Data Privacy & Compliance
As of 2026-05-29
Privacy is a design input, not a finishing step — in EMEA that means GDPR. The principles shape modelling: lawful basis (analytics on personal data is processing), purpose limitation, data minimisation, storage limitation (tension with statutory retention, M071), right to erasure. Pseudonymisation keeps data personal; true anonymisation is hard because aggregates can re-identify (small cells = personal data dressed as statistics) — apply k-anonymity thinking. Article 9 special-category data (health/biometrics) raises the bar — flag it early (pharma M100, HR). Enforce privacy by design through the stack: catalog classification (M080) + access controls (M081) + masking + retention (M071) + lineage for the DPIA (M077). Data residency drives landscape design. The EU AI Act era rewards privacy-competent designers.
Full module available to members.