Data Migration Compliance: Your GDPR, HIPAA & SOC 2 Checklist
Regulation-by-regulation requirements mapped to migration steps. A universal pre/during/post migration checklist for compliance officers and IT admins.
Data migrations are high-risk events from a compliance perspective. You’re moving data — potentially including PII, PHI, or financial records — between systems, possibly across network boundaries. Regulators don’t care about your infrastructure refresh timeline; they care about whether data was protected throughout.
This guide maps compliance requirements to specific migration steps and gives you a universal checklist you can adapt to your regulatory environment.
Why Migrations Are Compliance Events
A data migration triggers compliance scrutiny because:
- Data is in transit — encryption requirements apply
- Access controls may change — permissions must be verified on the destination
- Audit trails matter — you must demonstrate what was moved, when, and by whom
- Data may cross boundaries — geographic, network, or organizational
- Integrity must be preserved — corrupted or missing data is a compliance failure
Compliance isn't optional
A migration that loses data, exposes PII, or lacks an audit trail can trigger regulatory fines. GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. HIPAA civil penalties are tiered per violation, with an inflation-adjusted annual cap per violated provision of roughly $1.9M. Plan compliance into the migration from the start, not as an afterthought.
Regulation-Specific Requirements
GDPR (General Data Protection Regulation)
Applies to: Any organization, wherever it is based, that processes personal data of individuals in the EU/EEA.
| Requirement | Migration Implication |
|---|---|
| Data minimization (Art. 5) | Only migrate data that’s still needed — don’t copy obsolete PII |
| Purpose limitation (Art. 5) | Document why data is being migrated and where |
| Security of processing (Art. 32) | Encrypt data in transit with protocols that actually encrypt the payload (NFSv4 with sec=krb5p, SMB3 with encryption enabled, HTTPS/TLS for S3), and encrypt at rest on the destination |
| Data Processing Agreement (Art. 28) | If using a migration service provider, a DPA is required |
| Right to erasure (Art. 17) | Ensure deletion requests are reflected in the migrated data |
| Data breach notification (Art. 33) | If data is exposed during migration, the supervisory authority must be notified within 72 hours of becoming aware; affected data subjects must be notified under Art. 34 if the risk to them is high |
| Records of processing (Art. 30) | Document the migration as a processing activity |
GDPR migration checklist:
- Data Protection Impact Assessment (DPIA) completed if high-risk data
- Legal basis documented for the migration
- Data Processing Agreement in place with any migration vendors
- Encryption enabled for data in transit
- Access limited to authorized personnel during migration
- Migration documented in Records of Processing Activities
- Post-migration: verify right-to-erasure requests are honored on new system
HIPAA (Health Insurance Portability and Accountability Act)
Applies to: Covered entities and business associates handling PHI.
| Requirement | Migration Implication |
|---|---|
| Access controls (§164.312(a)) | Only authorized users access data during migration |
| Audit controls (§164.312(b)) | Log all access to PHI during migration |
| Integrity controls (§164.312(c)) | Verify PHI is not altered during transfer |
| Transmission security (§164.312(e)) | Encrypt PHI in transit |
| Business Associate Agreement (§164.502(e)) | BAA required with migration service providers |
HIPAA migration checklist:
- Business Associate Agreement executed with migration tools/vendors
- PHI identified and classified before migration
- Encryption enabled for all PHI in transit
- Access logs enabled and retained; HIPAA requires security documentation to be kept for 6 years (§164.316(b)), so keep migration logs at least that long
- Integrity verification (checksums) performed post-migration
- Workforce training on handling PHI during migration
- Backup of PHI available in case of migration failure
SOC 2 (Service Organization Control 2)
Applies to: Service organizations that store/process customer data.
| Trust Services Criteria | Migration Implication |
|---|---|
| Security | Access controls, encryption, change management |
| Availability | Migration doesn’t cause unplanned downtime |
| Processing integrity | Data is complete and accurate after migration |
| Confidentiality | Data is protected from unauthorized access |
| Privacy | Personal information is collected, used, retained per policy |
SOC 2 migration checklist:
- Change management process followed (approval, testing, rollback plan)
- Encryption in transit and at rest on destination
- Access limited to authorized personnel with MFA
- Migration tested in non-production environment first
- Data integrity verification with checksums
- Incident response plan updated for migration period
- Evidence collected: logs, verification reports, approval records
Universal Migration Compliance Checklist
This checklist works across regulations. Adapt it to your specific requirements.
Pre-Migration
- Data classification — identify PII, PHI, financial data, confidential records
- Legal review — confirm migration is within legal/contractual bounds
- Risk assessment — DPIA (GDPR) or security assessment (HIPAA/SOC 2)
- Vendor agreements — DPA/BAA with any third parties involved
- Access controls — define who can access data during migration
- Encryption plan — document encryption for data in transit and at rest
- Rollback plan — define how to reverse the migration if issues arise
- Communication plan — notify stakeholders, including DPO if applicable
- Retention review — identify data past retention period (don’t migrate it)
During Migration
- Encrypted transfer — verify encryption is active (not just configured)
- Access logging — all data access during migration is logged
- Progress monitoring — track what’s been transferred and what’s remaining
- Error handling — failed transfers are logged and retried or escalated
- Staging hygiene — any intermediate staging area is encrypted at rest, scoped to the migration team only, and securely wiped once the transfer is verified
- Incident detection — monitoring for unauthorized access attempts
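The "verify encryption is active (not just configured)" item is easy to get wrong by reading the configuration instead of the running state. The script below is an added example, not code from this page or from syncopio: it inspects /proc/mounts on a Linux migration host (the options the kernel actually negotiated, as opposed to what /etc/fstab requested) and flags NFS mounts whose security flavour is not krb5p and CIFS/SMB mounts that are not sealed. The server names, share names and sample mount lines are constructed for the example.

```python
"""Flag network mounts that carry migration data in cleartext (added example)."""
import sys

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Hostnames and shares are hypothetical.
SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
nfs.example.internal:/export/ehr /mnt/ehr nfs4 rw,relatime,vers=4.2,rsize=1048576,sec=krb5p,clientaddr=10.0.0.5,local_lock=none 0 0
nfs.example.internal:/export/archive /mnt/archive nfs rw,relatime,vers=3,rsize=1048576,sec=sys,mountvers=3,mountproto=tcp 0 0
nfs.example.internal:/export/lab /mnt/lab nfs4 rw,relatime,vers=4.1,sec=krb5i,local_lock=none 0 0
//files.example.internal/finance /mnt/finance cifs rw,relatime,vers=3.1.1,cache=strict,username=migrate,uid=0,seal,noperm 0 0
//files.example.internal/legacy /mnt/legacy cifs rw,relatime,vers=2.1,cache=strict,username=migrate,uid=0,noperm 0 0
"""


def parse_options(opts):
    """Split 'a=b,c,d=e' into ({'a': 'b', 'd': 'e'}, {'c'})."""
    kv, flags = {}, set()
    for opt in opts.split(","):
        if "=" in opt:
            key, value = opt.split("=", 1)
            kv[key] = value
        elif opt:
            flags.add(opt)
    return kv, flags


def assess_mount(line):
    """Return (mountpoint, encrypted, reason) for a network mount, None for local filesystems."""
    fields = line.split()
    if len(fields) < 4:
        return None
    _device, mountpoint, fstype, opts = fields[:4]
    kv, flags = parse_options(opts)

    if fstype in ("nfs", "nfs4"):
        # sec=sys (AUTH_SYS) is the default when absent: no user authentication, cleartext.
        # krb5  = Kerberos authentication only, payload still cleartext
        # krb5i = Kerberos + integrity (signed), payload still cleartext
        # krb5p = Kerberos + privacy: payload encrypted
        sec = kv.get("sec", "sys")
        reason = f"{fstype} vers={kv.get('vers', '?')} sec={sec}"
        return (mountpoint, sec == "krb5p", reason)

    if fstype in ("cifs", "smb3"):
        # SMB encryption needs a 3.x dialect and the 'seal' option.
        # Signing (the default on SMB2/3) protects integrity only, not confidentiality.
        vers = kv.get("vers", "")
        sealed = "seal" in flags and vers.startswith("3")
        reason = f"{fstype} vers={vers or '?'} seal={'yes' if 'seal' in flags else 'no'}"
        return (mountpoint, sealed, reason)

    return None


def unencrypted_mounts(proc_mounts_text):
    """List of (mountpoint, reason) for every network mount whose payload is not encrypted."""
    findings = []
    for line in proc_mounts_text.splitlines():
        verdict = assess_mount(line)
        if verdict and not verdict[1]:
            findings.append((verdict[0], verdict[2]))
    return findings


if __name__ == "__main__":
    # Run with --live on the migration host to read the real /proc/mounts.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/mounts").read() if live else SAMPLE_PROC_MOUNTS
    bad = unencrypted_mounts(text)
    for mountpoint, why in bad:
        print(f"CLEARTEXT {mountpoint}: {why}")
    sys.exit(1 if bad else 0)
```

Run it with `--live` on each migration host before the first byte is copied and again if a mount is re-established mid-migration; a non-zero exit is a stop condition, not a warning. Note that krb5i, which many teams assume is "Kerberos, so encrypted", is flagged: it signs the payload but does not encrypt it.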
Post-Migration
- Integrity verification — checksum comparison between source and destination
- Permission verification — ACLs/permissions match requirements on destination
- Completeness check — all expected files/records are present
- Source data handling — secure deletion from source per retention policy
- Audit report generation — document what was migrated, when, by whom, with what results
- Access control update — revoke temporary migration access
- Evidence archival — store logs, reports, and verification results for audit period
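The integrity, completeness and audit-report items above can be covered in one verification pass rather than by trusting a tool's exit code. This script is an added example, not part of the page or of any migration tool: it hashes every regular file under a source and a destination tree with SHA-256, classifies each path as matched, mismatched, missing or extra, and writes a timestamped JSON evidence record naming the operator, host and change ticket. The operator name, ticket id and fixture files in demo() are hypothetical.

```python
"""Post-migration integrity, completeness and evidence check (added example)."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream the file so multi-GB archives never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped on purpose: following them could hash data outside the
    migration scope, and a dangling link on the destination would otherwise
    abort the whole verification run instead of being reported.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def verify_migration(src, dst):
    """Compare source and destination trees.

    'extra' files on the destination are reported too: they are either data the
    retention review said not to migrate, or leftovers from a staging area.
    """
    s, d = hash_tree(src), hash_tree(dst)
    result = {"ok": [], "mismatch": [], "missing": [], "extra": []}
    for rel, digest in s.items():
        if rel not in d:
            result["missing"].append(rel)
        elif d[rel] != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = list(set(d) - set(s))
    for bucket in result.values():
        bucket.sort()
    return result


def write_evidence(result, src, dst, operator, ticket, out_path):
    """Evidence record: what was checked, when, by whom, on which host, with what outcome."""
    record = {
        "checked_at_utc": datetime.now(timezone.utc).isoformat(),
        "host": socket.gethostname(),
        "operator": operator,        # hypothetical: the person named on the change ticket
        "change_ticket": ticket,     # hypothetical ticket id
        "source": str(src),
        "destination": str(dst),
        "algorithm": "sha256",
        "counts": {k: len(v) for k, v in result.items()},
        # Integrity and completeness both have to hold; extras are a warning to review.
        "passed": not (result["mismatch"] or result["missing"]),
        "details": {k: v for k, v in result.items() if k != "ok"},
    }
    Path(out_path).write_text(json.dumps(record, indent=2))
    return record


def demo():
    """Constructed fixture: one intact copy, one corrupted copy, one file never
    copied, one leftover on the destination. Returns the verification result."""
    base = Path(tempfile.mkdtemp(prefix="migcheck-"))
    src, dst = base / "src", base / "dst"
    (src / "records").mkdir(parents=True)
    (dst / "records").mkdir(parents=True)
    good = b"id,dob\n1,1970-01-01\n"
    (src / "records" / "patient-001.csv").write_bytes(good)
    (dst / "records" / "patient-001.csv").write_bytes(good)
    (src / "records" / "patient-002.csv").write_bytes(b"id,dob\n2,1980-05-05\n")
    (dst / "records" / "patient-002.csv").write_bytes(b"id,dob\n2,1980-05-06\n")  # corrupted copy
    (src / "notes.txt").write_bytes(b"never copied\n")
    (dst / ".staging.tmp").write_bytes(b"leftover from staging\n")
    result = verify_migration(src, dst)
    write_evidence(result, src, dst, "j.doe", "CHG-0042", base / "evidence.json")
    return result


if __name__ == "__main__":
    print(json.dumps({k: len(v) for k, v in demo().items()}))
```

Point verify_migration() at the real source and destination mount points after the final sync, and archive the JSON record alongside the transfer logs for the retention period. Hashing both sides from the same host also catches the failure mode where the copy tool reported success but a silently truncated file landed on the destination.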
Keep evidence for the right duration
GDPR doesn’t specify a retention period for records of processing, but 3-5 years is common practice. HIPAA requires documentation to be kept for 6 years. SOC 2 evidence must cover at least the audit period (typically 12 months) plus the time the auditor needs to review it. Know your retention requirements before the migration, so the logs are written to a location with the right retention from day one.
Migration Tools and Compliance
How do common migration tools support compliance requirements?
| Requirement | rsync | Robocopy | rclone | syncopio |
|---|---|---|---|---|
| Encrypted transfer | SSH | SMB encryption | HTTPS | NFS krb5p, SMB3, HTTPS |
| Audit logging | --log-file | /LOG | --log-file | Built-in audit trail |
| Checksum verification | --checksum (extra read pass on both sides) | Not available | --checksum | During transfer |
| Compliance reports | Manual | Manual | Manual | PDF/CSV/Excel export |
| Access control | SSH keys | AD/NTFS | Config-based | Role-based + API keys |
| Evidence generation | Parse logs manually | Parse logs manually | Parse logs manually | Automated reports |
Compliance-ready migration reports
syncopio generates compliance evidence automatically: checksummed transfer reports, audit trails with timestamps, and exportable reports in PDF, CSV, and Excel formats. No manual log parsing required.
Common Compliance Mistakes During Migrations
- Migrating data you should have deleted — retention policies exist for a reason
- Using unencrypted protocols — NFSv3 and SMB1 send data in cleartext, and so do NFSv4 with sec=sys and SMB2/3 without encryption enabled; signing protects integrity, not confidentiality
- No verification — “it copied successfully” isn’t evidence; checksums are
- Temporary staging without encryption — data sitting on a staging server unencrypted
- Missing audit trail — “we migrated the data last month” without logs or timestamps
- Forgetting the BAA/DPA — using a cloud migration tool without a vendor agreement
- Not revoking migration access — temporary elevated permissions that persist
Further Reading
- Why Checksums Matter: How syncopio Verifies Every File — data integrity deep-dive
- Data Migration: The Complete Guide — end-to-end methodology
- NFS vs SMB: Security Comparison — protocol security features