Most data migration projects treat compliance as a step done AFTER cutover. That's expensive — when auditors find a gap, you're rebuilding controls into a live production system. The right move is to bake the controls into the ETL pipeline from day one. Below are the three most common frameworks, what auditors actually ask for, and the 9 specific controls that satisfy all three.
What auditors actually ask
Across SOX, GDPR, and HIPAA, auditors converge on five questions during a migration:
- Who could see this data? (access controls + audit trail)
- Who actually saw it? (access logs)
- Did the data get to the target system unchanged? (control totals + reconciliation)
- Can you prove no records were dropped? (row-count reconciliation)
- Can you reproduce the exact load if subpoenaed? (versioned mapping + immutable run log)
The 9 controls that satisfy all three frameworks
- Control 1 — Role-based access. Only named users can run loads. Loads run under a shared service-account password aren't attributable to a person, so they don't count.
- Control 2 — MFA on the ETL workspace. Required by most SOX programs since 2024.
- Control 3 — Immutable audit log. Every load attempt logged with user, timestamp, source, target, row count, success/fail. Cannot be edited.
- Control 4 — PII masking on test environments. Production data with names and SSNs cannot live in test/sandbox tenants. Mask during the extract, not after.
- Control 5 — Encryption at rest + in transit. Source extract files encrypted on disk; transport TLS 1.2+.
- Control 6 — Reconciliation evidence. Every load produces a control-total report (PDF), retained per the framework's retention rule (SOX: 7 years).
- Control 7 — Versioned mappings. Every change to a crosswalk is versioned with who/when/why. Auditors will ask to see version 3 of a mapping that ran last March.
- Control 8 — Right-to-be-forgotten support (GDPR). The pipeline must be able to omit specific records on demand and prove they're not in the target.
- Control 9 — Data Processing Record. A short document for each migration: what data, what source, what target, what legal basis, what retention. Required by GDPR Article 30.
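Controls 3 and 6 are the two that produce evidence on every run, so here is an added example (not Syntra's pipeline code) of what that evidence can look like: a reconciliation report with row counts, a control total and the keys of any dropped records, appended to a hash-chained run log that fails verification if any past entry is edited or removed. The sample extracts, user names and mapping version are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample extracts (not real data): what left the source and what
# actually landed in the target. INV-002 was dropped in flight.
SOURCE = [{"id": "INV-001", "amount": 120.50}, {"id": "INV-002", "amount": 80.00},
          {"id": "INV-003", "amount": 15.25}]
TARGET = [{"id": "INV-001", "amount": 120.50}, {"id": "INV-003", "amount": 15.25}]

def reconcile(source, target, key="id", total_col="amount"):
    """Control 6 evidence: row counts, a control total on a numeric column,
    and the keys of any records dropped or added between source and target."""
    src_keys = {r[key] for r in source}
    tgt_keys = {r[key] for r in target}
    report = {
        "source_rows": len(source), "target_rows": len(target),
        "source_total": round(sum(r[total_col] for r in source), 2),
        "target_total": round(sum(r[total_col] for r in target), 2),
        "dropped_keys": sorted(src_keys - tgt_keys),
        "unexpected_keys": sorted(tgt_keys - src_keys),
    }
    report["passed"] = (report["source_rows"] == report["target_rows"]
                        and report["source_total"] == report["target_total"]
                        and not report["dropped_keys"] and not report["unexpected_keys"])
    return report

def _entry_hash(entry):
    # Hash every field except the hash itself, with stable key ordering.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_run_log(log, user, mapping_version, report):
    """Control 3: append-only run log. Each entry embeds the previous entry's
    hash, so editing or deleting any past entry breaks verify_run_log()."""
    entry = {"user": user, "timestamp": datetime.now(timezone.utc).isoformat(),
             "mapping_version": mapping_version, "report": report,
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify_run_log(log):
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

In practice the log would be written to append-only storage (a WORM bucket or a write-once table) and the chain head published out of band; the hash chain alone only detects tampering, it does not prevent it.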
Framework-specific extras
Beyond the 9 shared controls, each framework has 1–2 extras:
- SOX: SoD checks during the load. The same person cannot configure a mapping AND approve its production run.
- GDPR: Cross-border data transfer log. If the source is in the EU and the target is in the US, log every transfer with the legal mechanism relied on (SCCs, etc.).
- HIPAA: BAA in place with the ETL vendor. Without a Business Associate Agreement, a US healthcare ETL is technically non-compliant from day one.
Don't outsource your audit risk
A vendor that says "we're SOC 2 certified" is helpful but doesn't transfer your audit risk. The customer is still on the hook for proving the controls worked during the migration. That means: even with a SOC 2-certified vendor, the customer needs to retain the run logs, the reconciliation reports, and the mapping versions for the auditor's retention period. Plan for it.
The Syntra ETL team has run more than 100 enterprise data migrations to Oracle Fusion Cloud. We share what we learn so your migration is faster, cleaner, and more boring than ours were.