---
name: data-privacy-gdpr-compliance
description: Manage data privacy compliance including GDPR, CCPA/CPRA, and other data protection regulations. Use when conducting data protection impact assessments, managing data subject requests (DSARs), implementing privacy-by-design, maintaining data processing records, managing consent, configuring data retention, handling data breach notifications, or establishing privacy governance. Triggers on phrases like "GDPR compliance", "CCPA compliance", "data privacy", "DSAR", "data subject request", "privacy impact assessment", "DPIA", "data protection officer", "consent management", "right to be forgotten", "data breach notification", "privacy by design", "data processing agreement", "cross-border data transfer".
---

# Data Privacy & GDPR Compliance

Manage organizational data privacy compliance across GDPR, CCPA/CPRA, and global data protection regulations with systematic controls, automation, and governance.

## Workflow

1. Conduct data mapping exercise: inventory all personal data processed, purposes, legal bases, data flows, retention periods, and third-party recipients.
2. Designate Data Protection Officer (DPO) if required (public authority, large-scale systematic monitoring, large-scale special category data processing).
3. Implement privacy-by-design principles: data minimization, purpose limitation, default privacy settings, privacy impact assessments for high-risk processing.
4. Establish DSAR (Data Subject Access Request) process: intake, verification, fulfillment within statutory timeframes (30 days for GDPR, 45 days for CCPA).
5. Configure consent management platform (CMP): granular consent, consent withdrawal, consent logging, cookie consent banners compliant with ePrivacy directive.
6. Execute data protection impact assessments (DPIAs) for high-risk processing: profiling, large-scale sensitive data, systematic monitoring, new technologies.
7. Implement data breach detection, response, and notification procedures: 72-hour notification to supervisory authority (GDPR Art. 33), 24-hour notification for California breaches.
8. Maintain records of processing activities (RoPA): document all processing operations per GDPR Art. 30.
9. Manage cross-border data transfers: Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), adequacy decisions, binding corporate rules (BCRs).
10. Conduct annual privacy compliance audit: policy review, control testing, DSAR response time review, consent audit, third-party assessment.

## Regulatory Framework Overview

```
GLOBAL DATA PROTECTION LAWS COMPARISON
========================================

GDPR (European Union / UK):
  → Scope: All organizations processing EU/UK residents' personal data (regardless of location)
  → Applies to: >250 employees OR any size processing special category data / large-scale monitoring
  → Key rights: Access, rectification, erasure ("right to be forgotten"), portability, objection, restriction
  → Consent: Explicit, informed, granular, easy to withdraw; pre-ticked boxes prohibited
  → DSAR response: 30 days (extendable by 60 days for complex requests)
  → DPIA required: Profiling, large-scale sensitive data, systematic monitoring, new tech
  → Breach notification: 72 hours to supervisory authority; affected individuals without undue delay
  → Fines: Up to €20 million or 4% of global annual turnover (whichever higher)
  → Data retention: Minimum necessary; specific time limits; regular review
  → DPO: Mandatory for public authorities, large-scale monitoring/sensitive data

CCPA / CPRA (California):
  → Scope: For-profit entities doing business in CA meeting thresholds:
     - $25M+ annual gross revenue, OR
     - Buy/sell/share personal data of 100,000+ consumers/households, OR
     - 50%+ revenue from selling/sharing personal data
  → Key rights: Know, delete, correct, opt-out of sale/share, limit sensitive data use, non-discrimination
  → Consent: Opt-out for sale/sharing; opt-in for sensitive data use
  → DSAR response: 45 days (extendable by 45 days with notice)
  → Breach notification: Without unreasonable delay; no specific hour requirement
  → Fines: $7,500 per intentional violation / $2,500 per non-intentional (per consumer, per day)
  → Private right of action: Data breaches only (consumers can sue directly)

LGPD (Brazil):
  → Scope: Data processing in Brazil or targeting Brazilian individuals
  → Key rights: Access, correction, anonymization, deletion, portability, consent withdrawal
  → Fines: Up to 2% of Brazilian revenue (max R$50 million per violation)
  → Breach notification: "Reasonable time" to regulator and affected individuals

PIPEDA (Canada):
  → Scope: Private-sector organizations across Canada collecting personal data in commerce
  → Key rights: Access, correction, consent withdrawal, complaint to OPC
  → Breach notification: 72 hours to Privacy Commissioner; affected individuals if risk of harm
  → Fines: Up to CAD $100,000

Australia Privacy Act (with Notifiable Data Breaches scheme):
  → Scope: Organizations with >$3M AUD turnover or government agencies
  → Key rights: Access, correction, complaint to OAIC
  → Breach notification: As soon as practicable when likely serious harm
  → Fines: Up to AUD 50 million or 3x benefit obtained (enhanced from 2022)
```

## Data Subject Access Request (DSAR) Process

```
DSAR PROCESS PLAYBOOK
=======================

INTAKE (DAY 0–1):

  Channels for receiving requests:
    → Dedicated email: privacy@company.com
    → Web form: www.company.com/privacy-request
    → Phone: Privacy hotline (logged and documented)
    → In writing: Postal mail to legal/privacy office

  Required information from requester:
    → Full name and contact information
    → Account identifier (if applicable)
    → Government-issued ID for verification (minimum necessary)
    → Specific request type (access, deletion, correction, portability, objection)

  Automated acknowledgment:
    → Within 24 hours: email confirming receipt and request reference number
    → Estimated response date included
    → Information needed for verification (if insufficient)

VERIFICATION (DAY 1–3):

  Identity verification (proportionate to risk):
    → Low risk (data access): Match name + email + account
    → Medium risk (data deletion): Match name + email + account + security question
    → High risk (sensitive data): Government ID verification (copy securely stored, deleted after)

  Special cases:
    → Legal representative: Power of attorney or parent/guardian documentation
    → Deceased individual: Next of kin with death certificate and legal authority
    → Corporate representative: Authorized signatory with board resolution

FULFILLMENT (DAY 3–25):

  Data Access Request:
    → Search all systems: CRM, HRIS, databases, data warehouses, backups (if accessible)
    → Compile all personal data in readable format (JSON, CSV, PDF)
    → Include: data categories, purposes, recipients, retention periods, automated decision info
    → Redact third-party data not belonging to requester
    → Format: Machine-readable format per GDPR Art. 20 (data portability)
    → Review: Legal/privacy team reviews output before sending
    → Cost: Free first copy; reasonable fee for excessive/repetitive requests

  Data Deletion Request ("Right to Be Forgotten"):
    → Identify all instances of personal data across systems
    → Check legal exemptions (cannot delete if required for):
      - Legal obligation (tax records, employment records)
      - Legal claim defense
      - Public interest / archiving
      - Freedom of expression
    → Delete from: Primary databases, backups (when feasible), analytics, logs (anonymize)
    → Notify third-party processors to delete (GDPR Art. 17(2))
    → Document deletion: system, date, method, verification

  Data Correction Request:
    → Identify inaccurate data
    → Requester provides correct information
    → Update across all systems within 5 business days
    → Notify third parties who received inaccurate data
    → Confirm correction to requester

  Right to Object (profiling, direct marketing):
    → Immediate halt of processing for direct marketing (no justification needed)
    → For other processing: assess legitimate interest override
    → If override justified: explain to data subject; allow appeal
    → If no override: stop processing immediately

RESPONSE (DAY 25–30):

  Delivery:
    → Secure channel (encrypted email, secure portal, postal mail for sensitive data)
    → Plain language explanation of actions taken
    → Information about right to lodge complaint with supervisory authority
    → Contact details for follow-up questions

  Documentation:
    → DSAR log entry: request date, type, verification method, fulfillment date, actions taken
    → Retention: DSAR records kept for 3 years (for compliance audits)
    → Metrics tracked: avg response time, completion rate, common request types

TIMELINE COMPLIANCE:
    → Target: 15 business days (well within 30-day requirement)
    → Extension: Document justification; notify data subject within initial 30 days
    → Missed deadline: Escalate to DPO; notify legal; assess regulatory risk

AUTOMATION OPPORTUNITIES:
    → OneTrust / BigID / Transcend: DSAR automation platforms
    → Auto-discovery of personal data across systems
    → Workflow routing: intake → verification → fulfillment → review → delivery
    → SLA tracking with escalation alerts at 15, 20, 25 days
    → Template responses for common request types
```
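The timeline rules above (statutory clock, extension, escalation alerts at 15, 20 and 25 days, missed-deadline escalation, response-time metric) as a small tracker. This is an added example, not code from the original playbook; the `Dsar` class, its method names and the reference numbers are constructed for illustration.

```python
"""DSAR SLA tracker: statutory due dates, extensions and escalation tiers.

Added example, not part of the original playbook. It encodes the playbook's
numbers: a 30-day GDPR clock (extendable by 60 days), a 45-day CCPA clock
(extendable by 45), escalation alerts at 15, 20 and 25 days, and the rule that
an extension needs a documented reason and notice within the initial period.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# (initial period, permitted extension) in calendar days, per the playbook.
STATUTORY_DAYS = {"GDPR": (30, 60), "CCPA": (45, 45)}
ESCALATION_DAYS = (15, 20, 25)  # SLA alert thresholds from the playbook


@dataclass
class Dsar:
    reference: str  # e.g. "DSAR-2024-0001" (constructed)
    regime: str  # "GDPR" or "CCPA"
    received: date
    extended: bool = False
    extension_reason: str = ""
    completed: Optional[date] = None

    def initial_deadline(self) -> date:
        return self.received + timedelta(days=STATUTORY_DAYS[self.regime][0])

    def due_date(self) -> date:
        """Statutory due date, including the extension if one was recorded."""
        initial, extra = STATUTORY_DAYS[self.regime]
        return self.received + timedelta(days=initial + (extra if self.extended else 0))

    def extend(self, notified_on: date, reason: str) -> None:
        """Record an extension: documented reason, notified before the initial deadline."""
        if not reason.strip():
            raise ValueError("extension requires a documented justification")
        if notified_on > self.initial_deadline():
            raise ValueError("extension must be notified within the initial period")
        self.extended = True
        self.extension_reason = reason

    def status(self, today: date) -> str:
        """Dashboard state: open, open_alert_N (escalation tier reached),
        overdue_escalate_dpo, completed or completed_late."""
        if self.completed is not None:
            return "completed" if self.completed <= self.due_date() else "completed_late"
        if today > self.due_date():
            return "overdue_escalate_dpo"  # missed deadline: escalate to DPO and legal
        age = (today - self.received).days
        tier = sum(1 for threshold in ESCALATION_DAYS if age >= threshold)
        return f"open_alert_{tier}" if tier else "open"


def average_response_days(requests: List[Dsar]) -> Optional[float]:
    """Playbook metric: mean calendar days from receipt to completion."""
    done = [(r.completed - r.received).days for r in requests if r.completed]
    return sum(done) / len(done) if done else None
```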

## Data Protection Impact Assessment (DPIA)

```
DPIA FRAMEWORK AND TEMPLATE
=============================

WHEN DPIA IS REQUIRED (GDPR Art. 35):

  → Systematic and extensive evaluation of personal data (profiling with legal/significant effects)
  → Large-scale processing of special category data (health, biometric, genetic, religious)
  → Systematic monitoring of publicly accessible areas (CCTV, location tracking)
  → New technologies: AI/ML processing, facial recognition, IoT data collection
  → Data matching/combining from different sources
  → Processing vulnerable data subjects (children, employees, health patients)

DPIA PROCESS STEPS:

  Step 1: Describe the Processing
    → Nature: What data is collected? (categories, special categories)
    → Purpose: Why is it processed? (business objective, legal basis)
    → Context: How is it processed? (systems, technologies, data flows)
    → Retention: How long is it kept? (retention schedule, deletion criteria)
    → Stakeholders: Data controller, processors, sub-processors, DPO

  Step 2: Assess Necessity and Proportionality
    → Necessity test: Is processing necessary for the stated purpose?
    → Least intrusive alternative: Could less data achieve the same purpose?
    → Data minimization: Only data strictly needed is collected
    → Proportionality: Data collection balanced against individual rights

  Step 3: Assess Risks to Rights and Freedoms
    → Confidentiality risks: Unauthorized access, data breach, data leakage
    → Integrity risks: Data modification, inaccurate profiling decisions
    → Availability risks: Data loss, system failure affecting access rights
    → Autonomy risks: Profiling, manipulation, discrimination
    → Reputational risks: Public exposure, identity theft, financial loss
    → Risk scoring: Likelihood (1-5) × Impact (1-5) = Risk Level
       Low (1-5): Acceptable with documentation
       Medium (6-12): Requires mitigating measures
       High (13-25): Requires consultation with supervisory authority

  Step 4: Identify Mitigating Measures
    → Technical: Encryption, pseudonymization, access controls, DLP
    → Organizational: Policies, training, audit trails, retention schedules
    → Process: DPIA update triggers, regular reviews, incident response
    → Contractual: DPA with processors, SCCs for transfers, audit rights

  Step 5: Residual Risk Assessment
    → Re-score risks after mitigation applied
    → If still high: Consult supervisory authority before processing
    → Document residual risk acceptance with sign-off from data protection lead

  Step 6: Approvals and Sign-Off
    → DPO review and opinion
    → Data protection lead approval
    → Legal team review
    → Senior management sign-off
    → Supervisory authority consultation (if high residual risk)

DPIA TEMPLATE STRUCTURE:
    Section 1: Description of Processing (nature, purpose, necessity, proportionality)
    Section 2: Assessment of Necessity and Proportionality
    Section 3: Risk Assessment (risks to data subjects' rights)
    Section 4: Mitigating Measures (safeguards, security measures, guarantees)
    Section 5: Residual Risk Assessment and Conclusion
    Section 6: Approvals and Consultation (sign-offs, authority consultation if needed)
    Appendices: Data flow diagrams, system architecture, processing agreements
```
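The Likelihood × Impact matrix from Step 3, carried through Steps 4 and 5 (mitigation, residual re-scoring, and the consultation decision) in code. This is an added example rather than part of the framework above; the `Risk` class, the `assess` output keys and the sample risks in the test are constructed.

```python
"""DPIA risk matrix with residual scoring (framework Steps 3 to 5).

Added example, not part of the original framework. It applies the matrix the
framework defines, Likelihood (1-5) x Impact (1-5) banded Low (1-5),
Medium (6-12), High (13-25), re-scores each risk after mitigation and flags
supervisory-authority consultation when a residual score is still High.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact; both inputs must sit on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1..5")
    return likelihood * impact


def band(risk_score: int) -> str:
    """Map a score to the framework's Low / Medium / High bands."""
    if risk_score <= 5:
        return "Low"
    if risk_score <= 12:
        return "Medium"
    return "High"


@dataclass
class Risk:
    description: str
    likelihood: int
    impact: int
    measures: List[str] = field(default_factory=list)
    residual: Optional[Tuple[int, int]] = None  # (likelihood, impact) after measures

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def mitigate(self, measure: str, likelihood: int, impact: int) -> None:
        """Steps 4 and 5: record a measure and the re-scored likelihood/impact.
        A measure may not leave the residual score above the inherent one."""
        if score(likelihood, impact) > self.inherent():
            raise ValueError("residual risk cannot exceed inherent risk")
        self.measures.append(measure)
        self.residual = (likelihood, impact)

    def residual_score(self) -> int:
        return score(*self.residual) if self.residual else self.inherent()


def assess(risks: List[Risk]) -> Dict[str, object]:
    """Step 5 outcome: per-risk bands plus the decisions the framework ties to
    them (Medium or High needs measures; residual High needs consultation)."""
    rows = [{"risk": r.description, "inherent": band(r.inherent()),
             "residual": band(r.residual_score()), "measures": list(r.measures)}
            for r in risks]
    return {
        "risks": rows,
        "needs_measures": [r.description for r in risks
                           if band(r.inherent()) != "Low" and not r.measures],
        "consult_supervisory_authority": any(
            band(r.residual_score()) == "High" for r in risks),
    }
```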

## Consent Management

```
CONSENT MANAGEMENT FRAMEWORK
==============================

CONSENT REQUIREMENTS BY REGULATION:

  GDPR (Strict Opt-In):
    → Freely given: No bundling consent with service terms; separate consent for each purpose
    → Specific: Separate consent for each processing purpose (no blanket consent)
    → Informed: Clear, plain language description of what consent covers
    → Unambiguous: Active opt-in (checkbox not pre-ticked; no silence/inactivity as consent)
    → Withdrawable: As easy to withdraw as to give; no detriment for withdrawal
    → Children: Age of consent varies by member state (13-16); parental consent required below

  CCPA/CPRA (Opt-Out for Sale):
    → "Do Not Sell or Share My Personal Information" link on website/app
    → Global Privacy Control (GPC) signal: Must honor browser GPC signal
    → No discrimination for opting out (same price and quality of service)
    → Consent for sensitive data: Opt-in required for sensitive personal information use
    → Children under 13: Parental consent required
    → Children 13-16: Direct consent required (no parental consent needed)

CONSENT BANNER CONFIGURATION:

  Tier 1 (Strict / EU-focused):
    → No tracking scripts loaded until consent given
    → Cookie wall NOT acceptable for free services (must allow access without consent)
    → Categories: Strictly necessary (no consent), Analytics (consent), Marketing (consent), Functional (consent)
    → Granular choices: Toggle per category; "Accept all" and "Reject all" equally prominent
    → Consent preferences center: Accessible from any page; manage consent anytime

  Tier 2 (Standard / US-focused):
    → Notice at collection (not full consent required for all processing)
    → "Do Not Sell/Share" link in footer
    → Honor GPC signal
    → Privacy policy with clear sale/sharing disclosure

CONSENT RECORDING AND STORAGE:

  Consent log entries:
    → Timestamp (ISO 8601, with timezone)
    → User identifier (pseudonymized)
    → IP address (hashed for security)
    → Browser/device fingerprint
    → Consent version (privacy policy version at time of consent)
    → Categories consented to (granular)
    → Withdrawal timestamp and method (if withdrawn)
    → CMP vendor and version (for audit)

  Retention: Consent records kept for 3-7 years (varies by jurisdiction)
  Access: Data subjects can request consent history via DSAR
  Audit: Annual consent audit (sample review for compliance)

CMP VENDORS:
    → OneTrust: Enterprise-grade; consent + DSAR + cookie management + vendor management
    → Cookiebot: European-focused; automatic cookie scanning; GDPR-compliant defaults
    → Didomi: Consent management with privacy portal; real-time consent API
    → Osano: Affordable; consent + DSAR + privacy center; multi-regulation
    → Sourcepoint: Enterprise CMP with granular consent; data layer integration
```
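A consent log with the fields listed under "Consent recording and storage", plus the check a Tier 1 banner's tag loader has to make before running a non-essential script and the GPC opt-out from the CCPA/CPRA section. This is an added example, not the framework's or any CMP vendor's code; the `ConsentLog` class, the `SECRET` key, the CMP version string and the identifiers in the test are constructed, and treating consent given under an older privacy-policy version as stale is an assumption.

```python
"""Consent log and load-time check for a Tier 1 banner with GPC handling.
Added example, not the framework's code; key, IDs and addresses are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional

SECRET = b"constructed-demo-key-use-a-managed-secret"  # assumption: KMS-held key in practice
CONSENT_CATEGORIES = ("analytics", "marketing", "functional")  # strictly necessary needs none


def keyed_hash(value: str) -> str:
    """HMAC, not a bare hash: the IPv4 space is small enough to reverse plain SHA-256."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


class ConsentLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, user_id: str, ip: str, policy_version: str, choices: Dict[str, bool],
               gpc: bool = False, now: Optional[datetime] = None) -> Dict:
        """Append one consent event; a GPC signal records an opt-out of sale/share."""
        unknown = set(choices) - set(CONSENT_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown consent categories: {sorted(unknown)}")
        entry = {
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),  # ISO 8601 + tz
            "user": keyed_hash(user_id)[:32],  # pseudonymized identifier
            "ip_hash": keyed_hash(ip),
            "policy_version": policy_version,
            "categories": {c: bool(choices.get(c, False)) for c in CONSENT_CATEGORIES},
            "sale_or_share_opt_out": gpc,
            "cmp": "example-cmp/1.0",  # constructed vendor/version, kept for audit
            "withdrawn_at": None, "withdrawal_method": None,
        }
        self.entries.append(entry)
        return entry

    def latest(self, user_id: str) -> Optional[Dict]:
        user = keyed_hash(user_id)[:32]
        return next((e for e in reversed(self.entries) if e["user"] == user), None)

    def withdraw(self, user_id: str, method: str, now: Optional[datetime] = None) -> bool:
        """Mark the current consent withdrawn; the entry stays for the audit trail."""
        entry = self.latest(user_id)
        if entry is None or entry["withdrawn_at"]:
            return False
        entry["withdrawn_at"] = (now or datetime.now(timezone.utc)).isoformat()
        entry["withdrawal_method"] = method
        return True

    def may_load(self, user_id: str, category: str, current_policy: str) -> bool:
        """Default deny: a non-essential script loads only on current, unwithdrawn consent.
        Consent under an older policy version is treated as stale (assumption)."""
        if category == "strictly_necessary":
            return True
        entry = self.latest(user_id)
        if entry is None or entry["withdrawn_at"] or entry["policy_version"] != current_policy:
            return False
        return entry["categories"].get(category, False)

    def may_sell_or_share(self, user_id: str) -> bool:
        entry = self.latest(user_id)
        return entry is not None and not entry["withdrawn_at"] and not entry["sale_or_share_opt_out"]
```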

## Data Breach Response

```
DATA BREACH RESPONSE PLAYBOOK
===============================

PHASE 1: DETECTION AND ASSESSMENT (0-4 HOURS)

  Detection sources:
    → DLP alerts: Unusual data exfiltration, policy violations
    → SIEM alerts: Unauthorized access attempts, anomalous behavior
    → External reports: Customer notification, security researcher, regulator
    → System anomalies: Unexpected database queries, large data exports
    → Third-party notification: Processor breach affecting your data

  Initial assessment:
    → What data was affected? (categories, sensitivity, special category)
    → How many individuals affected? (count, approximate or exact)
    → What is the nature of the breach? (unauthorized access, accidental disclosure, loss)
    → When did the breach occur and when was it discovered?
    → What is the potential impact on affected individuals?

PHASE 2: CONTAINMENT (4-24 HOURS)

  Containment actions:
    → Isolate affected systems (network segmentation, account disablement)
    → Reset credentials (compromised accounts, shared credentials)
    → Block unauthorized access (firewall rules, IP blocking, MFA enforcement)
    → Preserve evidence (forensic imaging, log preservation)
    → Engage incident response team (internal + external IR firm if needed)
    → Activate legal counsel (privilege protection for investigation)

PHASE 3: NOTIFICATION (24-72 HOURS)

  Regulatory notification:
    → GDPR: Notify supervisory authority within 72 hours of awareness
       - Describe: nature of breach, categories/number of data subjects, DPO contact
       - Likely consequences: assessment of risk to rights and freedoms
       - Measures taken: containment, mitigation, remediation
       - If >72 hours: include reasons for delay

    → CCPA: Notify without unreasonable delay
       - Describe categories of information breached
       - Approximate number of consumers affected
       - Steps taken in response
       - Contact information for questions
       - FTC resources: www.opsafe.org (if email addresses compromised)

  Individual notification (GDPR: "without undue delay" if high risk):
    → Plain language description of what happened
    → DPO contact details
    → What data was involved
    → What the company is doing about it
    → What the individual should do (password change, credit monitoring, etc.)
    → Offer: Credit monitoring service (12-24 months if financial/identity data)

PHASE 4: REMEDIATION AND REVIEW (1-4 WEEKS)

  Remediation:
    → Patch vulnerabilities exploited
    → Enhance security controls (additional MFA, network segmentation, monitoring)
    → Review access controls (least privilege, access reviews)
    → Update incident response procedures based on lessons learned

  Documentation:
    → Breach record: details, notification dates, remediation actions (GDPR Art. 33(5))
    → Post-incident report: root cause, timeline, lessons learned, recommendations
    → Board notification: executive summary of breach and response
    → Insurance claim: cyber insurance notification (within policy timeframe)
```

## Integration Points

- **OneTrust**: Privacy governance suite — consent management, DSAR automation, vendor risk management, privacy training, data mapping; integrates with major CMS and ad tech platforms
- **BigID**: Data discovery and classification — automatically finds personal data across cloud, on-prem, databases; DSAR fulfillment; data lineage; integrates with AWS, Azure, GCP, Snowflake
- **Transcend**: DSAR automation — API-first approach; integrates with 200+ data sources; automated data discovery, verification, deletion; SLA tracking
- **Privacera**: Data security and governance — AI-driven data discovery; automated classification; consent management; integrates with Snowflake, Databricks, AWS, Azure
- **Drata / Vanta**: Compliance automation — privacy compliance monitoring (SOC 2, ISO 27001, GDPR); continuous evidence collection; control monitoring
- **Data loss prevention (Microsoft Purview, Symantec DLP)**: Real-time monitoring of data exfiltration; policy enforcement across email, cloud apps, endpoints
- **SIEM (Splunk, Microsoft Sentinel)**: Breach detection via log correlation; automated alerting for privacy-relevant events; forensic investigation support
- **Ticketing (ServiceNow, Jira)**: DSAR workflow management; breach incident tracking; SLA monitoring

## Edge Cases

- **Anonymous vs. pseudonymous data**: Anonymized data (irreversible) not subject to GDPR; pseudonymized data (reversible with key) IS personal data; ensure true anonymization before reuse
- **Employee monitoring**: Workplace surveillance lawful only with legitimate interest + proportionality test; inform employees; DPIA required; union works council consultation in EU
- **Cross-border transfers post-Schrems II**: SCCs alone insufficient; Transfer Impact Assessment required; supplementary measures (encryption, access controls) documented; consider data localization
- **Mergers and acquisitions**: Due diligence for privacy compliance of target; data transfer agreement pre-close; notification to data subjects post-close; integration of data processing records
- **Third-party processor breaches**: DPA clauses defining notification timelines (typically 24-48 hours); right to audit; flow-down requirements to sub-processors; insurance requirements
- **Cloud provider data access**: US CLOUD Act may require US cloud providers to hand over data to US authorities; consider encryption with customer-held keys; EU-based data centers for EU data
- **AI/ML training data**: Personal data used in ML training requires lawful basis; opt-out mechanisms for automated decision-making; right to explanation for significant decisions; DPIA mandatory
