jpskill.com
📦 その他 コミュニティ

data-privacy-compliance

GDPR、CCPA、HIPAAなどのデータ保護法規制に対応し、プライバシー管理の実施、影響評価、法令遵守、データ主体の権利管理を支援、同意管理やデータ最小化原則に基づいたプライバシー設計を行うSkill。

📜 元の英語説明(参考)

Data privacy and regulatory compliance specialist for GDPR, CCPA, HIPAA, and international data protection laws. Use when implementing privacy controls, conducting data protection impact assessments, ensuring regulatory compliance, or managing data subject rights. Expert in consent management, data minimization, and privacy-by-design principles.

🇯🇵 日本人クリエイター向け解説

一言でいうと

GDPR、CCPA、HIPAAなどのデータ保護法規制に対応し、プライバシー管理の実施、影響評価、法令遵守、データ主体の権利管理を支援、同意管理やデータ最小化原則に基づいたプライバシー設計を行うSkill。

※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。

⚡ おすすめ: コマンド1行でインストール(60秒)

下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。

🍎 Mac / 🐧 Linux 
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o data-privacy-compliance.zip https://jpskill.com/download/18380.zip && unzip -o data-privacy-compliance.zip && rm data-privacy-compliance.zip
🪟 Windows (PowerShell) 
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/18380.zip -OutFile "$d\data-privacy-compliance.zip"; Expand-Archive "$d\data-privacy-compliance.zip" -DestinationPath $d -Force; ri "$d\data-privacy-compliance.zip"

完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。

💾 手動でダウンロードしたい(コマンドが難しい人向け)
  1. 1. 下の青いボタンを押して data-privacy-compliance.zip をダウンロード
  2. 2. ZIPファイルをダブルクリックで解凍 → data-privacy-compliance フォルダができる
  3. 3. そのフォルダを C:\Users\あなたの名前\.claude\skills\(Win)または ~/.claude/skills/(Mac)へ移動
  4. 4. Claude Code を再起動
⬇ .zip でダウンロード(推奨) ⬇ .skill 形式(上級者用) 元のソース ↗

⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。

🎯 このSkillでできること

下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。

📦 インストール方法 (3ステップ)

  1. 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
  2. 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
  3. 3. 展開してできたフォルダを、ホームフォルダの .claude/skills/ に置く
    • · macOS / Linux: ~/.claude/skills/
    • · Windows: %USERPROFILE%\.claude\skills\

Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。

詳しい使い方ガイドを見る →
最終更新
2026-05-18
取得日時
2026-05-18
同梱ファイル
1

📖 Skill本文(日本語訳)

※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。

データプライバシーコンプライアンス

GDPR、CCPA、HIPAA、およびその他のグローバルなデータ保護規制にわたるデータプライバシーコンプライアンスを実装するための包括的なガイダンスです。

この Skill を使用するタイミング

この Skill は、以下の場合に使用します。

  • GDPR、CCPA、または HIPAA コンプライアンスを実装する場合
  • データ保護影響評価 (DPIA) を実施する場合
  • データ主体の権利 (アクセス、削除、ポータビリティ) を管理する場合
  • 同意管理システムを実装する場合
  • プライバシーポリシーおよび通知を作成する場合
  • データ侵害およびインシデント対応を処理する場合
  • プライバシー・バイ・デザインのシステムを設計する場合
  • プライバシー監査および評価を実施する場合

主要な規制の概要

GDPR (一般データ保護規則)

適用範囲: 企業の所在地に関係なく、EU 居住者のデータ 主な要件:

  • 処理の法的根拠 (同意、契約、正当な利益など)
  • データ主体の権利 (アクセス、削除、ポータビリティ、異議申し立て)
  • 高リスク処理のためのデータ保護影響評価
  • 72 時間以内の侵害通知義務
  • 処理活動の記録
  • プライバシー・バイ・デザインおよびプライバシー・バイ・デフォルト

罰則: 最大 2,000 万ユーロまたはグローバル年間収益の 4%

CCPA/CPRA (カリフォルニア州消費者プライバシー法)

適用範囲: カリフォルニア州居住者のデータ 主な要件:

  • 収集されるデータを知る権利
  • 個人情報を削除する権利
  • 販売/共有をオプトアウトする権利
  • 不正確な情報を修正する権利
  • センシティブな個人情報の利用を制限する権利

罰則: 意図的な違反 1 件あたり最大 7,500 ドル

HIPAA (医療保険の携行性と責任に関する法律)

適用範囲: 米国における保護された医療情報 (PHI) 主な要件:

  • プライバシー規則 (患者の権利と情報の利用)
  • セキュリティ規則 (ePHI の保護)
  • 侵害通知規則 (60 日以内の通知)
  • ビジネスアソシエイト契約 (BAA)

罰則: 違反カテゴリごとに年間最大 150 万ドル

データ主体の権利の実装

1. アクセス権 (GDPR Art. 15 / CCPA § 1798.100)

リクエストハンドラー:

async function handleAccessRequest(userId, email) {
  // Verify identity
  const verified = await verifyIdentity(email);
  if (!verified) throw new Error('Identity verification failed');

  // Collect all personal data
  const userData = await collectUserData(userId);

  // Format for readability
  const report = {
    personalInfo: userData.profile,
    activityLogs: userData.activities,
    preferences: userData.settings,
    thirdPartySharing: userData.dataSharing,
    retentionPeriod: '2 years from last activity',
    dataProtectionOfficer: 'dpo@company.com'
  };

  // Generate downloadable report
  const pdf = await generatePDFReport(report);

  // Log request for compliance
  await logAccessRequest(userId, 'completed');

  return pdf;
}

応答タイムライン:

  • GDPR: 1 か月 (3 か月まで延長可能)
  • CCPA: 45 日 (90 日まで延長可能)

2. 削除権 (GDPR Art. 17 / CCPA § 1798.105)

削除ハンドラー:

async function handleDeletionRequest(userId, email) {
  // Verify identity
  const verified = await verifyIdentity(email);
  if (!verified) throw new Error('Identity verification failed');

  // Check for legal obligations to retain
  const mustRetain = await checkRetentionRequirements(userId);
  if (mustRetain.required) {
    return {
      status: 'partial_deletion',
      retained: mustRetain.data,
      reason: mustRetain.legalBasis,
      retentionPeriod: mustRetain.period
    };
  }

  // Delete from all systems
  await Promise.all([
    deleteFromDatabase(userId),
    deleteFromBackups(userId), // Mark for deletion in next backup cycle
    deleteFromAnalytics(userId),
    deleteFromThirdPartyServices(userId),
    revokeAPIKeys(userId),
    anonymizeHistoricalRecords(userId)
  ]);

  // Confirm deletion
  await sendDeletionConfirmation(email);
  await logDeletionRequest(userId, 'completed');

  return { status: 'deleted', timestamp: new Date() };
}

例外 (削除を拒否できる場合):

  • 法的義務 (税務記録、契約)
  • 公益/科学研究
  • 法的請求の弁護
  • 表現の自由の行使

3. データポータビリティ権 (GDPR Art. 20)

エクスポートハンドラー:

async function handlePortabilityRequest(userId, format = 'json') {
  const userData = await collectUserData(userId);

  // Structure in machine-readable format
  const portableData = {
    exportDate: new Date().toISOString(),
    userId: userId,
    data: {
      profile: userData.profile,
      content: userData.userGeneratedContent,
      settings: userData.preferences,
      history: userData.activityHistory
    }
  };

  // Support multiple formats
  if (format === 'csv') {
    return convertToCSV(portableData);
  } else if (format === 'xml') {
    return convertToXML(portableData);
  }

  return portableData; // JSON by default
}

要件:

  • 構造化され、一般的に使用される、機械可読形式
  • 別の管理者に直接送信する機能
  • データ主体によって提供されたデータにのみ適用
  • 同意または契約に基づく自動処理のみ

4. 異議申し立て権 (GDPR Art. 21)

異議申し立てハンドラー:

async function handleObjectionRequest(userId, processingType) {
  switch (processingType) {
    case 'direct_marketing':
      // Must stop immediately
      await disableMarketing(userId);
      await updateConsent(userId, 'marketing', false);
      break;

    case 'legitimate_interest':
      // Assess if we have compelling grounds
      const assessment = await assessLegitimateInterest(userId);
      if (!assessment.compelling) {
        await stopProcessing(userId, processingType);
      }
      return assessment;

    case 'profiling':
      await disableProfiling(userId);
      await updateConsent(userId, 'profiling', false);
      break;

    default:
      throw new Error('Invalid processing type');
  }

  await logObjectionRequest(userId, processingType, 'granted');
}

同意管理

(原文はここで切り詰められています)

📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開

Data Privacy Compliance

Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.

When to Use This Skill

Use this skill when:

  • Implementing GDPR, CCPA, or HIPAA compliance
  • Conducting Data Protection Impact Assessments (DPIA)
  • Managing data subject rights (access, deletion, portability)
  • Implementing consent management systems
  • Drafting privacy policies and notices
  • Handling data breaches and incident response
  • Designing privacy-by-design systems
  • Conducting privacy audits and assessments

Key Regulations Overview

GDPR (General Data Protection Regulation)

Scope: EU residents' data, regardless of where company is located Key Requirements:

  • Lawful basis for processing (consent, contract, legitimate interest, etc.)
  • Data subject rights (access, deletion, portability, objection)
  • Data Protection Impact Assessments for high-risk processing
  • 72-hour breach notification requirement
  • Records of processing activities
  • Privacy by design and by default

Penalties: Up to €20M or 4% of global annual revenue

CCPA/CPRA (California Consumer Privacy Act)

Scope: California residents' data Key Requirements:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of sale/sharing
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information

Penalties: Up to $7,500 per intentional violation

HIPAA (Health Insurance Portability and Accountability Act)

Scope: Protected Health Information (PHI) in the US Key Requirements:

  • Privacy Rule (patient rights and information uses)
  • Security Rule (safeguards for ePHI)
  • Breach Notification Rule (60-day notification)
  • Business Associate Agreements (BAAs)

Penalties: Up to $1.5M per violation category per year

Data Subject Rights Implementation

1. Right to Access (GDPR Art. 15 / CCPA § 1798.100)

Request Handler:

async function handleAccessRequest(userId, email) {
  // Verify identity
  const verified = await verifyIdentity(email);
  if (!verified) throw new Error('Identity verification failed');

  // Collect all personal data
  const userData = await collectUserData(userId);

  // Format for readability
  const report = {
    personalInfo: userData.profile,
    activityLogs: userData.activities,
    preferences: userData.settings,
    thirdPartySharing: userData.dataSharing,
    retentionPeriod: '2 years from last activity',
    dataProtectionOfficer: 'dpo@company.com'
  };

  // Generate downloadable report
  const pdf = await generatePDFReport(report);

  // Log request for compliance
  await logAccessRequest(userId, 'completed');

  return pdf;
}

Response Timeline:

  • GDPR: 1 month (extendable to 3 months)
  • CCPA: 45 days (extendable to 90 days)

2. Right to Deletion (GDPR Art. 17 / CCPA § 1798.105)

Deletion Handler:

async function handleDeletionRequest(userId, email) {
  // Verify identity
  const verified = await verifyIdentity(email);
  if (!verified) throw new Error('Identity verification failed');

  // Check for legal obligations to retain
  const mustRetain = await checkRetentionRequirements(userId);
  if (mustRetain.required) {
    return {
      status: 'partial_deletion',
      retained: mustRetain.data,
      reason: mustRetain.legalBasis,
      retentionPeriod: mustRetain.period
    };
  }

  // Delete from all systems
  await Promise.all([
    deleteFromDatabase(userId),
    deleteFromBackups(userId), // Mark for deletion in next backup cycle
    deleteFromAnalytics(userId),
    deleteFromThirdPartyServices(userId),
    revokeAPIKeys(userId),
    anonymizeHistoricalRecords(userId)
  ]);

  // Confirm deletion
  await sendDeletionConfirmation(email);
  await logDeletionRequest(userId, 'completed');

  return { status: 'deleted', timestamp: new Date() };
}

Exceptions (when deletion can be refused):

  • Legal obligations (tax records, contracts)
  • Public interest/scientific research
  • Defense of legal claims
  • Exercise of freedom of expression

3. Right to Data Portability (GDPR Art. 20)

Export Handler:

async function handlePortabilityRequest(userId, format = 'json') {
  const userData = await collectUserData(userId);

  // Structure in machine-readable format
  const portableData = {
    exportDate: new Date().toISOString(),
    userId: userId,
    data: {
      profile: userData.profile,
      content: userData.userGeneratedContent,
      settings: userData.preferences,
      history: userData.activityHistory
    }
  };

  // Support multiple formats
  if (format === 'csv') {
    return convertToCSV(portableData);
  } else if (format === 'xml') {
    return convertToXML(portableData);
  }

  return portableData; // JSON by default
}

Requirements:

  • Structured, commonly used, machine-readable format
  • Ability to transmit directly to another controller
  • Only applies to data provided by data subject
  • Only for automated processing based on consent or contract

4. Right to Object (GDPR Art. 21)

Objection Handler:

async function handleObjectionRequest(userId, processingType) {
  switch (processingType) {
    case 'direct_marketing':
      // Must stop immediately
      await disableMarketing(userId);
      await updateConsent(userId, 'marketing', false);
      break;

    case 'legitimate_interest':
      // Assess if we have compelling grounds
      const assessment = await assessLegitimateInterest(userId);
      if (!assessment.compelling) {
        await stopProcessing(userId, processingType);
      }
      return assessment;

    case 'profiling':
      await disableProfiling(userId);
      await updateConsent(userId, 'profiling', false);
      break;

    default:
      throw new Error('Invalid processing type');
  }

  await logObjectionRequest(userId, processingType, 'granted');
}

Consent Management

Consent Requirements (GDPR)

Valid Consent Must Be:

  1. Freely given (no coercion)
  2. Specific (for each purpose)
  3. Informed (clear language)
  4. Unambiguous (clear affirmative action)
  5. Withdrawable (as easy to withdraw as to give)

Consent Implementation:

<!-- Good: Granular consent -->
<form>
  <h3>Privacy Preferences</h3>

  <label>
    <input type="checkbox" name="essential" checked disabled>
    <strong>Essential cookies (Required)</strong>
    <p>Necessary for website functionality</p>
  </label>

  <label>
    <input type="checkbox" name="analytics" value="analytics">
    <strong>Analytics cookies</strong>
    <p>Help us improve our website by collecting usage data</p>
  </label>

  <label>
    <input type="checkbox" name="marketing" value="marketing">
    <strong>Marketing cookies</strong>
    <p>Show you personalized ads based on your interests</p>
  </label>

  <button type="submit">Save Preferences</button>
  <a href="/privacy-policy">Learn More</a>
</form>

Consent Record Storage:

const consentRecord = {
  userId: 'user123',
  timestamp: new Date().toISOString(),
  consentVersion: '2.0',
  purposes: {
    essential: { granted: true, required: true },
    analytics: { granted: true, purpose: 'Website improvement' },
    marketing: { granted: false, purpose: 'Personalized advertising' }
  },
  ipAddress: '192.168.1.1', // For proof
  userAgent: 'Mozilla/5.0...', // For context
  method: 'explicit_opt_in' // or 'implicit', 'presumed'
};

await saveConsentRecord(consentRecord);

Cookie Banner (GDPR Compliant)

<div id="cookie-banner" role="dialog" aria-labelledby="cookie-title">
  <h2 id="cookie-title">Cookie Preferences</h2>
  <p>
    We use cookies to enhance your experience. Choose which cookies you
    allow us to use. You can change your preferences at any time.
  </p>

  <button onclick="acceptAll()">Accept All</button>
  <button onclick="rejectNonEssential()">Reject Non-Essential</button>
  <button onclick="showPreferences()">Manage Preferences</button>
</div>

<script>
// Must not load non-essential cookies until consent given
function acceptAll() {
  setConsent({ analytics: true, marketing: true });
  loadAnalyticsCookies();
  loadMarketingCookies();
  hideBanner();
}

function rejectNonEssential() {
  setConsent({ analytics: false, marketing: false });
  hideBanner();
}
</script>

Privacy by Design Principles

1. Data Minimization

Principle: Collect only data necessary for specified purpose

Implementation:

// ❌ Bad: Collecting unnecessary data
const userRegistration = {
  email: req.body.email,
  password: req.body.password,
  fullName: req.body.fullName,
  phoneNumber: req.body.phoneNumber, // Not needed
  dateOfBirth: req.body.dateOfBirth, // Not needed
  address: req.body.address, // Not needed
  socialSecurityNumber: req.body.ssn // Definitely not needed!
};

// ✅ Good: Only essential data
const userRegistration = {
  email: req.body.email,
  password: hashPassword(req.body.password),
  displayName: req.body.displayName // Optional
};

2. Purpose Limitation

Principle: Use data only for specified, explicit purposes

Implementation:

// Document and enforce purpose
const dataProcessingPurpose = {
  email: [
    'account_authentication',
    'order_confirmations',
    'password_reset'
  ],
  phoneNumber: [
    'order_delivery_notifications'
    // NOT: 'marketing_calls' (requires separate consent)
  ],
  purchaseHistory: [
    'order_fulfillment',
    'customer_support'
    // NOT: 'targeted_advertising' (requires separate consent)
  ]
};

async function processData(data, purpose) {
  if (!isAllowedPurpose(data.type, purpose)) {
    throw new Error('Purpose not authorized for this data');
  }
  // Proceed with processing
}

3. Storage Limitation

Principle: Retain data only as long as necessary

Implementation:

const retentionPolicy = {
  userAccounts: {
    active: 'indefinite',
    inactive: '2 years',
    deleted: '30 days grace period'
  },
  orderRecords: '7 years', // Legal requirement
  supportTickets: '3 years',
  analytics: '26 months',
  marketingData: '1 year or until consent withdrawn'
};

// Automated data deletion
async function enforceRetentionPolicy() {
  const now = new Date();

  // Delete inactive accounts
  await User.deleteMany({
    lastActive: { $lt: subYears(now, 2) },
    status: 'inactive'
  });

  // Anonymize old analytics
  await Analytics.updateMany(
    { createdAt: { $lt: subMonths(now, 26) } },
    { $unset: { userId: 1, ipAddress: 1 } }
  );

  // Delete expired marketing consent
  await MarketingConsent.deleteMany({
    $or: [
      { expiresAt: { $lt: now } },
      { withdrawnAt: { $lt: subDays(now, 30) } }
    ]
  });
}

// Schedule daily
cron.schedule('0 2 * * *', enforceRetentionPolicy);

Data Protection Impact Assessment (DPIA)

When Required (GDPR Art. 35):

  • Systematic and extensive profiling
  • Large-scale processing of sensitive data
  • Systematic monitoring of publicly accessible areas
  • New technologies with high privacy risks

DPIA Template:

# Data Protection Impact Assessment

## Processing Overview
- **Purpose**: [Describe the processing activity]
- **Data Types**: [Personal data categories]
- **Data Subjects**: [Who is affected]
- **Recipients**: [Who receives the data]

## Necessity Assessment
- [ ] Is processing necessary for the stated purpose?
- [ ] Could the purpose be achieved with less data?
- [ ] Is the retention period justified?

## Risk Assessment
| Risk | Likelihood | Severity | Mitigation |
|------|------------|----------|------------|
| Data breach | Medium | High | Encryption, access controls |
| Unauthorized access | Low | High | 2FA, audit logs |
| Purpose creep | Medium | Medium | Purpose documentation, training |

## Safeguards
- [ ] Encryption at rest and in transit
- [ ] Access controls and authentication
- [ ] Regular security audits
- [ ] Data minimization applied
- [ ] Retention policies enforced
- [ ] DPO consulted
- [ ] Data subject rights mechanism in place

## Conclusion
Processing is/is not acceptable with proposed safeguards.

Signed: [Data Protection Officer]
Date: [Assessment Date]

Privacy Policy Requirements

Essential Elements:

# Privacy Policy

## 1. Identity of Controller
Company Name, Address, Contact Information
Data Protection Officer: dpo@company.com

## 2. Data We Collect
- Account data: email, name
- Usage data: pages visited, features used
- Technical data: IP address, browser type

## 3. Legal Basis for Processing
- **Consent**: Marketing communications
- **Contract**: Order fulfillment
- **Legitimate Interest**: Fraud prevention
- **Legal Obligation**: Tax records

## 4. How We Use Your Data
- Provide services you requested
- Improve our products
- Send important updates
- [Be specific, avoid vague statements]

## 5. Data Sharing
- Payment processors (Stripe, PayPal)
- Shipping providers (FedEx, UPS)
- Analytics (Google Analytics)

We do NOT sell your personal data.

## 6. Your Rights
- Right to access your data
- Right to correct inaccuracies
- Right to delete your data
- Right to object to processing
- Right to data portability
- Right to withdraw consent

Contact: privacy@company.com

## 7. Data Retention
- Account data: Until account deletion + 30 days
- Order history: 7 years (legal requirement)
- Marketing data: 1 year or until opt-out

## 8. Security
We use industry-standard security measures including
encryption, secure servers, and regular security audits.

## 9. International Transfers
Data may be transferred to US servers. We use Standard
Contractual Clauses approved by the EU Commission.

## 10. Changes to Policy
Last updated: [Date]
We will notify you of material changes via email.

## 11. Contact
Questions? Contact our Data Protection Officer at dpo@company.com

Incident Response

Data Breach Response Plan

Within 72 Hours (GDPR):

1. **Detect & Contain** (0-4 hours)
   - Identify scope of breach
   - Isolate affected systems
   - Prevent further data loss

2. **Assess** (4-24 hours)
   - Determine data types affected
   - Identify number of individuals
   - Assess risk to rights and freedoms
   - Document everything

3. **Notify Authority** (24-72 hours)
   - Report to supervisory authority
   - Include: nature, categories, approximate numbers,
     likely consequences, measures taken

4. **Notify Data Subjects** (ASAP if high risk)
   - Direct communication required
   - Describe breach in clear language
   - Provide recommendations for protection

Breach Notification Template:

Subject: Important Security Notice

Dear [Name],

We are writing to inform you of a data security incident that may
have affected your personal information.

WHAT HAPPENED:
On [date], we discovered that [brief description].

WHAT INFORMATION WAS INVOLVED:
[List specific data types: name, email, etc.]
[List what was NOT involved]

WHAT WE ARE DOING:
- [Immediate actions taken]
- [Ongoing security enhancements]
- [Resources provided to affected individuals]

WHAT YOU CAN DO:
- Change your password immediately
- Monitor your accounts for suspicious activity
- [Specific recommendations]

FOR MORE INFORMATION:
Contact our dedicated hotline: [phone]
Email: security@company.com

We sincerely apologize for this incident and the inconvenience
it may cause.

Sincerely,
[Name, Title]

Compliance Checklist

GDPR Compliance

  • [ ] Lawful basis documented for all processing
  • [ ] Privacy policy published and accessible
  • [ ] Consent mechanism implements granular controls
  • [ ] Data subject rights request process established
  • [ ] Records of processing activities maintained
  • [ ] Data Protection Officer appointed (if required)
  • [ ] DPIA conducted for high-risk processing
  • [ ] Data breach notification procedure in place
  • [ ] Vendor contracts include data processing agreements
  • [ ] International data transfer safeguards implemented
  • [ ] Staff training on data protection completed

CCPA Compliance

  • [ ] "Do Not Sell My Personal Information" link on homepage
  • [ ] Privacy policy discloses data collection and sales
  • [ ] Mechanisms for verifiable consumer requests
  • [ ] Process for opt-out requests (48-hour response)
  • [ ] Annual report on requests and compliance
  • [ ] Service provider agreements updated
  • [ ] Notice at collection provided

HIPAA Compliance

  • [ ] Risk assessment completed
  • [ ] Security policies and procedures documented
  • [ ] Workforce trained on HIPAA requirements
  • [ ] Business Associate Agreements signed
  • [ ] Access controls and audit trails implemented
  • [ ] Encryption for ePHI
  • [ ] Breach notification procedures established
  • [ ] Contingency plan and disaster recovery

Privacy compliance is an ongoing process, not a one-time checklist. Regularly review and update practices as regulations evolve and your data processing changes.