This is not legal advice — consult counsel for your specific obligations. It is, however, a useful starting map for engineering teams trying to understand what each framework actually asks of a system.

Data subject rights

GDPR grants a broad right to erasure and data portability. HIPAA does not grant a general erasure right for medical records — retention requirements often apply instead.

Breach notification

GDPR requires notification to the relevant authority within 72 hours of becoming aware of a breach. HIPAA's Breach Notification Rule generally allows up to 60 days, with different thresholds based on the number of records affected.

Where engineering effort concentrates

For GDPR: consent management, data portability exports, and erasure workflows. For HIPAA: access logging, encryption at rest and in transit, and Business Associate Agreements with every vendor touching PHI.

Our Compliance & Risk Consulting team can help translate either framework into an engineering backlog.