GDPR, HIPAA, the EU AI Act, and SOC 2 all have AI-specific implications that go beyond standard software compliance. This lesson covers the concrete engineering work these regulations require — not the legal theory.
Select a regulation to see what it requires, what you must actually build, and a reference code pattern:
Jurisdiction
European Union (applies globally when processing EU residents' data)
Key Requirement for AI Systems
Right to erasure (Art. 17) and right to explanation for automated decisions (Art. 22).
What You Must Actually Build
Delete user data from vector store, logs, and cache with proof of deletion. Log retrieved context and model version used for every automated decision.
Reference Implementation
import chromadb
import hashlib
chroma = chromadb.HttpClient(host='localhost', port=8000)
def erase_user_data(user_id: str, collection_names: list[str]) -> dict:
"""
GDPR Art. 17 — Execute right-to-erasure request.
Must complete within 30 days of user request.
"""
erasure_report = {'user_id': user_id, 'collections_cleaned': []}
for collection_name in collection_names:
collection = chroma.get_collection(collection_name)
results = collection.get(where={'user_id': user_id})
ids = results['ids']
if ids:
collection.delete(ids=ids)
erasure_report['collections_cleaned'].append({
'collection': collection_name,
'documents_deleted': len(ids),
})
purge_conversation_history(user_id)
purge_user_cache_entries(user_id)
log_compliance_event({
'event': 'gdpr_erasure',
'user_id': hashlib.sha256(user_id.encode()).hexdigest(),
'timestamp': 'ISO8601',
'report': erasure_report,
})
return erasure_reportDoes the query contain PHI (Protected Health Information)?
├── YES → Does your LLM provider have a signed BAA (Business Associate Agreement)?
│ ├── YES (e.g., Azure OpenAI with BAA) → Proceed, log all PHI access
│ └── NO → REDACT all PHI before sending to LLM. Never send raw PHI to Anthropic API.
└── NO → Does the query contain PII (names, emails, SSNs)?
├── YES → Tokenize with PiiVault before sending. Detokenize response.
└── NO → Standard handling. Still scan output for accidental PII.Document your data flows before a compliance audit.Draw a data flow diagram: where does user data enter your system, where does it go (LLM API, vector store, logs), what PII does it contain, who can access it, and when is it deleted. Auditors ask for exactly this — having it ready saves weeks.
The EU AI Act is risk-tiered.General-purpose chatbots are typically “limited risk” (transparency requirements only). AI that makes decisions about employment, credit, healthcare, or law enforcement is “high risk” — mandatory conformity assessments, human oversight, and registration. Know your tier before you build.
The final lesson is the security capstone: build a defense-in-depth pipeline that integrates injection defense, PII redaction, tenant isolation, and audit logging into one production-grade system.