GDPR and CCPA: Data Privacy Architecture on AWS
Data privacy regulations have fundamentally changed how companies must handle personal information. If your application serves users in the European Union, you must comply with GDPR. If you handle data from California residents and meet the business thresholds, CCPA applies. For many companies -- especially SaaS platforms and companies with global user bases -- both regulations apply simultaneously.
The technical challenge is significant. GDPR and CCPA do not just require you to protect data. They require you to know where personal data exists across your entire infrastructure, delete it on request, export it in portable formats, restrict its processing, track consent, and control where it is stored geographically. These are not features you bolt on after launch. They are architectural requirements that affect your data layer, your application logic, and your operational processes.
This course covers the architecture patterns for building GDPR- and CCPA-compliant infrastructure on AWS. You will learn how to discover and classify personal data, implement data subject rights at the infrastructure level, manage data residency across AWS regions, and build consent management into your application architecture.
Key Requirements
GDPR vs CCPA Comparison
| Aspect | GDPR | CCPA |
|---|---|---|
| Jurisdiction | EU residents (applies globally to processors) | California residents |
| Who must comply | Any organization processing EU personal data | Businesses with $25M+ revenue, 100K+ consumers' data, or 50%+ revenue from data sales |
| Personal data scope | Broad: any data relating to an identified or identifiable person | Broad: information that identifies, relates to, or could be linked to a consumer or household |
| Lawful basis required | Yes (consent, contract, legitimate interest, etc.) | No lawful basis required, but must disclose purposes |
| Right to deletion | Yes (Right to Erasure) | Yes (Right to Delete) |
| Right to portability | Yes (structured, machine-readable format) | Yes (readily usable format) |
| Breach notification | 72 hours to supervisory authority | No specific timeline, but "expedient" notification required |
| Cross-border transfers | Restricted (requires adequacy decisions, SCCs, or BCRs) | No cross-border restrictions |
| Maximum penalty | 4% of global revenue or 20M euros | $7,500 per intentional violation |
Data Subject Rights
Both frameworks grant individuals rights over their personal data. Your architecture must support:
- Right to access -- Provide individuals with a copy of all personal data you hold about them
- Right to deletion -- Delete personal data across all systems, including backups and derived data
- Right to portability -- Export personal data in a structured, machine-readable format
- Right to restrict processing -- Stop processing personal data while a dispute is resolved
- Right to rectification -- Correct inaccurate personal data (GDPR)
- Right to opt out -- Allow consumers to opt out of data sales (CCPA)
Data Residency
GDPR restricts transferring personal data outside the EU/EEA unless adequate protections are in place. This has direct implications for which AWS regions you deploy to and how you architect multi-region systems.
What This Course Covers
| Module | Topic |
|---|---|
| 1 | GDPR and CCPA requirements mapping -- detailed comparison of obligations and how they translate to technical controls |
| 2 | PII discovery and classification with Macie -- automated scanning of S3 data stores, custom data identifiers, and classification taxonomies |
| 3 | Data residency controls and regional deployment -- multi-region architecture patterns, S3 replication controls, and preventing data leakage across regions |
| 4 | Right to deletion implementation across S3, DynamoDB, and RDS -- deletion workflows, cascading deletes, backup handling, and verification |
| 5 | Data portability and subject access request automation -- export pipelines, data aggregation across services, and response automation within regulatory timelines |
| 6 | Consent management architecture -- consent storage, propagation to downstream services, preference centers, and audit trails for consent changes |
Complete GDPR/CCPA Architecture Guide
Get the complete data privacy architecture guide with PII discovery configurations, deletion workflow templates, data portability pipelines, consent management patterns, and regional deployment architectures for GDPR and CCPA compliance on AWS.