
Compliance Component

The Compliance component handles GDPR data deletion workflows across the Alan platform. It provides a centralized system for managing member data deletion requests and coordinating deletion processes across different data buckets.

🚀 Quick Start for Teams

Adding Your Component to GDPR Deletion Process

If your team manages user data that needs to be deleted for GDPR compliance, follow these steps:

1. Add Your Component as a Dependency

First, update the dependencies.yml file to include your component:

# Path: components/*
dependencies:
- global_profile
- your_component_name  # Add your component here

This allows the compliance component to import and use code from your component.

2. Implement Required Methods in Your Component

Create two methods in your component's business logic:

Method 1: Find Members Ready for Deletion

# Example: components/your_component/internal/business_logic/queries/gdpr_deletion.py

import uuid
from typing import List

def get_profiles_ready_for_deletion() -> List[uuid.UUID]:
    """
    Return a list of global profile IDs that are ready for deletion.
    We use global profile IDs because user IDs are not unique between apps (FR/ES/BE).

    This method should implement your business logic to determine which
    members can be safely deleted (e.g., no active claims, contracts expired, etc.)

    Returns:
        List[uuid.UUID]: List of global profile IDs ready for deletion
    """
    # Your business logic here
    # Example:
    # - Check for expired contracts
    # - Verify no pending claims
    # - Ensure retention period has passed
    profile_ids: List[uuid.UUID] = []  # fill with the IDs your checks select

    return profile_ids

Method 2: Execute Member Deletion

# Example: components/your_component/internal/business_logic/actions/gdpr_deletion.py

import uuid

def delete_member_data(global_profile_id: uuid.UUID) -> None:
    """
    Delete all data related to a specific member.

    This method should permanently delete or anonymize all data
    related to the given global profile ID.
    See the method above for why we use global profile IDs.

    Args:
        global_profile_id: The global profile ID to delete data for
    """
    # Your deletion logic here
    # Example:
    # - Delete member records
    # - Anonymize historical data
    # - Remove PII from logs
    # - Update related tables

    pass

3. Register Your Methods in Compliance Rules

Update the compliance rules to include your methods:

# File: components/compliance/internal/business_logic/rules/gdpr_compliance_rules.py

import uuid
from typing import Any, Callable

# Update the appropriate data bucket with your methods
def get_callable_rules_to_get_profiles_to_record_deletion(
    bucket_type: ComplianceDataBucketType,
) -> list[Callable[[Any], list[uuid.UUID]]]:
    # Import your method here
    from components.your_component.internal.business_logic.queries.gdpr_deletion import (
        get_profiles_ready_for_deletion as your_component_get_profiles_ready_for_deletion,
    )

    compliance_data_buckets_methods: dict[
        ComplianceDataBucketType, list[Callable[[Any], list[uuid.UUID]]]
    ] = {
        ComplianceDataBucketType.health_claims: [
            your_component_get_profiles_ready_for_deletion,  # Add your method here if related to health claims
        ],
        ComplianceDataBucketType.health_services: [
            # Add methods for health services if applicable
        ],
        ComplianceDataBucketType.prevoyance_claims: [],
        ComplianceDataBucketType.medical_data: [],
    }
    # ... rest of the method

def get_callable_rules_to_delete_profiles(
    bucket_type: ComplianceDataBucketType,
) -> list[Callable[[Any], list[uuid.UUID]]]:
    # Import your method here
    from components.your_component.internal.business_logic.actions.gdpr_deletion import (
        delete_member_data as your_component_delete_member_data,
    )

    compliance_data_buckets_methods: dict[
        ComplianceDataBucketType, list[Callable[[Any], list[uuid.UUID]]]
    ] = {
        ComplianceDataBucketType.health_claims: [
            your_component_delete_member_data,  # Add your deletion method here if related to health claims
        ],
        ComplianceDataBucketType.health_services: [
            # Add deletion methods for health services if applicable
        ],
        ComplianceDataBucketType.prevoyance_claims: [],
        ComplianceDataBucketType.medical_data: [],
    }
    # ... rest of the method

4. Choose the Right Data Bucket Type

Select the appropriate bucket type for your data:

  • health_claims: Claims data, reimbursements, medical expenses
  • health_services: Clinic appointments, medical consultations
  • prevoyance_claims: Insurance claims, death/disability benefits
  • medical_data: Medical records, health assessments

📋 GDPR Deletion Process Overview

Workflow Steps

  1. Identification: Teams implement methods to identify members ready for deletion
  2. Record Creation: Deletion records are created for eligible members
  3. Batch Creation: Records are grouped into batches for review
  4. Review Process: Batches are reviewed and approved/rejected
  5. Execution: Approved batches trigger async deletion jobs
  6. Completion: Data is permanently deleted across all systems

Key Components

  • GdprDeletionRecord: Individual deletion request for a member
  • GdprDeletionBatch: Collection of deletion records for review
  • ComplianceProfile: Links global profiles to compliance processes

🛠 Available Commands

Create Deletion Records

# Identify and create deletion records for a data bucket
alan compliance create-gdpr-deletion-records-for-data-bucket --bucket-type health_claims

# Dry run mode (recommended for testing)
alan compliance create-gdpr-deletion-records-for-data-bucket --bucket-type health_claims --dry-run

Create Review Batch

# Group deletion records into a batch for review
alan compliance create-gdpr-deletion-batch-for-data-bucket --bucket-type health_claims

# Dry run mode
alan compliance create-gdpr-deletion-batch-for-data-bucket --bucket-type health_claims --dry-run

Review and Approve Batches

# Programmatically review batches
from components.compliance.internal.business_logic.actions.gdpr_deletion_batch import (
    review_gdpr_deletion_batch
)
from components.compliance.public.enums import GdprDeletionBatchStatus

# Approve a batch
review_gdpr_deletion_batch(
    deletion_batch_id=batch_id,
    reviewed_status=GdprDeletionBatchStatus.accepted,
    reviewed_by="reviewer_name",
    reviewed_reason="All checks passed"
)

🔍 Business Logic Guidelines

Finding Members Ready for Deletion

Your get_profiles_ready_for_deletion() method should consider:

  • Retention periods: Legal requirements for data retention
  • Active relationships: No ongoing contracts or claims
  • Grace periods: Allow time for member to return
  • Dependencies: Check for data used by other systems
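
One way to turn these four checks into an eligibility function that also reports why a member is kept, which is useful for dry-run output. This is an added example, not code from the compliance component: `MemberSnapshot`, `deletion_blockers`, `select_profiles_ready_for_deletion`, the period lengths and the rule that the grace period starts when retention ends are all assumptions.

```python
import uuid
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed periods for illustration; real values come from legal requirements.
RETENTION = timedelta(days=5 * 365)
GRACE = timedelta(days=90)


@dataclass(frozen=True)
class MemberSnapshot:
    """Hypothetical per-member view, not a model from the platform."""
    global_profile_id: uuid.UUID
    contract_end: Optional[date]  # None: contract still active, or end unknown
    open_claims: int              # claims not yet settled
    referenced_elsewhere: bool    # data still used by another system


def deletion_blockers(m: MemberSnapshot, today: date) -> List[str]:
    """Every reason the member must be kept; an empty list means eligible."""
    blockers = []
    if m.contract_end is None:
        blockers.append("active_or_unknown_contract")  # fail closed
    elif today < m.contract_end + RETENTION:
        blockers.append("retention_period")
    elif today < m.contract_end + RETENTION + GRACE:
        blockers.append("grace_period")
    if m.open_claims > 0:
        blockers.append("open_claims")
    if m.referenced_elsewhere:
        blockers.append("dependency")
    return blockers


def select_profiles_ready_for_deletion(
    members: Iterable[MemberSnapshot], today: date
) -> List[uuid.UUID]:
    return sorted(m.global_profile_id for m in members
                  if not deletion_blockers(m, today))


# Constructed sample data.
TODAY = date(2030, 1, 1)
MEMBERS = [
    MemberSnapshot(uuid.UUID(int=1), date(2020, 1, 1), 0, False),
    MemberSnapshot(uuid.UUID(int=2), date(2024, 11, 1), 0, False),
    MemberSnapshot(uuid.UUID(int=3), None, 1, False),
]
```

A missing contract end date blocks deletion instead of allowing it, so incomplete data never makes a member eligible.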

Implementing Safe Deletion

Your delete_member_data() method should:

  • Be idempotent: Safe to call multiple times
  • Handle errors gracefully: Don't fail the entire batch
  • Log actions: Track what was deleted for audit
  • Preserve audit trails: Keep minimal records for compliance
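
The four properties above, shown together in a small batch runner. This is an added example, not the compliance component's own job code: `run_deletion_batch`, `audit_ref`, `AUDIT_KEY`, the in-memory `STORE` and `failing_deleter` are hypothetical, and logging a keyed pseudonym in place of the raw profile ID is one assumed way to keep the audit record minimal.

```python
import hashlib
import hmac
import logging
import uuid
from typing import Callable, Dict, Iterable, List

logger = logging.getLogger("gdpr_deletion_example")
AUDIT_KEY = b"constructed-example-key"  # assumption: secret stored outside the deleted data


def audit_ref(global_profile_id: uuid.UUID) -> str:
    """Keyed pseudonym so the audit trail does not keep the raw profile ID."""
    mac = hmac.new(AUDIT_KEY, global_profile_id.bytes, hashlib.sha256)
    return mac.hexdigest()[:16]


def run_deletion_batch(
    profile_ids: Iterable[uuid.UUID],
    deleters: List[Callable[[uuid.UUID], None]],
) -> Dict[str, List[uuid.UUID]]:
    """Run every deleter for every profile; one failure never stops the batch."""
    result: Dict[str, List[uuid.UUID]] = {"deleted": [], "failed": []}
    for pid in profile_ids:
        outcome = "deleted"
        for deleter in deleters:
            try:
                deleter(pid)
            except Exception as exc:
                outcome = "failed"
                # Log the exception class only: messages can embed member data.
                logger.error("ref=%s step=%s error=%s",
                             audit_ref(pid), deleter.__name__, type(exc).__name__)
        result[outcome].append(pid)
        logger.info("ref=%s outcome=%s", audit_ref(pid), outcome)
    return result


# Constructed in-memory store standing in for a component's tables.
STORE = {uuid.UUID(int=1): {"email": "a@example.com"},
         uuid.UUID(int=2): {"email": "b@example.com"}}


def delete_member_data(global_profile_id: uuid.UUID) -> None:
    STORE.pop(global_profile_id, None)  # idempotent: an absent row is not an error


def failing_deleter(global_profile_id: uuid.UUID) -> None:
    if global_profile_id == uuid.UUID(int=2):
        raise RuntimeError("constructed failure for the example")
```

Profiles returned under `failed` can be retried in a later run because every deleter is safe to call again.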

🧪 Testing

Writing Tests for Your Integration

# Test your deletion identification logic
def test_get_profiles_ready_for_deletion_should_return_eligible_profiles():
    # Create test data
    expired_member = create_expired_member()
    active_member = create_active_member()

    # Test your method
    eligible_profiles = get_profiles_ready_for_deletion()

    # Assertions
    assert expired_member.global_profile_id in eligible_profiles
    assert active_member.global_profile_id not in eligible_profiles

# Test your deletion logic
def test_delete_member_data_should_remove_all_data():
    # Create test member with data
    member = create_member_with_data()

    # Execute deletion
    delete_member_data(member.global_profile_id)

    # Verify data is deleted
    assert not member_data_exists(member.global_profile_id)

📊 Monitoring and Observability

The system automatically logs:

  • Number of profiles identified for deletion
  • Batch creation and review status
  • Job execution status and failures
  • Deletion completion metrics

🚨 Important Considerations

Data Safety

  • Always test in staging first
  • Use dry-run mode for validation
  • Implement proper backups before deletion
  • Consider soft deletion for reversibility

Performance

  • Batch operations efficiently
  • Implement pagination for large datasets
  • Consider database locks and transactions
  • Monitor job execution times
  • Verify retention requirements
  • Document deletion policies
  • Maintain audit logs
  • Handle cross-border data requirements

📞 Support

For questions or issues with GDPR deletion integration:

  1. Check the existing implementations in other components
  2. Review the test cases for examples
  3. Consult with the compliance team for legal requirements
  4. Reach out to the platform team for technical guidance