Privacy Principles & Foundations
- Privacy by Design (PbD)
- Framework requiring privacy to be embedded into system design from the start. 7 principles: proactive not reactive, privacy as default, embedded into design, full functionality, end-to-end security, visibility/transparency, respect for user privacy.
- Privacy by Default
- Systems must be configured with the most privacy-protective settings by default. Users should not need to take action to protect their privacy — it should be automatic.
- Data Minimization
- Collect, process, and retain only the minimum personal data necessary for the specified purpose. Applies to volume, scope, and retention period.
- Purpose Limitation
- Personal data must be collected for specified, explicit, and legitimate purposes. Further processing must be compatible with the original purpose or have a new lawful basis.
- Storage Limitation
- Personal data should be kept only as long as necessary for the purpose it was collected. Requires defined retention periods and automated enforcement.
- Accuracy Principle
- Personal data must be accurate and, where necessary, kept up to date. Organizations must take reasonable steps to ensure inaccurate data is corrected or deleted.
- Lawfulness, Fairness, Transparency
- Processing must have a lawful basis, be fair to data subjects, and be transparent about what data is collected, why, and how it is used.
- Accountability Principle
- The data controller must demonstrate compliance with privacy principles. Requires documentation, policies, training, audits, and the ability to prove compliance on demand.
Key Privacy Regulations
- GDPR (EU)
- General Data Protection Regulation. Applies to processing of EU residents' data regardless of organization location. Opt-in consent model. Penalties up to 4% of global annual turnover or 20M EUR.
- CCPA/CPRA (California)
- California Consumer Privacy Act / California Privacy Rights Act. Opt-out model for sale/sharing of data. Applies to businesses meeting revenue/data volume thresholds. Right to delete, know, opt-out, and correct.
- LGPD (Brazil)
- Lei Geral de Proteção de Dados. Modeled after GDPR with 10 lawful bases for processing. Enforced by ANPD (national authority). Applies to processing of data of individuals in Brazil.
- PIPEDA (Canada)
- Personal Information Protection and Electronic Documents Act. Consent-based framework. Applies to commercial activities in Canada. Being updated by the proposed Consumer Privacy Protection Act (CPPA).
- HIPAA (US Healthcare)
- Health Insurance Portability and Accountability Act. Protects Protected Health Information (PHI). Applies to covered entities and business associates. Requires administrative, physical, and technical safeguards.
- APEC CBPR
- Asia-Pacific Economic Cooperation Cross-Border Privacy Rules. Voluntary certification framework for cross-border data transfers in the APEC region. Based on 9 privacy principles.
- ePrivacy Directive (EU)
- Governs electronic communications, cookies, and tracking technologies in the EU. Requires consent for non-essential cookies. Works alongside GDPR for online privacy.
GDPR Key Articles
- Article 5 — Processing Principles
- Lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability. The foundation of all GDPR compliance.
- Article 6 — Lawful Bases
- Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. At least one must apply before processing. Cannot retroactively change basis.
- Article 25 — Data Protection by Design/Default
- Controllers must implement appropriate technical and organizational measures (pseudonymization, minimization) at the time of design and by default. Privacy must be built in, not bolted on.
- Article 30 — Records of Processing (ROPA)
- Controllers and processors must maintain records of processing activities. Required for organizations with 250+ employees OR those processing sensitive data regardless of size.
- Article 32 — Security of Processing
- Implement appropriate technical/organizational measures: pseudonymization, encryption, confidentiality, integrity, availability, resilience, and regular testing of security measures.
- Article 35 — Data Protection Impact Assessment
- DPIA mandatory when processing is likely to result in high risk. Required for: systematic monitoring, large-scale sensitive data processing, and automated decision-making with legal effects.
- Articles 44-49 — Cross-Border Transfers
- Transfers outside EU/EEA only with adequate safeguards: adequacy decision, SCCs, BCRs, or derogations. Transfer Impact Assessments may be required to evaluate destination country protections.
Data Subject Rights
- Right of Access (Art. 15)
- Data subjects can request confirmation of processing and a copy of their personal data. Must respond within 1 month. Free of charge for first request.
- Right to Rectification (Art. 16)
- Data subjects can request correction of inaccurate personal data or completion of incomplete data. Must be implemented without undue delay.
- Right to Erasure (Art. 17)
- Right to be forgotten. Data subjects can request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful. NOT absolute — exceptions exist for legal obligations.
- Right to Restriction (Art. 18)
- Data subjects can request limitation of processing while accuracy is contested, processing is unlawful, or data is needed for legal claims. Data is stored but not processed.
- Right to Data Portability (Art. 20)
- Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. Applies only to data provided by the subject.
- Right to Object (Art. 21)
- Data subjects can object to processing based on legitimate interests or public task. For direct marketing, the right is absolute — processing must stop immediately.
- Automated Decision-Making (Art. 22)
- Right not to be subject to decisions based solely on automated processing that produce legal or significant effects. Exceptions: contract, law, explicit consent. Must provide human intervention on request.
Data Lifecycle Management
- Data Collection Controls
- Implement notice and consent mechanisms, minimize data collected, verify lawful basis, apply purpose limitation, and document collection practices in ROPA.
- Data Classification
- Categorize data by sensitivity: public, internal, confidential, restricted. Also classify by type: PII, sensitive PII (race, health, biometric), financial, PHI. Classification drives control requirements.
- Data Inventory & Mapping
- Document all personal data: what is collected, where stored, how it flows, who accesses it, what processing occurs, and retention periods. Foundation for ROPA and compliance.
- Data Retention Policies
- Define retention periods based on legal requirements, business need, and data type. Implement automated enforcement. Account for legal holds and regulatory preservation requirements.
- Data Sharing Controls
- Implement data sharing agreements (DSAs), data processing agreements (DPAs), and data use agreements (DUAs). Verify recipient privacy practices. Apply privacy-preserving sharing techniques.
- Consent Management Platforms
- Technical systems for collecting, storing, managing, and honoring consent preferences. Must support granular consent, withdrawal, preference changes, and audit trails.
- DSAR Fulfillment
- Data Subject Access Request processes: intake, identity verification, data search across all systems, response compilation, redaction of third-party data, delivery within legal timelines (30 days GDPR).
- Secure Data Disposal
- Methods: overwriting (NIST 800-88 guidelines), degaussing (magnetic media), cryptographic erasure (destroy encryption keys), physical destruction (shredding). Must verify and document destruction.
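The retention and disposal entries above describe automated enforcement that must still honor legal holds. The following added example (not part of the original page) shows one way to implement that sweep: a constructed retention schedule with hypothetical periods, records tagged with a collection date and an optional legal-hold flag, and a function that returns what may be deleted today and what is expired but preserved. Category names, periods and record ids are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule (hypothetical periods, in days). In practice each
# period comes from legal review and is documented alongside the ROPA.
RETENTION_DAYS: Dict[str, int] = {
    "access_log": 90,
    "marketing_consent": 365 * 2,
    "support_ticket": 365 * 3,
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    legal_hold: bool = False  # set by legal; overrides routine deletion


def expiry_date(rec: Record) -> date:
    """Date on which the record's retention period ends."""
    if rec.category not in RETENTION_DAYS:
        # Unknown category: fail closed rather than guess a period.
        raise ValueError(f"no retention period defined for {rec.category!r}")
    return rec.collected_on + timedelta(days=RETENTION_DAYS[rec.category])


def retention_sweep(records: List[Record], today: date) -> Tuple[List[str], List[str]]:
    """Split expired records into those to delete now and those kept by a legal hold.

    Returns (to_delete, held); records still within their period appear in neither.
    """
    to_delete: List[str] = []
    held: List[str] = []
    for rec in records:
        if expiry_date(rec) > today:
            continue  # still within retention period
        if rec.legal_hold:
            held.append(rec.record_id)  # expired, but preserved for litigation/regulator
        else:
            to_delete.append(rec.record_id)
    return to_delete, held


# Constructed sample records and sweep date.
SAMPLE_RECORDS = [
    Record("A", "access_log", date(2024, 1, 1)),
    Record("B", "access_log", date(2024, 5, 1)),
    Record("C", "support_ticket", date(2020, 1, 1), legal_hold=True),
    Record("D", "marketing_consent", date(2021, 1, 1)),
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    delete, held = retention_sweep(SAMPLE_RECORDS, AS_OF)
    print("delete:", delete)  # ['A', 'D']
    print("held:", held)      # ['C']
```

The sweep only identifies candidates; the deletion itself should go through the disposal method appropriate to the medium (overwrite, cryptographic erasure, destruction) and be logged, since the page's accountability principle requires proof that the data was actually destroyed.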
Privacy Governance & Roles
- Data Protection Officer (DPO)
- Mandatory under GDPR for public authorities, large-scale monitoring, or large-scale sensitive data processing. Must be independent, report to highest management, cannot be dismissed for performing duties.
- Data Controller
- Entity that determines the purposes and means of processing personal data. Bears primary responsibility for compliance, breach notification, and data subject rights fulfillment.
- Data Processor
- Entity that processes personal data on behalf of the controller. Must follow controller instructions, implement appropriate security, assist with DSARs, and notify controller of breaches.
- Privacy Program Components
- Strategy, policies, procedures, roles and responsibilities, training and awareness, monitoring and auditing, incident response, vendor management, and continuous improvement.
- Privacy Committee
- Cross-functional governance body with representatives from legal, IT, security, HR, marketing, and business units. Sets privacy strategy, reviews DPIAs, and resolves privacy issues.
- Privacy Training
- Role-based privacy awareness training for all employees. Developers need privacy engineering training. Annual refreshers plus event-driven training for new regulations or incidents.
Privacy Risk Management
- Privacy Impact Assessment (PIA)
- Broad assessment evaluating overall privacy impact of a project or initiative. Covers organizational, operational, and technical privacy considerations. Best practice for all new projects.
- Data Protection Impact Assessment (DPIA)
- GDPR-mandated (Art. 35) for high-risk processing. Must contain: description of processing, necessity assessment, risk assessment, and mitigation measures. Required BEFORE processing begins.
- Privacy Risk Assessment
- Systematic identification and evaluation of privacy risks. Uses risk matrices (likelihood × impact). Considers both organizational risks and risks to data subjects.
- Vendor Risk Assessment
- Evaluate third-party privacy practices: data handling, security controls, sub-processor management, breach notification capabilities, and cross-border transfer mechanisms.
- Data Processing Agreement (DPA)
- Contract between controller and processor. Must specify: processing scope, obligations, security measures, sub-processor rules, breach notification, audit rights, and data return/deletion on termination.
- Breach Notification — GDPR
- Notify supervisory authority within 72 hours of becoming aware. Notify data subjects without undue delay if high risk. Document all breaches regardless of notification. Include: nature, categories, consequences, measures.
- Transfer Impact Assessment (TIA)
- Required when using SCCs for cross-border transfers. Evaluates destination country's surveillance laws and data protection framework. Determines if supplementary measures are needed.
Encryption & Cryptography
- Symmetric Encryption (AES)
- Same key for encryption and decryption. Fast and efficient. AES-256 is the standard. Used for data at rest (disk encryption) and bulk data encryption.
- Asymmetric Encryption (RSA/ECC)
- Public key for encryption, private key for decryption. Slower but enables key exchange and digital signatures. RSA (2048+ bits) and ECC (256+ bits) are common.
- Encryption at Rest
- Protecting stored data: database encryption, full-disk encryption, file-level encryption. Uses symmetric encryption (AES-256). Key management is critical — keys must be stored separately.
- Encryption in Transit
- Protecting data during transmission: TLS 1.2/1.3 for web traffic, VPN for network tunnels, S/MIME or PGP for email. Prevents interception and man-in-the-middle attacks.
- Encryption in Use
- Protecting data during processing: homomorphic encryption (compute on encrypted data), secure enclaves (Intel SGX, ARM TrustZone), confidential computing. Most complex encryption state.
- Hashing
- One-way function producing fixed-length digest. Irreversible. Uses: password storage, data integrity verification, pseudonymization. Algorithms: SHA-256, SHA-3, bcrypt (passwords).
- Key Management
- Lifecycle management of encryption keys: generation, distribution, storage, rotation, revocation, and destruction. Keys must be stored separately from encrypted data. HSMs for high-security key storage.
- Cryptographic Erasure
- Destroying encryption keys to render encrypted data permanently unrecoverable. Faster than overwriting. Effective only if encryption was properly implemented with strong key management.
Anonymization & De-identification
- Anonymization
- Irreversibly removing all identifying information so data can NEVER be re-identified. Anonymized data is NOT personal data under GDPR. Techniques: aggregation, generalization, noise addition.
- Pseudonymization
- Replacing identifiers with tokens/pseudonyms. Reversible with the key. Data IS still personal data under GDPR. Key must be stored separately from data. Reduces but does not eliminate risk.
- k-Anonymity
- Each record is indistinguishable from at least k-1 other records based on quasi-identifiers (age, zip, gender). Prevents singling out individuals. Vulnerable to homogeneity and background knowledge attacks.
- l-Diversity
- Extension of k-anonymity requiring at least l well-represented values for sensitive attributes within each equivalence class. Protects against homogeneity attack where all k records share the same sensitive value.
- t-Closeness
- Extension of l-diversity requiring the distribution of sensitive attributes within each equivalence class to be within threshold t of the overall distribution. Prevents skewness attacks.
- Data Masking
- Replacing sensitive data with realistic but fake values while preserving format. Static masking (permanent) vs dynamic masking (on-the-fly). Used for non-production environments and limited access views.
- Tokenization
- Replacing sensitive data with non-sensitive tokens. Token-to-data mapping stored in a secure vault. Commonly used for payment card data (PCI DSS). Reversible only with vault access.
- Data Generalization
- Replacing specific values with broader categories. Example: exact age 34 becomes age range 30-40, exact address becomes city/region. Reduces precision to prevent identification.
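The k-anonymity, l-diversity, t-closeness and generalization entries above are easiest to understand on a concrete table. The following added example (not from the original page) builds a constructed eight-row micro-data table, generalizes the quasi-identifiers (age to a decade range, zip to a 3-digit prefix), and then measures k, l and t on the result. It is written to show the homogeneity failure the page mentions: after generalization every record hides among four others (k = 4), yet one equivalence class shares a single diagnosis (l = 1), so anyone who knows a man in that class is in the table learns his diagnosis. All rows and values are made up.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed micro-data: age, zip and gender are quasi-identifiers; diagnosis is
# the sensitive attribute. Every value here is invented.
RAW_ROWS = [
    {"age": 34, "zip": "02139", "gender": "F", "diagnosis": "flu"},
    {"age": 36, "zip": "02138", "gender": "F", "diagnosis": "flu"},
    {"age": 31, "zip": "02134", "gender": "F", "diagnosis": "cancer"},
    {"age": 38, "zip": "02135", "gender": "F", "diagnosis": "flu"},
    {"age": 52, "zip": "10001", "gender": "M", "diagnosis": "heart disease"},
    {"age": 55, "zip": "10002", "gender": "M", "diagnosis": "heart disease"},
    {"age": 57, "zip": "10003", "gender": "M", "diagnosis": "heart disease"},
    {"age": 51, "zip": "10004", "gender": "M", "diagnosis": "heart disease"},
]
QUASI_IDENTIFIERS = ("age", "zip", "gender")
SENSITIVE = "diagnosis"


def generalize(row: dict) -> dict:
    """Coarsen quasi-identifiers: exact age -> decade range, 5-digit zip -> 3-digit prefix."""
    decade = (row["age"] // 10) * 10
    return {**row, "age": f"{decade}-{decade + 9}", "zip": row["zip"][:3] + "**"}


def equivalence_classes(rows, quasi) -> Dict[tuple, List[dict]]:
    """Group rows that share the same quasi-identifier values."""
    classes: Dict[tuple, List[dict]] = defaultdict(list)
    for r in rows:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(rows, quasi) -> int:
    """k = size of the smallest equivalence class (each record hides among k-1 others)."""
    return min(len(c) for c in equivalence_classes(rows, quasi).values())


def l_diversity(rows, quasi, sensitive) -> int:
    """l = fewest distinct sensitive values in any class; l == 1 means a homogeneity attack works."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(rows, quasi).values())


def t_closeness(rows, quasi, sensitive) -> float:
    """Largest distance between a class's sensitive-value distribution and the whole table's.

    For a categorical attribute with equal ground distance, Earth Mover's Distance reduces
    to total variation distance, which is what is computed here.
    """
    overall = Counter(r[sensitive] for r in rows)
    n = len(rows)
    worst = 0.0
    for c in equivalence_classes(rows, quasi).values():
        local = Counter(r[sensitive] for r in c)  # Counter returns 0 for absent values
        dist = 0.5 * sum(abs(local[v] / len(c) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


GENERALIZED_ROWS = [generalize(r) for r in RAW_ROWS]

if __name__ == "__main__":
    print("raw k =", k_anonymity(RAW_ROWS, QUASI_IDENTIFIERS))                    # 1
    print("generalized k =", k_anonymity(GENERALIZED_ROWS, QUASI_IDENTIFIERS))    # 4
    print("l =", l_diversity(GENERALIZED_ROWS, QUASI_IDENTIFIERS, SENSITIVE))     # 1
    print("t =", t_closeness(GENERALIZED_ROWS, QUASI_IDENTIFIERS, SENSITIVE))     # 0.5
```

A release check built on these functions would reject the generalized table on the l-diversity result alone, even though it satisfies k = 4; the usual remedies are coarser generalization, suppression of the homogeneous class, or publishing only aggregates with differential privacy.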
Privacy-Enhancing Technologies (PETs)
- Differential Privacy
- Adds calibrated mathematical noise to query results. Prevents individual records from being inferred from aggregate statistics. Preserves statistical utility while protecting individuals. Used by Apple, Google, US Census.
- Homomorphic Encryption
- Enables computation on encrypted data without decrypting it. Results, when decrypted, match operations on plaintext. Significant performance overhead. Fully homomorphic (FHE) supports all operations.
- Secure Multi-Party Computation (SMPC)
- Multiple parties jointly compute a function over their inputs without revealing individual inputs to each other. Used for collaborative analytics, joint fraud detection, and private set intersection.
- Federated Learning
- ML training across decentralized devices without transferring raw data. Only model updates (gradients) are shared. Data stays local. Used for mobile keyboard prediction, healthcare AI.
- Trusted Execution Environments (TEE)
- Hardware-based secure enclaves (Intel SGX, ARM TrustZone) that isolate sensitive computations. Code and data inside the enclave are protected from the OS, hypervisor, and other processes.
- Synthetic Data Generation
- Creating artificial datasets that statistically mirror real data without containing actual personal information. Used for testing, development, and analytics without privacy risk.
- Zero-Knowledge Proofs
- Cryptographic method allowing one party to prove knowledge of a fact without revealing the fact itself. Used for identity verification without exposing personal data.
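The differential privacy entry above says "calibrated mathematical noise"; the following added example (not part of the original page) shows what that calibration is for the simplest case, a counting query answered with the Laplace mechanism, together with a privacy-budget tracker that refuses further queries once the cumulative epsilon is spent. The records, epsilon values and budget are constructed; the mechanism itself is the standard one.

```python
import math
import random
from typing import Callable, List


class PrivacyBudget:
    """Tracks cumulative epsilon across queries and refuses any that would exceed the total.

    Without such accounting, repeated queries average the noise away.
    """

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse-CDF from a uniform in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    mag = min(abs(u), 0.5 - 1e-12)  # keep the log argument strictly positive
    sign = -1.0 if u < 0 else 1.0
    return -scale * sign * math.log(1.0 - 2.0 * mag)


def private_count(rows, predicate: Callable[[dict], bool], epsilon: float,
                  budget: PrivacyBudget, rng: random.Random) -> float:
    """Counting query under epsilon-differential privacy.

    One person joining or leaving changes a count by at most 1 (L1 sensitivity 1),
    so Laplace noise with scale 1/epsilon is sufficient.
    """
    budget.spend(epsilon)
    true_count = sum(1 for r in rows if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


# Constructed sample of sensitive records.
SAMPLE_ROWS = [{"id": i, "diagnosis": d} for i, d in enumerate(
    ["flu", "flu", "cancer", "flu", "heart disease", "heart disease", "asthma", "flu"])]
FLU_COUNT = 4  # exact answer, shown only for comparison


def is_flu(r: dict) -> bool:
    return r["diagnosis"] == "flu"


def noisy_flu_count(epsilon: float, seed: int) -> float:
    """Answer 'how many flu cases?' with a fresh budget; seed makes the demo repeatable."""
    return private_count(SAMPLE_ROWS, is_flu, epsilon, PrivacyBudget(epsilon), random.Random(seed))


def answered_before_exhaustion(epsilons: List[float], total_epsilon: float) -> int:
    """How many queries in the sequence a budget of total_epsilon will answer."""
    budget = PrivacyBudget(total_epsilon)
    rng = random.Random(2024)
    answered = 0
    for eps in epsilons:
        try:
            private_count(SAMPLE_ROWS, is_flu, eps, budget, rng)
        except RuntimeError:
            break
        answered += 1
    return answered


if __name__ == "__main__":
    print("exact:", FLU_COUNT, "noisy:", round(noisy_flu_count(0.5, 7), 2))
    print("queries answered:", answered_before_exhaustion([0.5, 0.5, 0.5], 1.0))  # 2
```

Smaller epsilon means larger noise scale and stronger protection; the budget is what turns a per-query guarantee into a guarantee for the whole analysis.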
Identity & Access Management for Privacy
- Role-Based Access Control (RBAC)
- Access permissions assigned based on organizational roles. Users inherit permissions from their role. Simple to manage but may be too coarse for fine-grained privacy requirements.
- Attribute-Based Access Control (ABAC)
- Access decisions based on attributes: user attributes, resource attributes, environment attributes, and action attributes. Enables fine-grained, context-aware access policies for privacy.
- Purpose-Based Access Control
- Access granted only for specified, documented purposes. Implements purpose limitation principle technically. Users must declare the purpose of access, and the system enforces allowed purposes.
- Just-in-Time (JIT) Access
- Access provisioned only when needed and automatically revoked after use. Reduces standing access to sensitive data. Implements data minimization at the access level.
- Privileged Access Management (PAM)
- Controls and monitors access by privileged users (admins, DBAs). Session recording, approval workflows, credential vaulting, and time-limited access for sensitive data operations.
- Least Privilege
- Users and systems receive only the minimum permissions necessary for their function. Reduces exposure of personal data. Must be regularly reviewed and adjusted.
Secure Development & Privacy Engineering
- Privacy in SDLC
- Integrate privacy at every SDLC phase: requirements (privacy requirements), design (threat modeling, PbD), implementation (privacy controls), testing (privacy testing), deployment, and maintenance.
- Privacy Threat Modeling
- Identifying privacy threats in system design. Frameworks: LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance). Applied during design phase.
- API Privacy Controls
- Authentication (OAuth 2.0, API keys), authorization (scopes, permissions), rate limiting, input validation, output filtering (PII redaction), encryption (TLS), and API gateway privacy policies.
- Privacy Testing
- Testing for privacy compliance: data leakage testing, consent enforcement testing, access control testing, data retention testing, and DSAR process testing. Part of QA pipeline.
- Cookie & Tracking Management
- Technical implementation: consent management platform (CMP), cookie categories (necessary, functional, analytics, marketing), consent banners, server-side tracking, and privacy-preserving analytics.
- Consent Tagging
- Attaching consent metadata to data records: what consent was given, when, for what purpose, and by whom. Enables purpose-based access control and consent withdrawal enforcement.
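The consent tagging entry above and the purpose-based access control entry in the IAM section describe the same mechanism from two sides: consent metadata travels with the record, and every access must declare a purpose that the record's consent covers. The following added example (not from the original page) implements that check with per-purpose withdrawal and an audit log of each decision. The role-to-purpose mapping, the purposes, the subject and the timestamps are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class ConsentTag:
    """Consent metadata attached to a record: what was consented to, when, by whom,
    and per-purpose withdrawal times (so withdrawing marketing leaves service intact)."""
    purposes: FrozenSet[str]
    given_at: datetime
    given_by: str  # e.g. the subject's verified account id
    withdrawn_at: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class Record:
    subject_id: str
    email: str
    consent: ConsentTag


# Hypothetical mapping of roles to the purposes they may declare.
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "support_agent": {"service_delivery"},
    "marketing_analyst": {"marketing"},
    "dpo": {"service_delivery", "marketing", "analytics"},
}

ACCESS_LOG: List[dict] = []  # who, what, when, why, and the decision


def authorize(record: Record, role: str, purpose: str, now: datetime) -> Tuple[bool, str]:
    """Allow access only if the role may act for the purpose AND the record's consent covers it."""
    withdrawn = record.consent.withdrawn_at.get(purpose)
    if purpose not in ROLE_PURPOSES.get(role, set()):
        decision = (False, "role not permitted to act for this purpose")
    elif purpose not in record.consent.purposes:
        decision = (False, "no consent recorded for this purpose")
    elif withdrawn is not None and withdrawn <= now:
        decision = (False, "consent withdrawn")
    else:
        decision = (True, "allowed")
    ACCESS_LOG.append({"subject": record.subject_id, "role": role, "purpose": purpose,
                       "at": now.isoformat(), "allowed": decision[0], "reason": decision[1]})
    return decision


def read_email(record: Record, role: str, purpose: str, now: datetime) -> Optional[str]:
    """Field-level accessor: the data is released only through the purpose check."""
    allowed, _ = authorize(record, role, purpose, now)
    return record.email if allowed else None


def withdraw(record: Record, purpose: str, at: datetime) -> None:
    """Record a withdrawal; it takes effect for any access evaluated at or after `at`."""
    record.consent.withdrawn_at[purpose] = at


# Constructed subject and timeline.
T0 = datetime(2024, 1, 15, tzinfo=timezone.utc)   # consent given
T1 = datetime(2024, 6, 1, tzinfo=timezone.utc)    # marketing consent withdrawn
T2 = datetime(2024, 9, 1, tzinfo=timezone.utc)    # later access attempt
ALICE = Record("subj-001", "alice@example.com",
               ConsentTag(frozenset({"service_delivery", "marketing"}), T0, "subj-001"))

if __name__ == "__main__":
    print(read_email(ALICE, "support_agent", "service_delivery", T1))    # alice@example.com
    print(read_email(ALICE, "marketing_analyst", "service_delivery", T1))  # None
    withdraw(ALICE, "marketing", T1)
    print(authorize(ALICE, "marketing_analyst", "marketing", T2))        # (False, 'consent withdrawn')
    print(len(ACCESS_LOG), "decisions logged")
```

Keeping the check inside the accessor rather than at the UI layer is what makes the control technical rather than procedural: a batch job or an analyst's notebook hits the same gate as the support console.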
Network & Infrastructure Privacy
- Network Segmentation
- Isolating networks containing personal data from general networks. VLANs, firewalls, and microsegmentation limit lateral movement and restrict access to privacy-sensitive systems.
- TLS Configuration
- TLS 1.2 minimum (TLS 1.3 preferred) for all data in transit. Strong cipher suites, certificate management, HSTS headers, and certificate pinning for mobile apps.
- VPN & Secure Tunnels
- Encrypted tunnels for remote access to privacy-sensitive systems. Site-to-site VPN for inter-office data transfers. Split tunneling risks: personal traffic may bypass corporate privacy controls.
- DNS Privacy
- DNS over HTTPS (DoH) or DNS over TLS (DoT) to prevent DNS query snooping. Plaintext DNS queries reveal browsing patterns and user behavior, which makes them a tracking concern.
- Cloud Privacy Architecture
- Shared responsibility model: cloud provider secures infrastructure, customer secures data and access. Data residency controls, BYOK encryption, cloud access security brokers (CASB), and cloud DLP.
- Data Residency & Sovereignty
- Legal requirement that data is stored and processed within specific geographic boundaries. Critical for cross-border compliance. Cloud region selection must align with regulatory requirements.
Monitoring, Logging & Incident Response
- Privacy-Preserving Logging
- Minimize PII in logs. Mask or hash identifiers in log entries. Define log retention periods. Restrict log access. Balance security monitoring needs with data minimization.
- Access Logging & Auditing
- Log all access to personal data: who, what, when, why, and from where. Supports compliance audits, breach investigations, and DSAR fulfillment. Tamper-evident log storage.
- Data Loss Prevention (DLP)
- Technical controls preventing unauthorized transmission of personal data. Network DLP (email, web), endpoint DLP (USB, print), and cloud DLP (SaaS, IaaS). Policy-based content inspection.
- Privacy Breach Response
- Incident response tailored for privacy: containment, assessment (scope of personal data affected), notification (regulatory timelines), remediation, and post-incident review. Must have pre-defined playbook.
- Privacy Monitoring Dashboards
- Real-time visibility into privacy metrics: DSAR volumes, consent rates, data inventory coverage, policy compliance, vendor risk scores, and breach incident tracking.
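The privacy-preserving logging entry above says to "mask or hash identifiers in log entries", and the pseudonymization entry in the anonymization section adds that the key must live apart from the data. A plain hash of an e-mail address is not a pseudonym in that sense, because the input space is small enough to rebuild the mapping by guessing. The following added example (not from the original page) uses a keyed HMAC instead: the same identifier maps to the same token on every line, so an incident responder can still correlate a user's events, but reversing a token requires the key, which is assumed to be held in a KMS or HSM and never written to the log pipeline. The key, log lines and addresses are constructed.

```python
import hashlib
import hmac
import re
from typing import List

# Pseudonymization key. Constructed for this example; in production it is held in a
# KMS/HSM, rotated on a schedule, and stored separately from the logs it protects.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, kind: str, length: int = 16) -> str:
    """Keyed, deterministic token for one identifier.

    Same value + same key -> same token, so events for one user remain linkable
    for investigations; the kind prefix keeps e-mail and IP token spaces separate.
    """
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}:{mac[:length]}"


def pseudonymize_log_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every IPv4 address and e-mail address in a log line with a keyed token."""
    line = IPV4_RE.sub(lambda m: pseudonym(m.group(0), key, "ip"), line)
    return EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key, "email"), line)


def pseudonymize_all(lines: List[str], key: bytes = PSEUDONYM_KEY) -> List[str]:
    return [pseudonymize_log_line(line, key) for line in lines]


# Constructed log lines using RFC 5737 documentation addresses and example domains.
SAMPLE_LOGS = [
    "2024-06-01T10:15:02Z INFO login ok user=alice@example.com src=203.0.113.7",
    "2024-06-01T10:16:44Z WARN export requested user=alice@example.com rows=1200 src=203.0.113.7",
    "2024-06-01T10:17:10Z INFO login ok user=bob@example.org src=198.51.100.23",
]

if __name__ == "__main__":
    for line in pseudonymize_all(SAMPLE_LOGS):
        print(line)
```

Because the output stays correlatable, log retention and access restriction still apply to it; rotating the key breaks linkability across rotation periods, which is a deliberate trade-off between investigation depth and data minimization.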
Cross-Border Data Transfers
- Adequacy Decisions
- European Commission determination that a non-EU country provides adequate data protection. Enables free data transfers without additional safeguards. Examples: Japan, South Korea, Canada (commercial), UK. UK adequacy was renewed December 2025 and runs through December 2031 — EU-to-UK transfers remain free without additional safeguards.
- Standard Contractual Clauses (SCCs)
- Pre-approved contract templates from the European Commission for international data transfers. Four modules: C2C, C2P, P2P, P2C. Must be supplemented with Transfer Impact Assessment.
- Binding Corporate Rules (BCRs)
- Internal privacy policies approved by EU supervisory authorities for intra-group international transfers. Expensive and time-consuming to establish. Requires consistency mechanism approval.
- Derogations (Art. 49)
- Exceptions allowing transfers without adequacy or safeguards: explicit consent, contract performance, important public interest, legal claims, vital interests. Must be used restrictively.
- Data Transfer Mechanisms Hierarchy
- Order of preference: 1) Adequacy decision, 2) Appropriate safeguards (SCCs, BCRs), 3) Derogations. Always use the strongest available mechanism. Derogations are last resort.
AI/ML Privacy Considerations
- Training Data Privacy
- AI models trained on personal data must comply with privacy regulations. Requires lawful basis for processing, data minimization in training sets, and documentation of data sources and processing activities.
- Model Privacy Risks
- Models can memorize and leak training data. Risks: model inversion (extracting training data), membership inference (determining if data was in training set), and unintended memorization of PII.
- AI Inference Privacy Risks
- Even without accessing training data, inference attacks (model inversion, membership inference) can reconstruct sensitive information from model outputs. Mitigation: differential privacy, output perturbation, query rate limits.
- AI Transparency & Explainability
- Privacy regulations require transparency about AI use in processing personal data. Data subjects have the right to meaningful information about the logic involved in automated decisions (GDPR Art. 22).
- Federated Learning for Privacy
- Train AI models across decentralized data without centralizing personal data. Model updates shared instead of raw data. Reduces privacy risk but gradient leakage remains a concern.