Privacy & Compliance (GDPR, CCPA, HIPAA)
The main data privacy regulations, what rights they grant to individuals, and what technical obligations they create for your systems.
**GDPR (EU Regulation 2016/679)** applies to any org processing personal data of EU residents, regardless of org location. Core concepts: **controller** (decides why/how data is processed), **processor** (processes on controller's behalf), **data subject** (the person), **processing** (any operation on personal data — includes reading, storing, transferring).
Six lawful bases: consent (opt-in, withdrawable, granular), contract (necessary to perform a contract the subject is party to), legal obligation (tax, anti-money-laundering), vital interests (life-or-death), public task (government duties), legitimate interests (balanced test: your interest vs the subject's rights — most common basis for B2B).
Data subject rights: Access (copy of their data), Rectification (fix errors), Erasure ('right to be forgotten' — with carve-outs for legal retention), Portability (machine-readable export), Objection (stop processing), Restriction (suspend processing), No automated decision-making (right to human review). Response time: 1 month (extendable to 3 for complex cases).
**Data mapping & Records of Processing Activities (RoPA, GDPR Art. 30)** — a documented inventory of every processing activity: purpose, lawful basis, categories of data, subjects, recipients, retention, security measures. Mandatory for most orgs >250 people. Usually lives in a central tool (OneTrust, Osano, Collibra Privacy).
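What the erasure carve-outs and the one-month response clock look like once they reach your systems, as an added example (not from gdpr.eu or any of the tools named above): it walks a constructed RoPA-style inventory, erases everything except records still under a legal-retention hold, and computes the statutory reply deadline. The record schema, the 7-year retention figure and the sample rows are assumptions for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass
class Record:
    """One row of a constructed data inventory (RoPA-style, hypothetical schema)."""
    category: str
    lawful_basis: str         # one of the six Art. 6 bases, e.g. "consent", "legal_obligation"
    created: str              # ISO date on which the record was collected
    retention_years: int = 0  # statutory retention; only consulted for legal_obligation records


def add_months(iso_day: str, n: int) -> str:
    """Add n calendar months, clamping to month end (Jan 31 + 1 month -> Feb 28/29)."""
    d = date.fromisoformat(iso_day)
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def response_deadline(received: str, complex_case: bool = False) -> str:
    """Reply deadline for a subject request: 1 month, or 3 when the extension is invoked."""
    return add_months(received, 3 if complex_case else 1)


def process_erasure(records, today: str) -> dict:
    """Apply an erasure request: delete all data except what a legal-retention hold still covers."""
    erased, retained = [], []
    for r in records:
        if r.lawful_basis == "legal_obligation":
            expires = add_months(r.created, 12 * r.retention_years)
            if expires > today:  # ISO-8601 strings compare chronologically
                retained.append((r.category, f"legal retention until {expires}"))
                continue
        erased.append(r.category)
    return {"erased": erased, "retained": retained}


# Constructed sample inventory; the 7-year retention is an assumed figure, not a GDPR value.
SAMPLE_RECORDS = [
    Record("marketing_preferences", "consent", "2023-05-01"),
    Record("invoices", "legal_obligation", "2022-01-15", retention_years=7),
    Record("support_tickets", "legitimate_interests", "2024-03-09"),
    Record("old_invoices", "legal_obligation", "2015-06-30", retention_years=7),
]

if __name__ == "__main__":
    print("reply by", response_deadline("2025-01-10"),
          "or", response_deadline("2025-01-10", True), "if extended")
    print(process_erasure(SAMPLE_RECORDS, "2025-01-10"))
```

The retained list is what goes back to the data subject as the justification for a partial refusal, so keep it alongside the request in your audit log.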
**Data Protection Impact Assessment (DPIA, Art. 35)** — required for high-risk processing (biometrics, large-scale sensitive data, public-space monitoring, profiling with legal effects). Formal doc describing the processing, necessity/proportionality analysis, risk assessment, mitigations. Submit to DPA if residual risk remains high.
Breach notification (Art. 33/34) — notify supervisory authority within 72h of awareness, notify affected individuals 'without undue delay' if high risk. Practically: design a runbook; most orgs fail the 72h deadline because they don't have a pre-staged notification template and pre-identified decision-makers.
International transfers: post-Schrems II, transfers to the US require SCCs + Transfer Impact Assessment. Adequacy decisions (UK, Japan, Korea, Canada-commercial…) allow transfer without extra safeguards. Data residency requirements (keep EU data in the EU) are increasingly common for government / healthcare / finance sectors.
**HIPAA** (US, healthcare): protects PHI (Protected Health Information). Two rules — Privacy (who can see) and Security (how to protect). Covered entities + business associates (BAA contracts). Technical safeguards: access control, audit logs, integrity, transmission security, encryption. Breaches > 500 records → HHS + media notification.
Grounded on https://gdpr.eu/