bagelhole/gdpr-compliance

GDPR Compliance

Implement General Data Protection Regulation requirements for organizations that process personal data of EU/EEA residents, covering lawful processing, data subject rights, and technical safeguards.

When to Use

• Processing personal data of EU/EEA residents in any capacity
• Building consent management and preference centers
• Implementing Data Subject Access Request (DSAR) workflows
• Conducting Data Protection Impact Assessments (DPIAs)
• Setting up data processing agreements with third-party processors
• Designing systems with privacy by design and by default principles

Key Principles and Legal Bases

gdpr_principles:
  article_5:
    lawfulness_fairness_transparency:
      description: "Process data lawfully, fairly, and transparently"
      implementation:
        - Document legal basis for every processing activity
        - Provide clear privacy notices
        - No hidden or deceptive data collection

    purpose_limitation:
      description: "Collect for specified, explicit, and legitimate purposes"
      implementation:
        - Define purpose before collection
        - Do not repurpose data without new legal basis
        - Document all processing purposes in ROPA

    data_minimization:
      description: "Adequate, relevant, and limited to what is necessary"
      implementation:
        - Collect only required fields
        - Review data models for unnecessary fields
        - Remove optional fields that are not used

    accuracy:
      description: "Accurate and kept up to date"
      implementation:
        - Provide self-service profile editing
        - Implement data validation at point of entry
        - Schedule regular data quality reviews

    storage_limitation:
      description: "Kept no longer than necessary"
      implementation:
        - Define retention periods per data category
        - Automate deletion when retention expires
        - Document retention schedule

    integrity_and_confidentiality:
      description: "Appropriate security measures"
      implementation:
        - Encryption at rest and in transit
        - Access controls and audit logging
        - Pseudonymization where appropriate

    accountability:
      description: "Demonstrate compliance"
      implementation:
        - Maintain Records of Processing Activities
        - Conduct DPIAs for high-risk processing
        - Appoint DPO if required

legal_bases:
  article_6:
    consent: "Freely given, specific, informed, unambiguous"
    contract: "Necessary for performance of a contract"
    legal_obligation: "Required by EU or member state law"
    vital_interests: "Protect life of data subject or another person"
    public_interest: "Task carried out in public interest"
    legitimate_interest: "Legitimate interest not overridden by data subject rights"

Data Mapping Template (Records of Processing Activities)

# Record of Processing Activities (ROPA) - Article 30
processing_activity:
  name: "Customer Account Management"
  controller: "Example Corp, 123 Main St, Dublin, Ireland"
  dpo_contact: "[email protected]"
  purpose: "Manage customer accounts, provide services, handle billing"
  legal_basis: "Contract (Art. 6(1)(b))"
  categories_of_data_subjects:
    - Customers
    - Prospective customers
  categories_of_personal_data:
    - Name, email, phone number
    - Billing address
    - Payment information (tokenized)
    - Service usage data
    - Support ticket history
  special_categories: "None"
  recipients:
    - Payment processor (Stripe) - processor
    - Email service (SendGrid) - processor
    - Cloud hosting (AWS) - processor
  international_transfers:
    - Destination: United States
      Safeguard: "Standard Contractual Clauses (SCCs)"
      TIA_completed: true
  retention_period: "Account data retained for duration of contract + 7 years for legal obligations"
  security_measures:
    - AES-256 encryption at rest
    - TLS 1.3 in transit
    - Role-based access control
    - Audit logging of all access
  dpia_required: false
  last_reviewed: "2024-06-01"

# Template for each processing activity
processing_activity_template:
  name: ""
  controller: ""
  joint_controller: ""  # if applicable
  processor: ""  # if acting as processor
  dpo_contact: ""
  purpose: ""
  legal_basis: ""  # consent | contract | legal_obligation | vital_interests | public_interest | legitimate_interest
  legitimate_interest_assessment: ""  # if legitimate interest
  categories_of_data_subjects: []
  categories_of_personal_data: []
  special_categories: ""  # Art. 9 data
  recipients: []
  international_transfers: []
  retention_period: ""
  security_measures: []
  dpia_required: false
  date_added: ""
  last_reviewed: ""

Consent Management Implementation

"""
Consent management system implementing GDPR Article 7 requirements.
Consent must be freely given, specific, informed, and unambiguous.
"""
from datetime import datetime, timezone
from enum import Enum
import json
import hashlib


class ConsentPurpose(Enum):
    MARKETING_EMAIL = "marketing_email"
    MARKETING_SMS = "marketing_sms"
    ANALYTICS = "analytics"
    PERSONALIZATION = "personalization"
    THIRD_PARTY_SHARING = "third_party_sharing"
    PROFILING = "profiling"


class ConsentManager:
    def __init__(self, db):
        self.db = db

    def record_consent(self, user_id, purpose, granted, source,
                       privacy_policy_version, ip_address=None):
        """Record a consent decision with full audit trail."""
        consent_record = {
            "user_id": user_id,
            "purpose": purpose.value,
            "granted": granted,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source": source,  # e.g., "web_signup", "preference_center", "cookie_banner"
            "privacy_policy_version": privacy_policy_version,
            "ip_address": ip_address,
            "withdrawal_timestamp": None,
        }
        # Store with immutable audit trail
        consent_record["record_hash"] = hashlib.sha256(
            json.dumps(consent_record, sort_keys=True).encode()
        ).hexdigest()
        self.db.consent_records.insert(consent_record)
        return consent_record

    def withdraw_consent(self, user_id, purpose):
        """Process consent withdrawal - must be as easy as giving consent."""
        record = self.record_consent(
            user_id=user_id,
            purpose=purpose,
            granted=False,
            source="withdrawal",
            privacy_policy_version="N/A",
        )
        # Trigger downstream actions
        self._notify_processors(user_id, purpose, "withdrawn")
        self._stop_processing(user_id, purpose)
        return record

    def get_consent_status(self, user_id, purpose):
        """Get current consent status for a specific purpose."""
        latest = self.db.consent_records.find_one(
            {"user_id": user_id, "purpose": purpose.value},
            sort=[("timestamp", -1)]
        )
        return latest["granted"] if latest else False

    def get_all_consents(self, user_id):
        """Get all consent records for a user (for DSAR response)."""
        return list(self.db.consent_records.find(
            {"user_id": user_id},
            sort=[("timestamp", -1)]
        ))

    def export_consent_proof(self, user_id, purpose):
        """Export verifiable consent proof for accountability."""
        records = list(self.db.consent_records.find(
            {"user_id": user_id, "purpose": purpose.value},
            sort=[("timestamp", 1)]
        ))
        return {
            "user_id": user_id,
            "purpose": purpose.value,
            "consent_history": records,
            "current_status": self.get_consent_status(user_id, purpose),
            "exported_at": datetime.now(timezone.utc).isoformat(),
        }

    def _notify_processors(self, user_id, purpose, action):
        """Notify downstream processors of consent change."""
        pass  # Implement webhook/API calls to processors

    def _stop_processing(self, user_id, purpose):
        """Immediately stop processing for withdrawn consent."""
        pass  # Implement processing halt logic

Data Subject Access Request (DSAR) Procedures

dsar_workflow:
  step_1_receive:
    actions:
      - Log the request with timestamp and channel received
      - Assign unique tracking ID
      - Acknowledge receipt within 3 business days
    identity_verification:
      - Verify identity before providing any data
      - Use existing authentication where possible
      - Request additional proof if necessary (but not excessive)
    sla: "Must respond within 30 days (extendable to 90 days for complex requests)"

  step_2_assess:
    actions:
      - Determine request type (access, rectification, erasure, portability, etc.)
      - Identify all systems containing the individual's data
      - Check for lawful grounds to refuse (legal obligations, etc.)
      - Assess if extension is needed (complex or numerous requests)

  step_3_collect:
    systems_to_search:
      - Primary application database
      - CRM system
      - Email marketing platform
      - Analytics systems
      - Customer support tickets
      - Backup systems (if practically retrievable)
      - Log files containing PII
      - Third-party processors (request from each)

  step_4_respond:
    access_request:
      - Provide copy of all personal data in commonly used electronic format
      - Include processing purposes, categories, recipients, retention periods
      - Include source of data if not collected from the individual
      - Include information about automated decision-making
    rectification_request:
      - Update data in all systems
      - Notify all recipients of the correction
    erasure_request:
      - Delete data from all active systems
      - Remove from backups where technically feasible
      - Notify all processors and recipients
      - Document what was deleted and any retained data with legal basis
    portability_request:
      - Provide data in structured, machine-readable format (JSON/CSV)
      - Include only data provided by the data subject
      - Transfer directly to another controller if requested and feasible

  step_5_close:
    actions:
      - Send response to data subject
      - Document the entire handling process
      - Archive DSAR record for accountability
      - Update data mapping if new data stores discovered

"""DSAR automation - data collection across systems."""
import json
from datetime import datetime, timezone


class DSARProcessor:
    def __init__(self, data_sources):
        self.data_sources = data_sources  # Dict of system_name: DataSource

    def process_access_request(self, user_identifier):
        """Collect all personal data across registered systems."""
        collected_data = {
            "request_id": f"DSAR-{datetime.now(timezone.utc).strftime('%Y%m%d%H%M%S')}",
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "data_subject": user_identifier,
            "systems": {},
        }

        for system_name, source in self.data_sources.items():
            try:
                data = source.extract_user_data(user_identifier)
                collected_data["systems"][system_name] = {
                    "status": "collected",
                    "record_count": len(data) if isinstance(data, list) else 1,
                    "data": data,
                }
            except Exception as e:
                collected_data["systems"][system_name] = {
                    "status": "error",
                    "error": str(e),
                }

        return collected_data

    def process_erasure_request(self, user_identifier):
        """Delete personal data across all systems (right to erasure)."""
        results = {
            "request_id": f"ERASE-{datetime.now(timezone.utc).strftime('%Y%m%d%H%M%S')}",
            "data_subject": user_identifier,
            "systems": {},
        }

        for system_name, source in self.data_sources.items():
            try:
                deleted = source.delete_user_data(user_identifier)
                retained = source.get_retained_data(user_identifier)
                results["systems"][system_name] = {
                    "status": "deleted",
                    "records_deleted": deleted,
                    "retained_data": retained,  # Data kept for legal obligations
                    "retention_basis": source.retention_legal_basis,
                }
            except Exception as e:
                results["systems"][system_name] = {
                    "status": "error",
                    "error": str(e),
                }

        return results

    def export_portable_data(self, user_identifier, format="json"):
        """Export data in machine-readable format for portability."""
        data = self.process_access_request(user_identifier)
        if format == "json":
            return json.dumps(data, indent=2, default=str)
        elif format == "csv":
            return self._convert_to_csv(data)
        raise ValueError(f"Unsupported format: {format}")

Data Processing Agreement (DPA) Requirements

dpa_requirements:
  mandatory_clauses:
    article_28:
      - Subject matter, duration, nature, and purpose of processing
      - Type of personal data and categories of data subjects
      - Obligations and rights of the controller
      - Processing only on documented instructions from controller
      - Confidentiality obligations on processor personnel
      - Appropriate technical and organizational security measures
      - Conditions for engaging sub-processors (prior authorization)
      - Assistance with data subject rights requests
      - Assistance with security obligations (Art. 32-36)
      - Deletion or return of data after service ends
      - Audit and inspection rights for the controller

  sub_processor_management:
    - [ ] List of current sub-processors provided by processor
    - [ ] Notification mechanism for new sub-processors (30-day notice)
    - [ ] Right to object to new sub-processors
    - [ ] Sub-processors bound by same data protection obligations
    - [ ] Processor remains liable for sub-processor compliance

  international_transfers:
    mechanisms:
      - Standard Contractual Clauses (SCCs) - most common
      - Binding Corporate Rules (BCRs) - intra-group transfers
      - Adequacy decision (countries deemed adequate by EC)
      - Derogations for specific situations (explicit consent, contract necessity)
    transfer_impact_assessment:
      - [ ] Assess laws of the destination country
      - [ ] Evaluate effectiveness of safeguards
      - [ ] Document supplementary measures if needed
      - [ ] Review periodically for legal changes

  dpa_registry:
    track_per_processor:
      - Processor name and contact details
      - DPA execution date
      - Data types processed
      - Sub-processors and their locations
      - SCC version used for international transfers
      - TIA completion date
      - Next review date

Data Protection Impact Assessment (DPIA) Template

dpia_template:
  when_required:
    - Systematic and extensive profiling with significant effects
    - Large-scale processing of special category data
    - Systematic monitoring of publicly accessible areas
    - Any processing on national supervisory authority's list
    - New technologies with likely high risk to rights and freedoms

  assessment:
    section_1_description:
      processing_activity: ""
      purpose: ""
      legal_basis: ""
      data_categories: []
      data_subjects: []
      recipients: []
      retention: ""
      data_flows: "Describe how data moves through systems"

    section_2_necessity:
      is_processing_necessary: ""
      is_processing_proportionate: ""
      alternatives_considered: ""
      data_minimization_applied: ""

    section_3_risks:
      risk_assessment:
        - risk: "Unauthorized access to personal data"
          likelihood: "medium"
          severity: "high"
          risk_level: "high"
          existing_controls: "Encryption, access controls, audit logs"
          residual_risk: "medium"

        - risk: "Accidental data loss or destruction"
          likelihood: "low"
          severity: "high"
          risk_level: "medium"
          existing_controls: "Backups, replication, DR procedures"
          residual_risk: "low"

        - risk: "Excessive data collection beyond purpose"
          likelihood: "medium"
          severity: "medium"
          risk_level: "medium"
          existing_controls: "Data minimization review, schema validation"
          residual_risk: "low"

    section_4_measures:
      technical_measures:
        - Pseudonymization of personal data
        - Encryption at rest (AES-256) and in transit (TLS 1.3)
        - Access controls with least privilege
        - Automated data retention enforcement
      organizational_measures:
        - Staff training on data protection
        - Data protection policies and procedures
        - Incident response procedures
        - Regular access reviews
      monitoring:
        - Audit logging of all data access
        - Anomaly detection for unusual access patterns
        - Regular compliance testing

    section_5_sign_off:
      dpo_consultation: "Required if high residual risk"
      dpo_opinion: ""
      supervisory_authority_consultation: "Required if risk cannot be mitigated"
      approval_date: ""
      next_review_date: ""

GDPR Compliance Checklist

gdpr_compliance_checklist:
  governance:
    - [ ] Data Protection Officer appointed (if required under Art. 37)
    - [ ] Records of Processing Activities (ROPA) maintained
    - [ ] Privacy policies published and up to date
    - [ ] Data protection training conducted for all staff
    - [ ] Data breach response plan documented and tested

  lawful_processing:
    - [ ] Legal basis identified and documented for each processing activity
    - [ ] Consent mechanisms comply with Art. 7 (freely given, specific, informed)
    - [ ] Consent withdrawal is as easy as giving consent
    - [ ] Legitimate interest assessments completed where applicable
    - [ ] Special category data has Art. 9 legal basis documented

  data_subject_rights:
    - [ ] DSAR intake process established (multiple channels)
    - [ ] Identity verification procedure defined
    - [ ] Response within 30 days (or extension communicated)
    - [ ] Right to access implemented and tested
    - [ ] Right to rectification implemented
    - [ ] Right to erasure implemented with legal retention exceptions
    - [ ] Right to portability implemented (structured, machine-readable export)
    - [ ] Right to object implemented (especially for direct marketing)

  technical_measures:
    - [ ] Encryption at rest and in transit for all personal data
    - [ ] Pseudonymization applied where feasible
    - [ ] Access controls enforce least privilege
    - [ ] Audit logging of personal data access
    - [ ] Data retention automated with defined schedules
    - [ ] Secure deletion procedures verified

  third_parties:
    - [ ] Data Processing Agreements signed with all processors
    - [ ] Sub-processor notification mechanism in place
    - [ ] International transfer safeguards implemented (SCCs, etc.)
    - [ ] Transfer Impact Assessments completed
    - [ ] Processor compliance verified periodically

  breach_management:
    - [ ] Breach detection and assessment procedures documented
    - [ ] 72-hour supervisory authority notification process ready
    - [ ] Individual notification procedures for high-risk breaches
    - [ ] Breach register maintained
    - [ ] Post-breach review and improvement process

Best Practices

• Maintain a comprehensive Records of Processing Activities as the foundation of GDPR compliance
• Implement privacy by design: build data protection into systems from the start, not retrofitted
• Apply data minimization rigorously: do not collect personal data "just in case"
• Automate DSAR processing to meet the 30-day response deadline consistently
• Keep consent granular and purpose-specific; avoid bundled consent for multiple purposes
• Conduct DPIAs before launching high-risk processing activities
• Ensure data processing agreements are signed with every processor before sharing personal data
• Implement automated retention enforcement to prevent storage beyond defined periods
• Train all staff who handle personal data, not just the IT and legal teams
• Regularly audit data flows to discover shadow processing or undocumented data stores