melodic-software/gdpr-compliance

GDPR Compliance Planning

Comprehensive guidance for General Data Protection Regulation compliance before development begins.

When to Use This Skill

• Planning systems that process EU residents' personal data
• Designing consent management and preference centers
• Implementing data subject rights (access, erasure, portability)
• Conducting Data Protection Impact Assessments (DPIA)
• Defining data processing agreements and controller/processor relationships

GDPR Fundamentals

The 7 Principles

| Principle | Description | Implementation Focus | |-----------|-------------|---------------------| | Lawfulness, Fairness, Transparency | Valid legal basis, fair processing, clear privacy notices | Consent flows, privacy policies | | Purpose Limitation | Collect for specified, explicit purposes | Purpose tracking, use restriction | | Data Minimization | Adequate, relevant, limited to purpose | Field-level justification | | Accuracy | Keep data accurate and up to date | Update mechanisms, verification | | Storage Limitation | Keep only as long as necessary | Retention policies, auto-deletion | | Integrity and Confidentiality | Appropriate security measures | Encryption, access control | | Accountability | Demonstrate compliance | Audit logs, documentation |

Lawful Bases for Processing

1. Consent - Freely given, specific, informed, unambiguous
2. Contract - Necessary for contract performance
3. Legal Obligation - Required by law
4. Vital Interests - Protect someone's life
5. Public Task - Official authority/public interest
6. Legitimate Interest - Balanced against data subject rights

Legitimate Interest Assessment (LIA):

1. Purpose test: Is there a legitimate interest?
2. Necessity test: Is processing necessary for that interest?
3. Balancing test: Do subject's interests override?

Data Subject Rights Implementation

Rights Checklist

| Right | Description | Response Time | Implementation | |-------|-------------|---------------|----------------| | Access | Copy of personal data | 1 month | Export endpoint | | Rectification | Correct inaccurate data | 1 month | Update endpoint | | Erasure ("Right to be Forgotten") | Delete personal data | 1 month | Deletion pipeline | | Restrict Processing | Limit use of data | 1 month | Processing flags | | Data Portability | Machine-readable export | 1 month | JSON/CSV export | | Object | Stop processing | Without undue delay | Opt-out mechanism | | Automated Decision-Making | Human review of decisions | Varies | Review queue |

.NET Implementation Patterns

// Data Subject Request Handling
public interface IDataSubjectRequestHandler
{
    Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct);
    Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct);
    Task<PortableData> HandlePortabilityRequest(Guid subjectId, string format, CancellationToken ct);
}

public class DataSubjectRequestService : IDataSubjectRequestHandler
{
    private readonly IPersonalDataLocator _dataLocator;
    private readonly IAuditLogger _auditLogger;
    private readonly TimeProvider _timeProvider;

    public async Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct)
    {
        await _auditLogger.LogRequestReceived(subjectId, "Access", _timeProvider.GetUtcNow());

        var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
        var export = new DataExport
        {
            SubjectId = subjectId,
            GeneratedAt = _timeProvider.GetUtcNow(),
            Categories = new List<DataCategory>()
        };

        foreach (var location in locations)
        {
            var data = await location.ExtractData(ct);
            export.Categories.Add(new DataCategory
            {
                Name = location.CategoryName,
                Purpose = location.ProcessingPurpose,
                LawfulBasis = location.LawfulBasis,
                RetentionPeriod = location.RetentionPolicy,
                Data = data
            });
        }

        await _auditLogger.LogRequestCompleted(subjectId, "Access", _timeProvider.GetUtcNow());
        return export;
    }

    public async Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct)
    {
        // Check for legal holds or retention requirements
        var blocks = await CheckErasureBlocks(subjectId, ct);
        if (blocks.Any())
        {
            throw new ErasureBlockedException(blocks);
        }

        var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);

        foreach (var location in locations)
        {
            if (scope.IncludesCategory(location.CategoryName))
            {
                // Soft delete with scheduled hard delete
                await location.MarkForDeletion(_timeProvider.GetUtcNow().AddDays(30), ct);
            }
        }

        await _auditLogger.LogErasureInitiated(subjectId, scope, _timeProvider.GetUtcNow());
    }
}

Consent Management

// Consent tracking with granular purposes
public class ConsentRecord
{
    public Guid SubjectId { get; init; }
    public string Purpose { get; init; } = string.Empty;
    public bool IsGranted { get; init; }
    public DateTimeOffset Timestamp { get; init; }
    public string ConsentMechanism { get; init; } = string.Empty; // e.g., "WebForm", "API"
    public string ConsentVersion { get; init; } = string.Empty; // Version of consent text
    public string? WithdrawalTimestamp { get; set; }
}

public interface IConsentManager
{
    Task RecordConsent(ConsentRecord consent, CancellationToken ct);
    Task WithdrawConsent(Guid subjectId, string purpose, CancellationToken ct);
    Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct);
    Task<IReadOnlyList<ConsentRecord>> GetConsentHistory(Guid subjectId, CancellationToken ct);
}

public class GdprConsentManager : IConsentManager
{
    private readonly IConsentRepository _repository;
    private readonly IEventPublisher _events;

    public async Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct)
    {
        var latest = await _repository.GetLatestConsent(subjectId, purpose, ct);

        if (latest is null)
            return false;

        if (latest.WithdrawalTimestamp is not null)
            return false;

        // Check if consent version is still current
        var currentVersion = await _repository.GetCurrentConsentVersion(purpose, ct);
        if (latest.ConsentVersion != currentVersion)
        {
            // Consent was given under old terms - needs re-consent
            return false;
        }

        return latest.IsGranted;
    }
}

Data Protection Impact Assessment (DPIA)

When DPIA is Required

DPIA is mandatory when processing is likely to result in high risk:

• Systematic and extensive profiling with significant effects
• Large-scale processing of special category data
• Systematic monitoring of public areas
• New technologies with unknown privacy impact
• Automated decision-making with legal/similar effects
• Large-scale processing of children's data

DPIA Template Structure

## 1. Description of Processing
- Nature: What will you do with the data?
- Scope: How much data, how many subjects, geographic area?
- Context: Internal/external factors affecting expectations?
- Purpose: What are you trying to achieve?

## 2. Necessity and Proportionality
- Lawful basis and justification
- Purpose limitation assessment
- Data minimization measures
- Data quality approach
- Storage limitation policy

## 3. Risk Assessment

### Risks to Individuals
| Risk | Likelihood | Severity | Score | Mitigation |
|------|------------|----------|-------|------------|
| Unauthorized access | Medium | High | 6 | Encryption, MFA |
| Data breach | Low | Critical | 4 | Monitoring, IR plan |
| Inaccurate profiling | Medium | Medium | 4 | Human review |

### Residual Risk
[After mitigations applied]

## 4. Consultation
- DPO advice obtained: [Date]
- Supervisory authority consulted: [If required]
- Data subject views considered: [How]

## 5. Sign-Off
| Role | Name | Approval | Date |
|------|------|----------|------|
| Project Owner | | [ ] | |
| DPO | | [ ] | |
| CISO | | [ ] | |

Risk Scoring Matrix

         SEVERITY
         Low(1)  Medium(2)  High(3)  Critical(4)
L   High(4)    4      8         12       16
I   Med(3)     3      6          9       12
K   Low(2)     2      4          6        8
E   V.Low(1)   1      2          3        4

Thresholds:

• 1-4: Acceptable risk
• 5-8: Mitigations required
• 9-12: Senior approval required
• 13+: Consult supervisory authority

Privacy by Design Checklist

Architecture Phase

• [ ] Data flows documented with personal data highlighted
• [ ] Purpose for each data element defined
• [ ] Lawful basis identified per purpose
• [ ] Retention periods defined per category
• [ ] Access control requirements specified
• [ ] Encryption requirements defined
• [ ] Pseudonymization opportunities identified

Development Phase

• [ ] Consent collection implemented correctly
• [ ] Data subject rights endpoints created
• [ ] Audit logging captures processing activities
• [ ] Data retention automation implemented
• [ ] Encryption at rest and in transit
• [ ] Input validation prevents excess collection
• [ ] Error messages don't leak personal data

Testing Phase

• [ ] Consent flows tested (grant, withdraw, re-consent)
• [ ] All DSR endpoints functional
• [ ] Retention automation verified
• [ ] Access controls tested
• [ ] Audit logs complete and accurate
• [ ] Penetration testing for data exposure

Record of Processing Activities (ROPA)

Article 30 Requirements

Controllers must maintain records of:

Processing Activity: Customer Account Management
Controller: [Organization Name]
DPO Contact: [email protected]
Purposes:
  - Account authentication
  - Order fulfillment
  - Customer support
Categories of Data Subjects:
  - Customers
  - Prospective customers
Categories of Personal Data:
  - Name, email, phone
  - Address
  - Order history
  - Payment tokens (not card numbers)
Recipients:
  - Payment processor (Stripe)
  - Shipping provider (FedEx)
  - Customer support platform (Zendesk)
International Transfers:
  - Stripe Inc. (US) - SCCs
  - None to third countries without safeguards
Retention:
  - Active account: Duration of relationship
  - Closed account: 7 years (legal requirement)
Security Measures:
  - TLS 1.3 in transit
  - AES-256 at rest
  - Role-based access control
  - Regular access reviews

International Data Transfers

Transfer Mechanisms Post-Schrems II

| Mechanism | Use Case | Requirements | |-----------|----------|--------------| | Adequacy Decision | EU-approved countries | None additional | | Standard Contractual Clauses (SCCs) | Most common | TIA required | | Binding Corporate Rules | Intra-group transfers | Supervisory approval | | Derogations (Art. 49) | Occasional transfers | Limited scope |

Transfer Impact Assessment (TIA)

## Transfer Impact Assessment

### 1. Transfer Details
- Exporter: [EU entity]
- Importer: [Third country entity]
- Countries: [List]
- Data types: [Categories]
- Transfer mechanism: [SCCs/BCRs/etc.]

### 2. Third Country Assessment
- Laws requiring disclosure to authorities
- Surveillance legislation
- Rule of law / judicial independence
- Practical access by authorities

### 3. Supplementary Measures
- Technical: [Encryption, pseudonymization]
- Contractual: [Additional clauses]
- Organizational: [Policies, training]

### 4. Conclusion
- Risk level: [Acceptable/Requires mitigation/Unacceptable]
- Decision: [Proceed/Modify/Suspend]

Cross-References

• CCPA/CPRA: See similar concepts (disclosure, deletion, opt-out)
• AI Governance: ai-governance skill for AI-specific requirements
• Security Frameworks: security-frameworks for technical controls
• Data Classification: data-classification for sensitivity levels

Resources

• GDPR Full Text
• EDPB Guidelines
• ICO GDPR Guidance