IT AI Skill

Data Privacy GDPR Compliance

Manage data privacy compliance including GDPR, CCPA/CPRA, and other data protection regulations. Use when conducting data protection impact assessments, managing data subject requests (DSARs), implementing privacy-by-design, maintaining data processing reco...

Data Privacy & GDPR Compliance

Manage organizational data privacy compliance across GDPR, CCPA/CPRA, and global data protection regulations with systematic controls, automation, and governance.

Workflow

  1. Conduct data mapping exercise: inventory all personal data processed, purposes, legal bases, data flows, retention periods, and third-party recipients.
  2. Designate Data Protection Officer (DPO) if required (public authority, large-scale systematic monitoring, large-scale special category data processing).
  3. Implement privacy-by-design principles: data minimization, purpose limitation, default privacy settings, privacy impact assessments for high-risk processing.
  4. Establish DSAR (Data Subject Access Request) process: intake, verification, fulfillment within statutory timeframes (30 days for GDPR, 45 days for CCPA).
  5. Configure consent management platform (CMP): granular consent, consent withdrawal, consent logging, cookie consent banners compliant with ePrivacy directive.
  6. Execute data protection impact assessments (DPIAs) for high-risk processing: profiling, large-scale sensitive data, systematic monitoring, new technologies.
  7. Implement data breach detection, response, and notification procedures: 72-hour notification to supervisory authority (GDPR Art. 33), 24-hour notification for California breaches.
  8. Maintain records of processing activities (RoPA): document all processing operations per GDPR Art. 30.
  9. Manage cross-border data transfers: Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), adequacy decisions, binding corporate rules (BCRs).
  10. Conduct annual privacy compliance audit: policy review, control testing, DSAR response time review, consent audit, third-party assessment.

Regulatory Framework Overview

GLOBAL DATA PROTECTION LAWS COMPARISON
========================================

GDPR (European Union / UK):
  → Scope: All organizations processing EU/UK residents' personal data (regardless of location)
  → Applies to: >250 employees OR any size processing special category data / large-scale monitoring
  → Key rights: Access, rectification, erasure ("right to be forgotten"), portability, objection, restriction
  → Consent: Explicit, informed, granular, easy to withdraw; pre-ticked boxes prohibited
  → DSAR response: 30 days (extendable by 60 days for complex requests)
  → DPIA required: Profiling, large-scale sensitive data, systematic monitoring, new tech
  → Breach notification: 72 hours to supervisory authority; affected individuals without undue delay
  → Fines: Up to €20 million or 4% of global annual turnover (whichever is higher)
  → Data retention: Minimum necessary; specific time limits; regular review
  → DPO: Mandatory for public authorities, large-scale monitoring/sensitive data

CCPA / CPRA (California):
  → Scope: For-profit entities doing business in CA meeting thresholds:
     - $25M+ annual gross revenue, OR
     - Buy/sell/share personal data of 100,000+ consumers/households, OR
     - 50%+ revenue from selling/sharing personal data
  → Key rights: Know, delete, correct, opt-out of sale/share, limit sensitive data use, non-discrimination
  → Consent: Opt-out for sale/sharing; opt-in for sensitive data use
  → DSAR response: 45 days (extendable by 45 days with notice)
  → Breach notification: Without unreasonable delay; no specific hour requirement
  → Fines: $7,500 per intentional violation / $2,500 per non-intentional (per consumer, per day)
  → Private right of action: Data breaches only (consumers can sue directly)

LGPD (Brazil):
  → Scope: Data processing in Brazil or targeting Brazilian individuals
  → Key rights: Access, correction, anonymization, deletion, portability, consent withdrawal
  → Fines: Up to 2% of Brazilian revenue (max R$50 million per violation)
  → Breach notification: "Reasonable time" to regulator and affected individuals

PIPEDA (Canada):
  → Scope: Private-sector organizations across Canada collecting personal data in commerce
  → Key rights: Access, correction, consent withdrawal, complaint to OPC
  → Breach notification: 72 hours to Privacy Commissioner; affected individuals if risk of harm
  → Fines: Up to CAD $100,000

Australia Privacy Act (with Notifiable Data Breaches scheme):
  → Scope: Organizations with >$3M AUD turnover or government agencies
  → Key rights: Access, correction, complaint to OAIC
  → Breach notification: As soon as practicable when likely serious harm
  → Fines: Up to AUD 50 million or 3x benefit obtained (enhanced from 2022)

Data Subject Access Request (DSAR) Process

DSAR PROCESS PLAYBOOK
=======================

INTAKE (DAY 0–1):

  Channels for receiving requests:
    → Dedicated email: [email protected]
    → Web form: www.company.com/privacy-request
    → Phone: Privacy hotline (logged and documented)
    → In writing: Postal mail to legal/privacy office

  Required information from requester:
    → Full name and contact information
    → Account identifier (if applicable)
    → Government-issued ID for verification (minimum necessary)
    → Specific request type (access, deletion, correction, portability, objection)

  Automated acknowledgment:
    → Within 24 hours: email confirming receipt and request reference number
    → Estimated response date included
    → Information needed for verification (if insufficient)

VERIFICATION (DAY 1–3):

  Identity verification (proportionate to risk):
    → Low risk (data access): Match name + email + account
    → Medium risk (data deletion): Match name + email + account + security question
    → High risk (sensitive data): Government ID verification (copy securely stored, deleted after)

  Special cases:
    → Legal representative: Power of attorney or parent/guardian documentation
    → Deceased individual: Next of kin with death certificate and legal authority
    → Corporate representative: Authorized signatory with board resolution

FULFILLMENT (DAY 3–25):

  Data Access Request:
    → Search all systems: CRM, HRIS, databases, data warehouses, backups (if accessible)
    → Compile all personal data in readable format (JSON, CSV, PDF)
    → Include: data categories, purposes, recipients, retention periods, automated decision info
    → Redact third-party data not belonging to requester
    → Format: Machine-readable format per GDPR Art. 20 (data portability)
    → Review: Legal/privacy team reviews output before sending
    → Cost: Free first copy; reasonable fee for excessive/repetitive requests

  Data Deletion Request ("Right to Be Forgotten"):
    → Identify all instances of personal data across systems
    → Check legal exemptions (cannot delete if required for):
      - Legal obligation (tax records, employment records)
      - Legal claim defense
      - Public interest / archiving
      - Freedom of expression
    → Delete from: Primary databases, backups (when feasible), analytics, logs (anonymize)
    → Notify third-party processors to delete (GDPR Art. 17(2))
    → Document deletion: system, date, method, verification

  Data Correction Request:
    → Identify inaccurate data
    → Requester provides correct information
    → Update across all systems within 5 business days
    → Notify third parties who received inaccurate data
    → Confirm correction to requester

  Right to Object (profiling, direct marketing):
    → Immediate halt of processing for direct marketing (no justification needed)
    → For other processing: assess legitimate interest override
    → If override justified: explain to data subject; allow appeal
    → If no override: stop processing immediately

RESPONSE (DAY 25–30):

  Delivery:
    → Secure channel (encrypted email, secure portal, postal mail for sensitive data)
    → Plain language explanation of actions taken
    → Information about right to lodge complaint with supervisory authority
    → Contact details for follow-up questions

  Documentation:
    → DSAR log entry: request date, type, verification method, fulfillment date, actions taken
    → Retention: DSAR records kept for 3 years (for compliance audits)
    → Metrics tracked: avg response time, completion rate, common request types

TIMELINE COMPLIANCE:
    → Target: 15 business days (well within 30-day requirement)
    → Extension: Document justification; notify data subject within initial 30 days
    → Missed deadline: Escalate to DPO; notify legal; assess regulatory risk

AUTOMATION OPPORTUNITIES:
    → OneTrust / BigID / Transcend: DSAR automation platforms
    → Auto-discovery of personal data across systems
    → Workflow routing: intake → verification → fulfillment → review → delivery
    → SLA tracking with escalation alerts at 15, 20, 25 days
    → Template responses for common request types
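
The SLA tracking described above (30-day GDPR and 45-day CCPA windows, documented extensions notified within the initial period, alerts at 15/20/25 days, escalation when overdue) as an added example; this is illustrative code, not part of the original page or any vendor platform, and the request references and dates are constructed.

```python
# Added example, not from the original page: DSAR clock and escalation tracker for the
# 30-day (GDPR) / 45-day (CCPA) windows, the extension rules and the 15/20/25-day alerts.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

STATUTORY_DAYS = {"GDPR": 30, "CCPA": 45}   # initial response window, calendar days
EXTENSION_DAYS = {"GDPR": 60, "CCPA": 45}   # maximum extension per regime
ESCALATION_DAYS = (15, 20, 25)              # SLA alert thresholds, days since intake

@dataclass
class DSAR:
    ref: str
    regime: str                      # "GDPR" or "CCPA"
    received: date
    request_type: str                # access, deletion, correction, portability, objection
    extended_on: Optional[date] = None
    extension_reason: str = ""
    fulfilled_on: Optional[date] = None
    log: List[str] = field(default_factory=list)

    def deadline(self) -> date:
        days = STATUTORY_DAYS[self.regime]
        if self.extended_on is not None:
            days += EXTENSION_DAYS[self.regime]
        return self.received + timedelta(days=days)

    def extend(self, on: date, reason: str) -> None:
        # An extension needs a documented justification and must be notified to the
        # data subject within the initial response period, not after it has lapsed.
        if not reason:
            raise ValueError("extension requires a documented justification")
        if on > self.received + timedelta(days=STATUTORY_DAYS[self.regime]):
            raise ValueError("extension must be notified within the initial period")
        self.extended_on, self.extension_reason = on, reason
        self.log.append(f"{on.isoformat()} extended: {reason}")

    def close(self, on: date, actions: str) -> None:
        self.fulfilled_on = on
        self.log.append(f"{on.isoformat()} fulfilled: {actions}")

    def status(self, today: date) -> str:
        """SLA state used for workflow routing: on_track, alert_<N>, overdue or closed."""
        if self.fulfilled_on is not None:
            return "closed"
        if today > self.deadline():
            return "overdue"     # escalate to DPO, notify legal, assess regulatory risk
        elapsed = (today - self.received).days
        passed = [d for d in ESCALATION_DAYS if elapsed >= d]
        return f"alert_{passed[-1]}" if passed else "on_track"
```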

Data Protection Impact Assessment (DPIA)

DPIA FRAMEWORK AND TEMPLATE
=============================

WHEN DPIA IS REQUIRED (GDPR Art. 35):

  → Systematic and extensive evaluation of personal data (profiling with legal/significant effects)
  → Large-scale processing of special category data (health, biometric, genetic, religious)
  → Systematic monitoring of publicly accessible areas (CCTV, location tracking)
  → New technologies: AI/ML processing, facial recognition, IoT data collection
  → Data matching/combining from different sources
  → Processing vulnerable data subjects (children, employees, health patients)

DPIA PROCESS STEPS:

  Step 1: Describe the Processing
    → Nature: What data is collected? (categories, special categories)
    → Purpose: Why is it processed? (business objective, legal basis)
    → Context: How is it processed? (systems, technologies, data flows)
    → Retention: How long is it kept? (retention schedule, deletion criteria)
    → Stakeholders: Data controller, processors, sub-processors, DPO

  Step 2: Assess Necessity and Proportionality
    → Necessity test: Is processing necessary for the stated purpose?
    → Least intrusive alternative: Could less data achieve the same purpose?
    → Data minimization: Only data strictly needed is collected
    → Proportionality: Data collection balanced against individual rights

  Step 3: Assess Risks to Rights and Freedoms
    → Confidentiality risks: Unauthorized access, data breach, data leakage
    → Integrity risks: Data modification, inaccurate profiling decisions
    → Availability risks: Data loss, system failure affecting access rights
    → Autonomy risks: Profiling, manipulation, discrimination
    → Reputational risks: Public exposure, identity theft, financial loss
    → Risk scoring: Likelihood (1-5) × Impact (1-5) = Risk Level
       Low (1-5): Acceptable with documentation
       Medium (6-12): Requires mitigating measures
       High (13-25): Requires consultation with supervisory authority

  Step 4: Identify Mitigating Measures
    → Technical: Encryption, pseudonymization, access controls, DLP
    → Organizational: Policies, training, audit trails, retention schedules
    → Process: DPIA update triggers, regular reviews, incident response
    → Contractual: DPA with processors, SCCs for transfers, audit rights

  Step 5: Residual Risk Assessment
    → Re-score risks after mitigation applied
    → If still high: Consult supervisory authority before processing
    → Document residual risk acceptance with sign-off from data protection lead

  Step 6: Approvals and Sign-Off
    → DPO review and opinion
    → Data protection lead approval
    → Legal team review
    → Senior management sign-off
    → Supervisory authority consultation (if high residual risk)

DPIA TEMPLATE STRUCTURE:
    Section 1: Description of Processing (nature, purpose, necessity, proportionality)
    Section 2: Assessment of Necessity and Proportionality
    Section 3: Risk Assessment (risks to data subjects' rights)
    Section 4: Mitigating Measures (safeguards, security measures, guarantees)
    Section 5: Residual Risk Assessment and Conclusion
    Section 6: Approvals and Consultation (sign-offs, authority consultation if needed)
    Appendices: Data flow diagrams, system architecture, processing agreements

Consent Management

CONSENT MANAGEMENT FRAMEWORK
==============================

CONSENT REQUIREMENTS BY REGULATION:

  GDPR (Strict Opt-In):
    → Freely given: No bundling consent with service terms; separate consent for each purpose
    → Specific: Separate consent for each processing purpose (no blanket consent)
    → Informed: Clear, plain language description of what consent covers
    → Unambiguous: Active opt-in (checkbox not pre-ticked; no silence/inactivity as consent)
    → Withdrawable: As easy to withdraw as to give; no detriment for withdrawal
    → Children: Age of consent varies by member state (13-16); parental consent required below

  CCPA/CPRA (Opt-Out for Sale):
    → "Do Not Sell or Share My Personal Information" link on website/app
    → Global Privacy Control (GPC) signal: Must honor browser GPC signal
    → No discrimination for opting out (same price and quality of service)
    → Consent for sensitive data: Opt-in required for sensitive personal information use
    → Children under 13: Parental consent required
    → Children 13-16: Direct consent required (no parental consent needed)

CONSENT BANNER CONFIGURATION:

  Tier 1 (Strict / EU-focused):
    → No tracking scripts loaded until consent given
    → Cookie wall NOT acceptable for free services (must allow access without consent)
    → Categories: Strictly necessary (no consent), Analytics (consent), Marketing (consent), Functional (consent)
    → Granular choices: Toggle per category; "Accept all" and "Reject all" equally prominent
    → Consent preferences center: Accessible from any page; manage consent anytime

  Tier 2 (Standard / US-focused):
    → Notice at collection (not full consent required for all processing)
    → "Do Not Sell/Share" link in footer
    → Honor GPC signal
    → Privacy policy with clear sale/sharing disclosure

CONSENT RECORDING AND STORAGE:

  Consent log entries:
    → Timestamp (ISO 8601, with timezone)
    → User identifier (pseudonymized)
    → IP address (hashed for security)
    → Browser/device fingerprint
    → Consent version (privacy policy version at time of consent)
    → Categories consented to (granular)
    → Withdrawal timestamp and method (if withdrawn)
    → CMP vendor and version (for audit)

  Retention: Consent records kept for 3-7 years (varies by jurisdiction)
  Access: Data subjects can request consent history via DSAR
  Audit: Annual consent audit (sample review for compliance)
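
The consent log described above as an added example (not code from the original page or any CMP vendor): each entry carries the listed fields, the user id, IP and device are pseudonymized with a keyed hash, withdrawal is written onto the entry it revokes, and the ledger answers both "may this category be processed now?" and a DSAR consent-history request. The key, policy versions, vendor tag and users are constructed values.

```python
# Added example, not from the original page; key, versions and users are constructed.
import hashlib
import hmac
from datetime import datetime, timezone

PSEUDONYM_KEY = b"constructed-demo-key-keep-real-keys-in-a-secrets-manager"
STRICTLY_NECESSARY = "strictly_necessary"            # never needs consent
CONSENT_CATEGORIES = {"analytics", "marketing", "functional"}

def pseudonymize(value: str) -> str:
    # Keyed hash: the ledger alone cannot be reversed to an identity or an IP address.
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]

class ConsentLedger:
    def __init__(self):
        self.entries = []   # one entry per consent event; withdrawal is recorded on its entry

    def history(self, user_id: str) -> list:
        # Consent history for a DSAR; identifiers are already pseudonymized.
        pseudo = pseudonymize(user_id)
        return [e for e in self.entries if e["user"] == pseudo]

    def record(self, user_id, ip, user_agent, policy_version, categories, at=None) -> dict:
        unknown = set(categories) - CONSENT_CATEGORIES
        if unknown:
            raise ValueError(f"unknown consent categories: {sorted(unknown)}")
        entry = {
            "timestamp": (at or datetime.now(timezone.utc)).isoformat(),  # ISO 8601, with zone
            "user": pseudonymize(user_id),
            "ip_hash": pseudonymize(ip),
            "device": pseudonymize(user_agent),
            "consent_version": policy_version,
            "categories": sorted(categories),    # only categories actively opted in to
            "withdrawn": None,                   # {"timestamp", "method"} once withdrawn
            "cmp": "example-cmp/1.0",            # constructed CMP vendor/version tag
        }
        self.entries.append(entry)
        return entry

    def withdraw(self, user_id, method, at=None) -> None:
        stamp = (at or datetime.now(timezone.utc)).isoformat()
        for e in self.history(user_id):
            if e["withdrawn"] is None:
                e["withdrawn"] = {"timestamp": stamp, "method": method}

    def permitted(self, user_id, category, current_version) -> bool:
        if category == STRICTLY_NECESSARY:
            return True
        # Latest unwithdrawn entry decides; consent given against an older policy version is
        # treated as stale, so re-consent is required (a conservative assumption of this example).
        for e in reversed(self.history(user_id)):
            if e["withdrawn"] is None:
                return e["consent_version"] == current_version and category in e["categories"]
        return False
```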

CMP VENDORS:
    → OneTrust: Enterprise-grade; consent + DSAR + cookie management + vendor management
    → Cookiebot: European-focused; automatic cookie scanning; GDPR-compliant defaults
    → Didomi: Consent management with privacy portal; real-time consent API
    → Osano: Affordable; consent + DSAR + privacy center; multi-regulation
    → Sourcepoint: Enterprise CMP with granular consent; data layer integration

Data Breach Response

DATA BREACH RESPONSE PLAYBOOK
===============================

PHASE 1: DETECTION AND ASSESSMENT (0-4 HOURS)

  Detection sources:
    → DLP alerts: Unusual data exfiltration, policy violations
    → SIEM alerts: Unauthorized access attempts, anomalous behavior
    → External reports: Customer notification, security researcher, regulator
    → System anomalies: Unexpected database queries, large data exports
    → Third-party notification: Processor breach affecting your data

  Initial assessment:
    → What data was affected? (categories, sensitivity, special category)
    → How many individuals affected? (count, approximate or exact)
    → What is the nature of the breach? (unauthorized access, accidental disclosure, loss)
    → When did the breach occur and when was it discovered?
    → What is the potential impact on affected individuals?

PHASE 2: CONTAINMENT (4-24 HOURS)

  Containment actions:
    → Isolate affected systems (network segmentation, account disablement)
    → Reset credentials (compromised accounts, shared credentials)
    → Block unauthorized access (firewall rules, IP blocking, MFA enforcement)
    → Preserve evidence (forensic imaging, log preservation)
    → Engage incident response team (internal + external IR firm if needed)
    → Activate legal counsel (privilege protection for investigation)

PHASE 3: NOTIFICATION (24-72 HOURS)

  Regulatory notification:
    → GDPR: Notify supervisory authority within 72 hours of awareness
       - Describe: nature of breach, categories/number of data subjects, DPO contact
       - Likely consequences: assessment of risk to rights and freedoms
       - Measures taken: containment, mitigation, remediation
       - If >72 hours: include reasons for delay

    → CCPA: Notify without unreasonable delay
       - Describe categories of information breached
       - Approximate number of consumers affected
       - Steps taken in response
       - Contact information for questions
       - FTC resources: www.opsafe.org (if email addresses compromised)

  Individual notification (GDPR: "without undue delay" if high risk):
    → Plain language description of what happened
    → DPO contact details
    → What data was involved
    → What the company is doing about it
    → What the individual should do (password change, credit monitoring, etc.)
    → Offer: Credit monitoring service (12-24 months if financial/identity data)

PHASE 4: REMEDIATION AND REVIEW (1-4 WEEKS)

  Remediation:
    → Patch vulnerabilities exploited
    → Enhance security controls (additional MFA, network segmentation, monitoring)
    → Review access controls (least privilege, access reviews)
    → Update incident response procedures based on lessons learned

  Documentation:
    → Breach record: details, notification dates, remediation actions (GDPR Art. 33(5))
    → Post-incident report: root cause, timeline, lessons learned, recommendations
    → Board notification: executive summary of breach and response
    → Insurance claim: cyber insurance notification (within policy timeframe)
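
The notification clock from Phase 3 and the breach record from the Documentation list above as one added example (illustrative code, not from the original page): a register entry that runs the 72-hour GDPR clock from awareness, flags when a late filing must carry reasons for delay, decides whether affected individuals must be told, and keeps the notification dates the Art. 33(5) record needs. The recipient labels and timestamps are constructed.

```python
# Added example, not from the original page: breach register entry with the 72-hour clock,
# individual-notification decision and the Art. 33(5) record. Timestamps are constructed.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GDPR_AUTHORITY_WINDOW = timedelta(hours=72)

class BreachRecord:
    def __init__(self, ref: str, aware_at: datetime, risk: str, regimes: List[str]):
        if aware_at.tzinfo is None:
            raise ValueError("awareness time must be timezone-aware so the 72h clock cannot drift")
        if risk not in {"low", "medium", "high"}:
            raise ValueError("risk is the assessed risk to individuals: low, medium or high")
        self.ref, self.aware_at, self.risk, self.regimes = ref, aware_at, risk, regimes
        self.notifications: Dict[str, datetime] = {}   # recipient -> when it was notified
        self.remediation: List[str] = []

    def gdpr_deadline(self) -> Optional[datetime]:
        # The clock starts at awareness of the breach, not at containment or root cause.
        return self.aware_at + GDPR_AUTHORITY_WINDOW if "GDPR" in self.regimes else None

    def notify(self, recipient: str, at: datetime) -> None:
        self.notifications[recipient] = at

    def open_obligations(self, now: datetime) -> Dict[str, str]:
        """Notification duties still outstanding at `now`, keyed by recipient."""
        if now.tzinfo is None:
            raise ValueError("now must be timezone-aware")
        due: Dict[str, str] = {}
        if "GDPR" in self.regimes and "supervisory_authority" not in self.notifications:
            remaining = self.gdpr_deadline() - now
            if remaining > timedelta(0):
                due["supervisory_authority"] = f"{remaining.total_seconds() / 3600:.1f}h left of 72h"
            else:   # Art. 33: a late notification must be accompanied by reasons for the delay
                due["supervisory_authority"] = "OVERDUE: file now and include reasons for delay"
        if "GDPR" in self.regimes and self.risk == "high" and "data_subjects" not in self.notifications:
            due["data_subjects"] = "high risk: notify affected individuals without undue delay"
        if "CCPA" in self.regimes and "CCPA" not in self.notifications:
            due["CCPA"] = "notify without unreasonable delay"
        return due

    def register_entry(self) -> dict:
        # The breach record retained for the supervisory authority under GDPR Art. 33(5).
        return {
            "ref": self.ref,
            "aware_at": self.aware_at.isoformat(),
            "risk": self.risk,
            "notifications": {k: v.isoformat() for k, v in self.notifications.items()},
            "remediation": list(self.remediation),
        }
```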

Integration Points

Edge Cases