FromZero2AI
CoursesPlaygroundBlog
Support on Ko-fi
LLM Security & Production Hardening • Module B: Governance & ComplianceLesson 5: AI Compliance — GDPR, HIPAA & the EU AI Act
PreviousNext

Lesson 5: AI Compliance — GDPR, HIPAA & the EU AI Act

Map AI system components to regulatory requirements. Understand right-to-erasure implications for vector databases, HIPAA constraints on clinical AI, and the EU AI Act risk tiers.

Built with AI for beginners. Free forever.

Support on Ko-fi•About•Blog•Privacy Policy•Terms of Service

GDPR, HIPAA, the EU AI Act, and SOC 2 all have AI-specific implications that go beyond standard software compliance. This lesson covers the concrete engineering work these regulations require — not the legal theory.

Regulation Explorer

Select a regulation to see what it requires, what you must actually build, and a reference code pattern:

GDPR

Jurisdiction

European Union (applies globally when processing EU residents' data)

Key Requirement for AI Systems

Right to erasure (Art. 17) and right to explanation for automated decisions (Art. 22).

What You Must Actually Build

Delete user data from vector store, logs, and cache with proof of deletion. Log retrieved context and model version used for every automated decision.

Reference Implementation

import chromadb
import hashlib

chroma = chromadb.HttpClient(host='localhost', port=8000)

def erase_user_data(user_id: str, collection_names: list[str]) -> dict:
    """
    GDPR Art. 17 — Execute right-to-erasure request.
    Must complete within 30 days of user request.
    """
    erasure_report = {'user_id': user_id, 'collections_cleaned': []}

    for collection_name in collection_names:
        collection = chroma.get_collection(collection_name)
        results = collection.get(where={'user_id': user_id})
        ids = results['ids']
        if ids:
            collection.delete(ids=ids)
            erasure_report['collections_cleaned'].append({
                'collection': collection_name,
                'documents_deleted': len(ids),
            })

    purge_conversation_history(user_id)
    purge_user_cache_entries(user_id)

    log_compliance_event({
        'event': 'gdpr_erasure',
        'user_id': hashlib.sha256(user_id.encode()).hexdigest(),
        'timestamp': 'ISO8601',
        'report': erasure_report,
    })

    return erasure_report

PHI / PII Handling Decision Tree

Does the query contain PHI (Protected Health Information)?
├── YES → Does your LLM provider have a signed BAA (Business Associate Agreement)?
│   ├── YES (e.g., Azure OpenAI with BAA) → Proceed, log all PHI access
│   └── NO → REDACT all PHI before sending to LLM. Never send raw PHI to Anthropic API.
└── NO → Does the query contain PII (names, emails, SSNs)?
    ├── YES → Tokenize with PiiVault before sending. Detokenize response.
    └── NO → Standard handling. Still scan output for accidental PII.

Document your data flows before a compliance audit.Draw a data flow diagram: where does user data enter your system, where does it go (LLM API, vector store, logs), what PII does it contain, who can access it, and when is it deleted. Auditors ask for exactly this — having it ready saves weeks.

The EU AI Act is risk-tiered.General-purpose chatbots are typically “limited risk” (transparency requirements only). AI that makes decisions about employment, credit, healthcare, or law enforcement is “high risk” — mandatory conformity assessments, human oversight, and registration. Know your tier before you build.

The final lesson is the security capstone: build a defense-in-depth pipeline that integrates injection defense, PII redaction, tenant isolation, and audit logging into one production-grade system.