collecting usage data</p>
</label>
<label>
<input type="checkbox" name="marketing" value="marketing">
<strong>Marketing cookies</strong>
<p>Show you personalized ads based on your interests</p>
</label>
<button type="submit">Save Preferences</button>
<a href="/privacy-policy">Learn More</a>
</form>
Consent Record Storage:
const consentRecord = {
userId: 'user123',
timestamp: new Date().toISOString(),
consentVersion: '2.0',
purposes: {
essential: { granted: true, required: true },
analytics: { granted: true, purpose: 'Website improvement' },
marketing: { granted: false, purpose: 'Personalized advertising' }
},
ipAddress: '192.168.1.1', // For proof
userAgent: 'Mozilla/5.0...', // For context
method: 'explicit_opt_in' // or 'implicit', 'presumed'
};
await saveConsentRecord(consentRecord);
<div id="cookie-banner" role="dialog" aria-labelledby="cookie-title">
<h2 id="cookie-title">Cookie Preferences</h2>
<p>
We use cookies to enhance your experience. Choose which cookies you
allow us to use. You can change your preferences at any time.
</p>
<button onclick="acceptAll()">Accept All</button>
<button onclick="rejectNonEssential()">Reject Non-Essential</button>
<button onclick="showPreferences()">Manage Preferences</button>
</div>
<script>
// Must not load non-essential cookies until consent given
function acceptAll() {
setConsent({ analytics: true, marketing: true });
loadAnalyticsCookies();
loadMarketingCookies();
hideBanner();
}
function rejectNonEssential() {
setConsent({ analytics: false, marketing: false });
hideBanner();
}
</script>
Principle: Collect only data necessary for specified purpose
Implementation:
// ❌ Bad: Collecting unnecessary data
const userRegistration = {
email: req.body.email,
password: req.body.password,
fullName: req.body.fullName,
phoneNumber: req.body.phoneNumber, // Not needed
dateOfBirth: req.body.dateOfBirth, // Not needed
address: req.body.address, // Not needed
socialSecurityNumber: req.body.ssn // Definitely not needed!
};
// ✅ Good: Only essential data
const userRegistration = {
email: req.body.email,
password: hashPassword(req.body.password),
displayName: req.body.displayName // Optional
};
Principle: Use data only for specified, explicit purposes
Implementation:
// Document and enforce purpose
const dataProcessingPurpose = {
email: [
'account_authentication',
'order_confirmations',
'password_reset'
],
phoneNumber: [
'order_delivery_notifications'
// NOT: 'marketing_calls' (requires separate consent)
],
purchaseHistory: [
'order_fulfillment',
'customer_support'
// NOT: 'targeted_advertising' (requires separate consent)
]
};
async function processData(data, purpose) {
if (!isAllowedPurpose(data.type, purpose)) {
throw new Error('Purpose not authorized for this data');
}
// Proceed with processing
}
Principle: Retain data only as long as necessary
Implementation:
const retentionPolicy = {
userAccounts: {
active: 'indefinite',
inactive: '2 years',
deleted: '30 days grace period'
},
orderRecords: '7 years', // Legal requirement
supportTickets: '3 years',
analytics: '26 months',
marketingData: '1 year or until consent withdrawn'
};
// Automated data deletion
async function enforceRetentionPolicy() {
const now = new Date();
// Delete inactive accounts
await User.deleteMany({
lastActive: { $lt: subYears(now, 2) },
status: 'inactive'
});
// Anonymize old analytics
await Analytics.updateMany(
{ createdAt: { $lt: subMonths(now, 26) } },
{ $unset: { userId: 1, ipAddress: 1 } }
);
// Delete expired marketing consent
await MarketingConsent.deleteMany({
$or: [
{ expiresAt: { $lt: now } },
{ withdrawnAt: { $lt: subDays(now, 30) } }
]
});
}
// Schedule daily
cron.schedule('0 2 * * *', enforceRetentionPolicy);
When Required (GDPR Art. 35):
DPIA Template:
# Data Protection Impact Assessment
## Processing Overview
- **Purpose**: [Describe the processing activity]
- **Data Types**: [Personal data categories]
- **Data Subjects**: [Who is affected]
- **Recipients**: [Who receives the data]
## Necessity Assessment
- [ ] Is processing necessary for the stated purpose?
- [ ] Could the purpose be achieved with less data?
- [ ] Is the retention period justified?
## Risk Assessment
| Risk | Likelihood | Severity | Mitigation |
|------|------------|----------|------------|
| Data breach | Medium | High | Encryption, access controls |
| Unauthorized access | Low | High | 2FA, audit logs |
| Purpose creep | Medium | Medium | Purpose documentation, training |
## Safeguards
- [ ] Encryption at rest and in transit
- [ ] Access controls and authentication
- [ ] Regular security audits
- [ ] Data minimization applied
- [ ] Retention policies enforced
- [ ] DPO consulted
- [ ] Data subject rights mechanism in place
## Conclusion
Processing is/is not acceptable with proposed safeguards.
Signed: [Data Protection Officer]
Date: [Assessment Date]
Essential Elements:
# Privacy Policy
## 1. Identity of Controller
Company Name, Address, Contact Information
Data Protection Officer: dpo@company.com
## 2. Data We Collect
- Account data: email, name
- Usage data: pages visited, features used
- Technical data: IP address, browser type
## 3. Legal Basis for Processing
- **Consent**: Marketing communications
- **Contract**: Order fulfillment
- **Legitimate Interest**: Fraud prevention
- **Legal Obligation**: Tax records
## 4. How We Use Your Data
- Provide services you requested
- Improve our products
- Send important updates
- [Be specific, avoid vague statements]
## 5. Data Sharing
- Payment processors (Stripe, PayPal)
- Shipping providers (FedEx, UPS)
- Analytics (Google Analytics)
We do NOT sell your personal data.
## 6. Your Rights
- Right to access your data
- Right to correct inaccuracies
- Right to delete your data
- Right to object to processing
- Right to data portability
- Right to withdraw consent
Contact: privacy@company.com
## 7. Data Retention
- Account data: Until account deletion + 30 days
- Order history: 7 years (legal requirement)
- Marketing data: 1 year or until opt-out
## 8. Security
We use industry-standard security measures including
encryption, secure servers, and regular security audits.
## 9. International Transfers
Data may be transferred to US servers. We use Standard
Contractual Clauses approved by the EU Commission.
## 10. Changes to Policy
Last updated: [Date]
We will notify you of material changes via email.
## 11. Contact
Questions? Contact our Data Protection Officer at dpo@company.com
Within 72 Hours (GDPR):
1. **Detect & Contain** (0-4 hours)
- Identify scope of breach
- Isolate affected systems
- Prevent further data loss
2. **Assess** (4-24 hours)
- Determine data types affected
- Identify number of individuals
- Assess risk to rights and freedoms
- Document everything
3. **Notify Authority** (24-72 hours)
- Report to supervisory authority
- Include: nature, categories, approximate numbers,
likely consequences, measures taken
4. **Notify Data Subjects** (ASAP if high risk)
- Direct communication required
- Describe breach in clear language
- Provide recommendations for protection
Breach Notification Template:
Subject: Important Security Notice
Dear [Name],
We are writing to inform you of a data security incident that may
have affected your personal information.
WHAT HAPPENED:
On [date], we discovered that [brief description].
WHAT INFORMATION WAS INVOLVED:
[List specific data types: name, email, etc.]
[List what was NOT involved]
WHAT WE ARE DOING:
- [Immediate actions taken]
- [Ongoing security enhancements]
- [Resources provided to affected individuals]
WHAT YOU CAN DO:
- Change your password immediately
- Monitor your accounts for suspicious activity
- [Specific recommendations]
FOR MORE INFORMATION:
Contact our dedicated hotline: [phone]
Email: security@company.com
We sincerely apologize for this incident and the inconvenience
it may cause.
Sincerely,
[Name, Title]
Privacy compliance is an ongoing process, not a one-time checklist. Regularly review and update practices as regulations evolve and your data processing changes.
