Data Privacy Guide: GDPR, CCPA, and Privacy Engineering
Data privacy has become a core engineering concern. Regulations like GDPR (Europe), CCPA/CPRA (California), LGPD (Brazil), and PIPEDA (Canada) impose legal obligations on how organizations collect, process, store, and delete personal data. Non-compliance can result in fines up to 4% of global revenue under GDPR.
This guide covers the technical and organizational practices for building privacy-compliant systems: data classification, privacy by design, data protection impact assessments, consent management, and data subject rights handling.
Data Classification
Before you can protect data, you must understand what data you have. Data classification categorizes information based on sensitivity and regulatory requirements.
Classification Levels
A typical classification scheme has four levels:
- Public — Information that can be freely shared (marketing content, press releases)
- Internal — Information that should not be publicly exposed (internal documentation, organizational charts)
- Confidential — Information that would cause harm if disclosed (financial data, business strategies, source code)
- Restricted — Information regulated by law (PII, health records, payment card data)
Automated Classification
Manual classification does not scale. Use automated tools that scan databases, file shares, and APIs to discover and tag sensitive data. Regular expressions detect patterns like credit card numbers (Luhn algorithm), SSNs, and email addresses. Machine learning classifiers identify unstructured PII in documents and emails.
Data Mapping
Create a data flow map showing where personal data enters your system, where it is stored, how it is processed, who has access, and when it is deleted. Data mapping is required under GDPR Article 30 and is the foundation for Data Protection Impact Assessments. Tools like Okera, BigID, and Collibra automate data mapping at scale.
Privacy by Design and by Default
GDPR Article 25 requires that data protection is built into systems from the start, not added as an afterthought.
Core Principles
- Proactive not reactive — Prevent privacy issues before they occur rather than remediating after the fact
- Privacy as the default — The strictest privacy settings should apply automatically; users opt in to less private settings
- Privacy embedded into design — Privacy is not a bolt-on feature but an integral part of the architecture
- End-to-end security — Data is encrypted throughout its lifecycle
- Visibility and transparency — Data subjects know what data is collected and how it is used
- User-centric design — Privacy controls are accessible and understandable
Practical Implementation
- Data minimization — Collect only the data you need. If a feature works without an email address, do not ask for one
- Purpose limitation — Use data only for the purpose for which it was collected. Do not repurpose data without consent
- Storage limitation — Delete data when the purpose is fulfilled. Define retention schedules for every data category
- Encryption at rest and in transit — Use TLS 1.3 for transit and AES-256-GCM for storage. Encrypt backups as well
Data Anonymization and Pseudonymization
Anonymization removes PII irreversibly so the data can no longer identify an individual. Techniques include generalization (replacing exact ages with ranges), suppression (removing fields), perturbation (adding noise), and k-anonymity (making each record indistinguishable from at least k-1 others).
Pseudonymization replaces identifying fields with tokens. The mapping from token to original data is stored separately and protected. Pseudonymized data is still personal data under GDPR — unlike anonymized data — but the risk of re-identification is significantly reduced.
Differential privacy adds calibrated noise to query results, providing mathematical guarantees against re-identification. Apple and Google use differential privacy to collect usage statistics without learning about individual users.
Data Protection Impact Assessments (DPIA)
A DPIA is a systematic process for identifying and mitigating privacy risks. DPIAs are mandatory under GDPR when processing is likely to result in high risk to individuals — profiling, large-scale processing of sensitive data, or systematic monitoring of publicly accessible areas.
DPIA Process
- Describe the processing — What data is collected, for what purpose, by what means
- Assess necessity and proportionality — Is the data minimization principle followed? Is there a less privacy-invasive alternative?
- Identify risks — What harm could result from a data breach or misuse? Who could be affected?
- Mitigate risks — Technical controls (encryption, access control) and organizational controls (training, policies)
- Document the outcome — The DPIA is a living document that must be reviewed when processing changes
Consent Management
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent are not valid under GDPR.
Consent Capture
Store consent records with timestamp, version of the privacy policy, what the user was told, and how consent was obtained. Provide granular consent options — a user might consent to marketing emails but not to behavioral profiling.
Consent Withdrawal
Withdrawing consent must be as easy as giving it. Provide a preference center where users can view and change their consents. When consent is withdrawn, stop processing immediately and delete data unless another legal basis applies.
Data Subject Rights
GDPR grants individuals several rights that your systems must support:
- Right of access — Users can request all data you hold about them. Respond within one month
- Right to rectification — Users can correct inaccurate data
- Right to erasure (right to be forgotten) — Users can request deletion of their data
- Right to restrict processing — Users can limit how their data is used
- Right to data portability — Users can receive their data in a machine-readable format
- Right to object — Users can object to processing for direct marketing or legitimate interests
Operationalizing Rights
Build APIs that allow your support team to execute data subject requests without direct database access. Automate the search for all data belonging to a user across your services. Track request SLAs and generate compliance reports.
Breach Notification
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in high risk to individuals, affected data subjects must also be notified.
Incident Response Plan
- Detect the breach through monitoring and alerts
- Contain the breach by isolating affected systems
- Assess the scope — what data was accessed, how many records, who is affected
- Notify the DPA and affected individuals with a description of the breach, the likely consequences, and the measures taken
- Document the incident for post-mortem analysis and regulatory inspection
Summary
Data privacy is a continuous engineering discipline, not a one-time compliance checkbox. Classify your data, build privacy into your architecture, conduct impact assessments for high-risk processing, manage consent properly, and operationalize data subject rights. The tools and practices exist — the challenge is integrating them into your development workflow.
FAQ
What is the difference between anonymization and pseudonymization? Anonymization irreversibly removes PII so re-identification is impossible. Pseudonymization replaces identifiers with tokens — re-identification is possible with access to the mapping. Anonymized data is not personal data under GDPR; pseudonymized data still is.
Do I need a Data Protection Officer (DPO)? Under GDPR Article 37, you need a DPO if you are a public authority, engage in large-scale systematic monitoring of individuals, or process sensitive data on a large scale.
How long should I keep personal data? Only as long as necessary for the purpose it was collected. Define retention schedules for each data category and automate deletion when the retention period expires.
What happens if I miss the 72-hour breach notification deadline? The supervisory authority can impose fines for delayed notification in addition to fines for the breach itself. Document your decision-making process even if you determine notification is not required.
Data Privacy Regulations
Data privacy is governed by an increasingly complex landscape of regulations. Understanding these frameworks is essential for any organization handling personal data:
GDPR (General Data Protection Regulation) — The EU regulation that set the global standard for data privacy. Key requirements include explicit consent for data processing, the right to be forgotten, data portability, breach notification within 72 hours, and Data Protection Officer (DPO) appointment for large-scale processing. Fines can reach 4% of global annual revenue or 20 million euros, whichever is higher.
CCPA/CPRA (California Consumer Privacy Act) — Grants California residents the right to know what personal data is collected, the right to delete personal data, the right to opt out of data sales, and the right to non-discrimination for exercising these rights. The CPRA (effective 2023) added sensitive data categories and expanded enforcement capabilities.
HIPAA (Health Insurance Portability and Accountability Act) — Governs protected health information (PHI) in the United States. Requires administrative, physical, and technical safeguards — including access controls, audit logs, encryption, and business associate agreements with third-party vendors handling PHI.
Data Privacy Engineering
Privacy by design embeds privacy protections into systems from the start. Key practices include:
- Data minimization — Collect only the data you need, retain it only as long as necessary, and delete it when no longer required
- Pseudonymization — Replace identifying fields with pseudonyms so data cannot be attributed to a specific individual without additional information
- Encryption at rest and in transit — Use AES-256 for storage, TLS 1.3 for transmission
- Access controls — Role-based access with audit logging for all personal data access
- Privacy Impact Assessments (PIA) — Evaluate privacy risks before deploying new systems or features that process personal data
Related: Security Compliance Guide | Identity and Access Management