Non-Compliance Analysis (LINDDUN N2)

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "non-compliance" with this command: npx skills add florianbuetow/claude-code/florianbuetow-claude-code-non-compliance

Analyze source code for regulatory non-compliance where data processing activities violate GDPR, CCPA, or HIPAA. Non-compliance results from missing technical controls, incorrect legal bases, or unimplemented data subject rights. This category has no STRIDE equivalent and is unique to privacy threat modeling.

Supported Flags

Read ../../shared/schemas/flags.md for full flag documentation. This skill supports all cross-cutting flags.

Flag | Non-Compliance-Specific Behavior
--- | ---
--scope | Default: changed. Focuses on files containing data retention, deletion logic, consent management, cross-border transfers, age verification, and processing records.
--depth quick | Grep patterns only: scan for missing deletion endpoints, hardcoded retention, and cross-border transfers.
--depth standard | Full code read; check data lifecycle implementation against regulatory requirements.
--depth deep | Trace data flows across storage layers. Verify deletion cascades through databases, backups, caches, and logs.
--depth expert | Deep + regulatory audit simulation: assess compliance posture against GDPR, CCPA, and HIPAA article by article.
--severity | Filter output. Missing data subject rights are high; documentation gaps are medium.
--fix | Generate retention enforcement, deletion cascades, and consent management implementations.

Framework Context

LINDDUN N2 -- Non-compliance

Non-compliance occurs when data processing activities violate applicable privacy regulations. Read ../../shared/frameworks/linddun.md for the full framework reference, including regulatory mappings.

Privacy Property Violated: Regulatory Compliance | STRIDE Mapping: No equivalent | OWASP: A04:2021 (Insecure Design)

Workflow

Step 1 -- Determine Scope

  • Parse --scope flag (default: changed).

  • Resolve to a concrete file list.

  • Filter to relevant files: data retention logic, deletion handlers, consent management, user rights endpoints, data transfer configs, and age gates.

  • Prioritize files containing: cleanup jobs, TTL configs, deletion endpoints, consent flows, data exports, and cross-region deployment configs.

Step 2 -- Analyze for Non-Compliance

Read each scoped file and assess regulatory compliance:

  • Check data retention enforcement: Verify that data retention periods are defined, configurable, and enforced through automated cleanup.

  • Assess deletion completeness: Verify that user deletion cascades through all storage layers (database, cache, logs, backups, third parties).

  • Examine consent management: Check for valid consent collection, withdrawal mechanisms, and purpose-specific processing controls.

  • Check cross-border transfers: Identify personal data flows to servers in non-adequate jurisdictions without transfer safeguards.

  • Verify data subject rights: Confirm implementation of access, correction, deletion, portability, and restriction of processing endpoints.

  • Assess age verification: Check for age gating where required (COPPA, GDPR Article 8).

At --depth deep or --depth expert, trace the complete data lifecycle and verify compliance at every stage from collection through deletion.
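As an added illustration of the two controls this step looks for (not code from the skill or its repository), the following Python models a named, configurable retention policy enforced by an automated purge, and a user-deletion cascade that reports both the layers that still hold the user's data afterwards and the required layers the cascade was never wired to. The layer names, the in-memory stores, and the append-only log whose delete silently does nothing are all constructed for the example; they stand in for the database, cache, log, backup and third-party stores a real review would trace.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionPolicy:
    """A named retention period, kept as configuration rather than a literal in a job."""
    purpose: str
    keep_for: timedelta

    def is_expired(self, created_at: datetime, now: datetime) -> bool:
        return now - created_at >= self.keep_for


class StorageLayer:
    """Constructed in-memory stand-in for one storage layer (DB, cache, logs, backups, processor)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._rows: list[tuple[str, str, datetime]] = []  # (user_id, payload, created_at)

    def put(self, user_id: str, payload: str, created_at: datetime) -> None:
        self._rows.append((user_id, payload, created_at))

    def has_user(self, user_id: str) -> bool:
        return any(uid == user_id for uid, _, _ in self._rows)

    def purge_user(self, user_id: str) -> int:
        before = len(self._rows)
        self._rows = [r for r in self._rows if r[0] != user_id]
        return before - len(self._rows)

    def purge_expired(self, policy: RetentionPolicy, now: datetime) -> int:
        before = len(self._rows)
        self._rows = [r for r in self._rows if not policy.is_expired(r[2], now)]
        return before - len(self._rows)


class AppendOnlyLog(StorageLayer):
    """Constructed layer whose per-user delete is a no-op: the gap a deletion-completeness check must surface."""

    def purge_user(self, user_id: str) -> int:
        return 0


# Layers the "deletion completeness" check expects a cascade to cover (assumed set for this example).
REQUIRED_LAYERS = frozenset({"database", "cache", "logs", "backups", "third_party"})


def delete_user(user_id: str, layers: list[StorageLayer]) -> dict[str, set[str]]:
    """Cascade deletion through every wired layer, then report what the cascade missed."""
    for layer in layers:
        layer.purge_user(user_id)
    wired = {layer.name for layer in layers}
    return {
        # Layers that were called but still hold the user's data (a silent failure).
        "still_holding": {layer.name for layer in layers if layer.has_user(user_id)},
        # Required layers the cascade was never connected to at all.
        "not_wired": set(REQUIRED_LAYERS - wired),
    }


def enforce_retention(policy: RetentionPolicy, layers: list[StorageLayer], now: datetime) -> dict[str, int]:
    """Automated cleanup job: purge expired rows from every layer and report counts."""
    return {layer.name: layer.purge_expired(policy, now) for layer in layers}


def demo() -> dict:
    """Constructed scenario: two users, three wired layers, backups and third_party never wired in."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    db, cache, logs = StorageLayer("database"), StorageLayer("cache"), AppendOnlyLog("logs")
    for layer in (db, cache, logs):
        layer.put("u-1", "profile", now - timedelta(days=400))  # past a 365-day policy
        layer.put("u-2", "profile", now - timedelta(days=10))
    policy = RetentionPolicy(purpose="account-data", keep_for=timedelta(days=365))
    purged = enforce_retention(policy, [db, cache, logs], now)
    deletion = delete_user("u-2", [db, cache, logs])
    return {"purged": purged, "deletion": deletion}


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the retention job removes the 400-day-old row from every layer, while the deletion report names logs as still holding the user and backups and third_party as never wired in; those two lists are exactly what a deep-depth review of a real codebase should be able to produce for each deletion handler.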

Step 3 -- Report Findings

Output findings per ../../shared/schemas/findings.md. Each finding needs: NCMPL-NNN id, title, severity (based on regulatory penalty risk and affected data subjects), location with snippet, description of the unmet regulatory requirement, impact (penalties and liability), fix (technical control implementation), and CWE/LINDDUN/regulatory article references.

Analysis Checklist

  • Are data retention periods defined and enforced through automated cleanup jobs?

  • Does user deletion cascade through all storage systems (DB, cache, logs, backups)?

  • Is there a consent management system with collection, withdrawal, and purpose tracking?

  • Are cross-border data transfers protected with adequate safeguards (SCCs, BCRs)?

  • Are data subject rights implemented (access, export, deletion, restriction)?

  • Does the system implement age verification for minors (COPPA, GDPR Article 8)?

  • Is there a breach notification capability within 72 hours?

  • Do hardcoded retention periods match the stated privacy policy?

What to Look For

  • Missing data retention enforcement: No TTL, no cleanup jobs, no expiration.

  • Grep: retention|ttl|time.to.live|cleanup|purge|expire|cron.*delete|scheduled.*removal

  • Incomplete deletion: User deletion that misses storage layers.

  • Grep: deleteUser|removeUser|eraseUser|destroyUser|delete.*account|purge.*user

  • Missing consent withdrawal: No mechanism to revoke previously given consent.

  • Grep: withdraw.*consent|revoke.*consent|opt.out|unsubscribe|consent.*revoke|removeConsent

  • Cross-border data transfers: Data sent to non-adequate jurisdictions.

  • Grep: region.*us-east|endpoint.*amazonaws|storage.*googleapis|azure.*region|cloudflare

  • Missing age verification: No age gate or parental consent for minors.

  • Grep: age.*verify|date.of.birth|dateOfBirth|minAge|age.*gate|parental.*consent|COPPA|under.*13

  • Hardcoded retention periods: Retention values that may not match policy.

  • Grep: days.=.365|retention.=.30|ttl.=.90|expire.=.\d+|keep.*days|max.age.=

  • Missing processing restriction: No ability to pause processing on request.

  • Grep: restrict.*processing|pause.*processing|freeze.*account|suspend.*data|processing.*hold

  • Missing breach notification: No incident response or notification mechanism.

  • Grep: breach.*notify|incident.*report|security.*alert|data.*breach|notify.*authority

Regulatory Mapping

Regulation | Provision | Relevance
--- | --- | ---
GDPR Art. 5-6 | Processing principles, lawful bases | Lawfulness, purpose limitation, data minimization
GDPR Art. 8 | Child's consent | Parental consent required for minors
GDPR Art. 17-18, 20 | Erasure, restriction, portability | Data subject rights implementation
GDPR Art. 28, 30 | Processor requirements, ROPA | DPAs and records of processing activities
GDPR Art. 33-35 | Breach notification, DPIA | 72-hour notification, impact assessments
GDPR Art. 44-49 | Cross-border transfers | Adequacy decisions, SCCs, or BCRs required
CCPA 1798.105, .120 | Right to delete, opt-out | Consumer deletion and sale opt-out
HIPAA 164.404, .530 | Breach notification, admin | PHI safeguards and breach notification

Output Format

Use finding ID prefix NCMPL (e.g., NCMPL-001, NCMPL-002).

All findings follow the schema in ../../shared/schemas/findings.md with:

  • references.cwe: CWE-359 (Exposure of Private Information)

  • references.owasp: A04:2021 (Insecure Design -- missing regulatory controls)

  • metadata.tool: "non-compliance"

  • metadata.framework: "linddun"

  • metadata.category: "N2"

Summary table after all findings:

Non-Compliance Pattern | Critical | High | Medium | Low
--- | --- | --- | --- | ---
Missing data retention | | | |
Incomplete deletion | | | |
Missing consent management | | | |
Cross-border transfers | | | |
Missing data subject rights | | | |
Missing age verification | | | |
Missing breach notification | | | |

Followed by: top 3 priorities, compliance posture summary, and overall assessment.
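The following Python is an added example, not code from the skill or its repository, that ties the "What to Look For" grep patterns to the Output Format above: it runs each pattern over a constructed two-file scope at quick depth, emits findings with NCMPL-NNN ids and the fixed metadata and reference values listed above, and builds the per-pattern severity counts behind the summary table. The interpretation of each pattern is an assumption made here: the "Missing ..." rows produce one high finding when nothing in scope matches (the control appears absent), the cross-border and hardcoded-retention rows produce a medium finding per matching line, and the deletion-handler row produces a low "located, verify cascade" hit for deeper review. The sample file contents are constructed and match case-insensitively.

```python
import re

# The skill's "What to Look For" grep patterns, keyed by the summary-table row they feed.
PATTERNS = {
    "Missing data retention": r"retention|ttl|time.to.live|cleanup|purge|expire|cron.*delete|scheduled.*removal",
    "Incomplete deletion": r"deleteUser|removeUser|eraseUser|destroyUser|delete.*account|purge.*user",
    "Missing consent management": r"withdraw.*consent|revoke.*consent|opt.out|unsubscribe|consent.*revoke|removeConsent",
    "Cross-border transfers": r"region.*us-east|endpoint.*amazonaws|storage.*googleapis|azure.*region|cloudflare",
    "Missing age verification": r"age.*verify|date.of.birth|dateOfBirth|minAge|age.*gate|parental.*consent|COPPA|under.*13",
    "Hardcoded retention periods": r"days.=.365|retention.=.30|ttl.=.90|expire.=.\d+|keep.*days|max.age.=",
    "Missing processing restriction": r"restrict.*processing|pause.*processing|freeze.*account|suspend.*data|processing.*hold",
    "Missing breach notification": r"breach.*notify|incident.*report|security.*alert|data.*breach|notify.*authority",
}

# Assumed quick-depth interpretation: ABSENCE rows are a finding when nothing in scope
# matches; PRESENCE rows are a finding per matching line; any other row is a locate-only hit.
ABSENCE = {"Missing data retention", "Missing consent management", "Missing age verification",
           "Missing processing restriction", "Missing breach notification"}
PRESENCE = {"Cross-border transfers", "Hardcoded retention periods"}
SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample scope for the example; not taken from any real project.
SAMPLE_FILES = {
    "config/storage.py": [
        "BUCKET_ENDPOINT = 'https://logs.s3.us-east-1.amazonaws.com'",
        "LOG_RETENTION_DAYS = 365",
    ],
    "api/users.py": [
        "def deleteUser(user_id):",
        "    db.users.delete(user_id)",
    ],
}


def _finding(seq, pattern, severity, location, snippet, description):
    """One finding carrying the id format, references and metadata the Output Format prescribes."""
    return {
        "id": f"NCMPL-{seq:03d}",
        "title": pattern,
        "severity": severity,
        "location": location,
        "snippet": snippet,
        "description": description,
        "references": {"cwe": "CWE-359", "owasp": "A04:2021", "linddun": "N2"},
        "metadata": {"tool": "non-compliance", "framework": "linddun", "category": "N2"},
    }


def scan(files):
    """Quick-depth scan: run every pattern over every line of the scoped files."""
    findings = []
    for pattern, regex in PATTERNS.items():
        rx = re.compile(regex, re.IGNORECASE)
        hits = [(path, n, line) for path, lines in files.items()
                for n, line in enumerate(lines, 1) if rx.search(line)]
        if pattern in ABSENCE:
            if not hits:  # nothing in scope implements the control
                findings.append(_finding(len(findings) + 1, pattern, "high", "<scope>", "",
                                         f"No code in scope matches /{regex}/; the control appears unimplemented."))
        elif pattern in PRESENCE:
            for path, n, line in hits:  # each hit is itself the thing to review
                findings.append(_finding(len(findings) + 1, pattern, "medium", f"{path}:{n}", line.strip(),
                                         "Pattern hit; confirm against the privacy policy and transfer safeguards."))
        else:
            for path, n, line in hits:  # handler located; completeness needs a full code read
                findings.append(_finding(len(findings) + 1, pattern, "low", f"{path}:{n}", line.strip(),
                                         "Deletion handler located; verify the cascade at --depth standard or deeper."))
    return findings


def summarize(findings):
    """Counts per pattern and severity, the shape of the skill's summary table."""
    table = {pattern: dict.fromkeys(SEVERITIES, 0) for pattern in PATTERNS}
    for f in findings:
        table[f["title"]][f["severity"]] += 1
    return table


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f["id"], f["severity"], f["title"], f["location"])
```

On the constructed scope this yields seven findings: one low hit locating deleteUser, one medium hit each for the amazonaws endpoint and the 365-day literal, and four high findings for consent withdrawal, age verification, processing restriction and breach notification, none of which appear anywhere in scope. Retention logic is present (the RETENTION literal), so that row is empty in the summary even though the hardcoded value is still flagged.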
