One Tool, Three Frameworks
A privacy team processes EU customer files under GDPR on Monday. Healthcare records under HIPAA on Tuesday. California consumer data under CCPA on Wednesday.
Each law has different rules. Each document needs a different setup.
Switching between three rule sets every day creates errors. The wrong setup on the wrong file causes a compliance failure or data loss.
Named compliance profiles fix this. One saved setup per law. No manual reconfiguration.
GDPR — What It Covers
GDPR covers all personal data. It applies to any EU individual who can be identified. There is no fixed list of what counts. Any information that relates to a person is in scope.
Special categories — health data, religious beliefs, political views — get extra protection under Article 9.
Common entity types for document work: names, addresses, national IDs, emails, phone numbers, IP addresses, credit cards.
The right call depends on context. GDPR has no fixed list.
HIPAA — What It Covers
HIPAA Safe Harbor defines exactly 18 identifier types. All 18 must be removed from health records.
Two rules catch teams by surprise:
- Dates reduce to year only. Month and day are removed. The year stays.
- Geographic areas smaller than a state must be removed.
These rules apply only to covered entities and their business partners.
CCPA — What It Covers
CCPA covers personal information linked to California residents. The scope is wide. It includes direct identifiers, internet activity, purchase history, geolocation data, biometric data, and profile inferences.
For document work, focus on direct identifiers: names, SSNs, driver's licenses, passport numbers, emails, account numbers, IP addresses, device IDs.
Purchase history and browsing logs rarely appear as plain text in a document.
Why Manual Switching Fails
Manual switching creates errors. A GDPR file run with a HIPAA setup picks up date rules that GDPR does not need. A HIPAA file run with a GDPR setup misses the geographic rules Safe Harbor requires.
Studies show manual framework switches produce errors about 15% of the time. Every error is a compliance miss or a data loss event.
Staff must keep three rule sets in mind and apply the right one each time. That is not a process. It is a guess made daily.
Three Named Setups
"GDPR Standard — EU Customers"
Detects: names, addresses, national IDs, emails, phone numbers, IP addresses, credit cards.
Method: Redact.
Exclude dates unless date-of-birth is in scope. Include IP addresses for online data work.
"HIPAA Safe Harbor — Healthcare"
Detects: person names, dates, sub-state locations, phone, fax, email, SSN, medical record numbers, health plan IDs, account numbers, certificate numbers, vehicle IDs, device IDs, URLs, IP addresses, biometric IDs. That covers all 18 Safe Harbor types.
Method: Redact. For dates: keep the year. Remove the month and day.
Add a custom pattern for your facility's medical record number format.
"CCPA — California Consumer"
Detects: names, addresses, phone numbers, emails, SSNs, driver's licenses, passport numbers, credit cards, IP addresses, URLs, account numbers, device IDs.
Method: Replace (best for analytics) or Redact.
Each saved setup locks in the compliance decision. The operator picks the profile that fits the document's legal context. No entity list to build. No method to choose.
Error Rates Before and After
Before named profiles: Staff reconfigure by hand for each law. Error rate is near 15%. Annual audits find framework-application findings each year.
After named profiles: Staff pick a saved profile. The setup is fixed. Error rate drops below 2%. Remaining errors come from picking the wrong profile. QA review catches those. Audits pass without findings.
The key shift: the compliance decision moves from daily execution to profile creation. A specialist decides once. Every operator applies it without thinking.
Running a Multi-Framework Team
Assign ownership. One lead per law. The GDPR lead owns the GDPR profile. The HIPAA officer owns the HIPAA setup. Each lead reviews their profile every quarter.
Route by source. EU customer data uses the GDPR profile. US healthcare data uses the HIPAA profile. California consumer data uses the CCPA profile.
Log every run. Processing logs record which profile was used on each batch. When an auditor asks how a file was handled, the answer is a profile name, a date, and a config log.
Push updates. When EDPB issues new guidance, the GDPR lead updates the shared setup. All future runs pick up the change. No one needs to be told.
For a deeper look at profile governance and audit evidence, see anonymization presets and GDPR audit consistency. For HIPAA Safe Harbor entity coverage in detail, see HIPAA Safe Harbor de-identification for healthcare research.
Conclusion
Three laws. Three saved profiles. One tool.
The complexity lives at the profile definition level. Not in daily processing. Operators do not need to know HIPAA date rules. They need to know which profile fits the document in front of them.
Named setups cut cognitive load. They reduce errors. They make compliance provable.