privacy-engineering
Privacy Engineering — GDPR / CCPA Technical Implementation
Implement privacy controls at the code, data, and infrastructure layers. This skill is not legal compliance theater — it is the engineering work that turns the legal requirements into systems that actually do what they claim.
Privacy and security overlap but are not the same. Security protects against unauthorized access; privacy protects against authorized-but-improper use. A perfectly secure system that logs every keystroke and shares the log with vendors is a privacy disaster. This skill covers the privacy half of that distinction.
Cross-references: owasp-audit for the security side, iam-audit for access control to personal data, secrets-audit for credential handling, incident-triage for the response side of a privacy breach (72-hour GDPR notification clock starts when you find out, not when you finish investigating), security-comms for the customer-disclosure draft.
Regulatory landscape (engineering-relevant subset)
The skill produces compliant technical implementations. Final compliance determinations stay with counsel; this skill is the technical execution layer.
| Regulation | Scope | Key engineering hooks |
|---|---|---|
| GDPR (EU) | Any processing of personal data of EU/EEA residents | Articles 5 (principles), 6 (lawful basis), 7 (consent), 15-22 (data subject rights), 25 (privacy by design), 30 (records of processing), 32 (security), 33 (breach notification — 72 hours), 35 (DPIA) |
| CCPA / CPRA (California) | Businesses processing CA resident data above thresholds | Right to know, delete, correct, opt out of sale / share. Sensitive PI category. Annual privacy notice. Service-provider contracts |
| LGPD (Brazil) | Brazilian residents | Similar shape to GDPR with local twists |
| PIPEDA (Canada) | Federal commercial | Consent-based with reasonable expectation, breach notification |
| State laws (US) | Varies — VA, CO, CT, UT, etc. | Roughly CCPA-shaped; engineering practices that meet GDPR + CCPA usually cover state laws |