Compliance NFRs impose legally or contractually mandated constraints on how data is collected, stored, processed, and deleted. Key frameworks include GDPR (EU personal data, right to erasure, consent management), HIPAA (US healthcare, PHI protection, audit trails), PCI-DSS (cardholder data, 12 requirements including network segmentation), and SOC 2 Type II (trust service criteria: security, availability, processing integrity, confidentiality, privacy). Non-compliance carries severe penalties — GDPR fines reach €20M or 4% of global annual revenue, whichever is greater. Compliance must be designed into the system, not bolted on — privacy by design is both a GDPR requirement and the only engineering-sustainable approach.

Key Points

  • GDPR requires lawful basis for processing (consent, contract, legitimate interest), data minimization, purpose limitation, and breach notification within 72 hours.
  • HIPAA mandates PHI encryption at rest and in transit, minimum-necessary access, audit logging of all PHI access, and Business Associate Agreements with vendors.
  • PCI-DSS Level 1 (>6M card transactions/year) requires an annual QSA audit, quarterly network scans, and tokenization or point-to-point encryption for PAN data.
  • SOC 2 Type II audit covers a 6-12 month observation period proving controls operate continuously — vendors request this before sharing sensitive data or integrating deeply.
  • Data residency requirements (GDPR, China PIPL, Russia Federal Law 242-FZ) mandate data processing within specific geographies — design multi-region with data sovereignty controls.
  • Right to erasure (GDPR Art. 17) requires soft-delete + purge pipelines across all data stores including backups, caches, analytics warehouses, and third-party integrations.
  • Immutable audit logs (append-only, tamper-evident via cryptographic hash chains) satisfy HIPAA audit trail and SOC 2 security requirements simultaneously.
  • Compliance as code: embed policy checks in CI/CD (Open Policy Agent, AWS Config Rules) so non-compliant infrastructure cannot be deployed — shift compliance left.
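
The erasure pipeline and the hash-chained audit log from the points above, combined in one added example (this is illustrative code written for this note, not any product's implementation). The data stores are constructed in-memory dicts standing in for a primary database, a cache, an analytics warehouse and a backup set; backups are assumed to be immutable and are therefore crypto-shredded by destroying the per-subject key rather than rewritten. A purge step that fails (for instance an unreachable third-party integration) is recorded in the audit log and leaves the request open for retry, so a partial erasure is never reported as complete. Every entry of the audit log commits to the previous entry's SHA-256 hash, which is the tamper-evidence property HIPAA audit trails and SOC 2 both rely on. All names (`AuditLog`, `erase_subject`, `make_stores`, the step functions) are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only, tamper-evident log: each entry commits to the hash of the
    previous one, so editing, reordering or dropping an entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev": prev, "actor": actor,
                "action": action, "detail": detail,
                "ts": datetime.now(timezone.utc).isoformat()}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self._digest(body):
                return False
            prev = entry["hash"]
        return True


def make_stores():
    """Constructed in-memory stand-ins for the stores an erasure must reach."""
    return {
        "primary_db": {"u42": {"email": "a@example.com", "deleted_at": None},
                       "u7": {"email": "b@example.com", "deleted_at": None}},
        "cache": {"profile:u42": "cached", "profile:u7": "cached"},
        "warehouse": [{"user_id": "u42", "event": "login"},
                      {"user_id": "u7", "event": "purchase"}],
        # Backups are immutable, so they are crypto-shredded: each subject's backup
        # rows were encrypted under a per-subject key; deleting the key makes them unreadable.
        "backup_keys": {"u42": b"key-u42", "u7": b"key-u7"},
    }


# Purge steps are idempotent so a retried request can safely re-run them.
def purge_cache(stores, sid):
    stores["cache"].pop(f"profile:{sid}", None)


def purge_warehouse(stores, sid):
    stores["warehouse"][:] = [r for r in stores["warehouse"] if r["user_id"] != sid]


def shred_backup_key(stores, sid):
    stores["backup_keys"].pop(sid, None)


DEFAULT_STEPS = [("cache", purge_cache), ("warehouse", purge_warehouse),
                 ("backup_keys", shred_backup_key)]


def erase_subject(stores, audit, sid, steps=DEFAULT_STEPS):
    """Soft-delete first (processing stops at once), fan the purge out to every
    secondary store, and only then drop the primary record. A failing step is
    audited and leaves the request open for retry; the primary tombstone survives
    so the retry can still find the subject."""
    record = stores["primary_db"].get(sid)
    if record is None:
        audit.append("erasure-job", "erasure.skip", {"subject": sid, "reason": "unknown subject"})
        return {"subject": sid, "status": "unknown_subject", "failed": []}
    if record["deleted_at"] is None:
        record["deleted_at"] = datetime.now(timezone.utc).isoformat()
        audit.append("erasure-job", "erasure.soft_delete", {"subject": sid})
    failed = []
    for name, step in steps:
        try:
            step(stores, sid)
            audit.append("erasure-job", "erasure.purge", {"subject": sid, "store": name})
        except Exception as exc:  # vendor outage, permission error, ...
            failed.append(name)
            audit.append("erasure-job", "erasure.purge_failed",
                         {"subject": sid, "store": name, "error": str(exc)})
    if failed:
        status = "pending_retry"
    else:
        del stores["primary_db"][sid]
        status = "complete"
    audit.append("erasure-job", "erasure.result", {"subject": sid, "status": status})
    return {"subject": sid, "status": status, "failed": failed}


if __name__ == "__main__":
    stores, audit = make_stores(), AuditLog()
    print(erase_subject(stores, audit, "u42"))
    print("audit chain intact:", audit.verify())
```

In a real deployment the chain head hash would be periodically anchored somewhere the log writer cannot alter (a separate account, a WORM bucket, or a signed timestamp), since a hash chain alone only detects edits made by someone who cannot also rewrite every later entry.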

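The compliance-as-code gate and the data residency point above, as one added example (written for this note; it is not Open Policy Agent, AWS Config, or any vendor's code). It evaluates a constructed list of planned resources, shaped loosely like a deployment plan, against four rules: regulated data must be encrypted at rest, personal data must stay in the regions its jurisdiction allows, regulated stores must not be public, and databases holding cardholder or PHI data must have audit logging on. The weak plan is shown beside its corrected form. The resource schema, the `data_classes` tags, the region names and the residency table are all hypothetical; a real pipeline would express the same rules in Rego or as Config Rules and fail the build on any deny.

```python
import sys

# Constructed residency table: regions that may hold each population's personal data.
RESIDENCY = {
    "EU": {"eu-west-1", "eu-central-1"},
    "CN": {"cn-north-1"},
    "RU": {"ru-central-1"},
}


# Each rule takes one planned resource and returns a list of violation messages.
def rule_encrypted_at_rest(res):
    if res["data_classes"] and not res.get("encrypted_at_rest"):
        return ["regulated data must be encrypted at rest"]
    return []


def rule_residency(res):
    out = []
    for cls in res["data_classes"]:
        if cls.startswith("personal:"):
            jurisdiction = cls.split(":", 1)[1]
            allowed = RESIDENCY.get(jurisdiction)
            if allowed is None:
                out.append(f"unknown jurisdiction {jurisdiction}")
            elif res["region"] not in allowed:
                out.append(f"{jurisdiction} personal data may not reside in {res['region']}")
    return out


def rule_not_public(res):
    if res["data_classes"] and res.get("public"):
        return ["regulated data store must not be publicly accessible"]
    return []


def rule_audit_logging(res):
    needs_audit = {"cardholder", "phi"} & set(res["data_classes"])
    if res["type"] == "database" and needs_audit and not res.get("audit_logging"):
        return ["databases holding " + ", ".join(sorted(needs_audit)) + " data need audit logging"]
    return []


RULES = [rule_encrypted_at_rest, rule_residency, rule_not_public, rule_audit_logging]


def evaluate(plan):
    """Return every violation as 'resource id: message'; empty means compliant."""
    return [f"{res['id']}: {msg}" for res in plan for rule in RULES for msg in rule(res)]


def gate(plan):
    """CI entry point: print findings and return the exit code (1 blocks the deploy)."""
    violations = evaluate(plan)
    for v in violations:
        print("DENY", v)
    return 1 if violations else 0


# Constructed plan as a team might first submit it: EU personal data in a US region,
# unencrypted and public, plus a cardholder database without audit logging.
NONCOMPLIANT_PLAN = [
    {"id": "bucket.customer-docs", "type": "object_store", "region": "us-east-1",
     "data_classes": ["personal:EU"], "encrypted_at_rest": False, "public": True},
    {"id": "db.orders", "type": "database", "region": "eu-west-1",
     "data_classes": ["personal:EU", "cardholder"], "encrypted_at_rest": True,
     "audit_logging": False},
]

# The same plan after the findings are fixed.
COMPLIANT_PLAN = [
    {"id": "bucket.customer-docs", "type": "object_store", "region": "eu-central-1",
     "data_classes": ["personal:EU"], "encrypted_at_rest": True, "public": False},
    {"id": "db.orders", "type": "database", "region": "eu-west-1",
     "data_classes": ["personal:EU", "cardholder"], "encrypted_at_rest": True,
     "audit_logging": True},
]

if __name__ == "__main__":
    for name, plan in (("draft", NONCOMPLIANT_PLAN), ("fixed", COMPLIANT_PLAN)):
        print(name, "exit code", gate(plan))
    sys.exit(gate(NONCOMPLIANT_PLAN))
```

The value of keeping rules as small pure functions over a plan is that the same rule set can run in three places with one definition: as a pre-commit check, as the CI gate, and as a periodic scan of what is actually deployed, so drift after deployment is caught by the same logic that blocked it at merge time.
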
Real-World Example

Amazon was fined €746M by Luxembourg's data protection authority in 2021 for GDPR violations in behavioral advertising — the largest GDPR fine at the time. This drove most large tech companies to implement privacy-by-design programs with dedicated compliance engineering teams embedded in product squads rather than as a gate-keeping function.