Guides systematic review of processing documentation for completeness against GDPR Articles 5, 13-14, 24, 28, and 30. Activate when auditing documentation or preparing for inspections. Keywords: documentation review, processing records, completeness, privacy notices, RoPA.
Guides the creation and review of data processing agreements under GDPR Article 28(3), covering all eight mandatory clauses. References the 2021 Standard Contractual Clauses and provides a compliance checklist for processor contracts. Activate when onboarding processors, reviewing DPAs, or auditing processor compliance. Keywords: DPA, data processing agreement, Article 28, processor, mandatory clauses, standard contractual clauses.
Guides cooperation with GDPR supervisory authorities under Article 31, including procedures for responding to investigations, information requests, and on-site inspections. Covers controller and processor obligations during supervisory authority interactions. Keywords: supervisory authority, Article 31, cooperation, DPA investigation, information request, inspection.
Executes breach notification under HIPAA Breach Notification Rule (45 CFR 164.400-414). Covers 60-day individual notification, HHS/OCR reporting for breaches of 500+ individuals (immediate) and under 500 (annual log), state attorney general notification, media notification for 500+ in a single state, and breach risk assessment using the four-factor test. Keywords: HIPAA, breach notification, PHI, HHS, OCR, covered entity, business associate.
Guides compliance with South Korea's Personal Information Protection Act (PIPA, 개인정보 보호법). Covers pseudonymisation framework, notification requirements, PIPC enforcement, consent standards, and cross-border transfer rules under the 2023 amendments. Keywords: PIPA, Korea data protection, PIPC, pseudonymisation, consent, cross-border transfers.
Manages Data Subject Access Request procedures for employee requests under Art. 15 GDPR. Covers scope of disclosable HR records, emails, CCTV footage, performance reviews, monitoring data, and training records. Implements third-party data redaction, legal professional privilege, exemptions for ongoing proceedings, and the one-month response timeline. Keywords: DSAR, subject access request, Art. 15, employee records, redaction, privilege, HR data, SAR.
Assesses children's data protection in educational technology. Covers COPPA school exception under Section 312.5(c)(4), FERPA intersection, parental rights, teacher consent authority, data deletion at year-end, and Student Privacy Pledge compliance. Keywords: edtech, COPPA school exception, FERPA, student privacy, teacher consent, educational data.
Analyses the limitations on consent as a lawful basis for processing employee data under Art. 88 GDPR and WP29 Opinion 2/2017. Addresses power imbalance in employment relationships, identifies alternative lawful bases, and maps national derogations. Keywords: consent, employment, power imbalance, Art. 88, WP29, lawful basis, employee data, labour law.
Guides preparation for supervisory authority (DPA) inspections and investigations including document readiness checklists, interview preparation for key personnel, technical demonstration procedures, on-site logistics, response protocols, and post-inspection follow-up. Covers unannounced inspections, formal audits, and complaint-triggered investigations. Keywords: DPA inspection, supervisory authority, investigation, readiness, interview preparation, response protocol.
Structures risk mitigation planning and residual risk tracking for Data Protection Impact Assessments under GDPR Article 35(7)(d). Covers mitigation measure identification, implementation tracking, residual risk acceptance, and Art. 36 prior consultation triggers. Keywords: DPIA mitigation, risk treatment, residual risk, Art. 35(7)(d), safeguards, mitigation tracking, prior consultation.
Applying the ePrivacy Directive Article 5(3) strictly necessary exemption to classify cookies that do not require consent. Covers exemption criteria, functionality cookies, load balancing, session state, and non-exempt categories with regulatory guidance from EDPB and national DPAs.
Handles GDPR Art. 10 criminal conviction and offence data classification including official authority requirements, national law derogations, and comprehensive register restrictions. Covers controller obligations for criminal background checks and offence records. Keywords: criminal data, Art 10, conviction data, offence records, criminal background, DBS check.
CPRA §1798.121 sensitive personal information restrictions and compliance. Covers all 9 sensitive PI categories including SSN, precise geolocation, racial/ethnic origin, biometric, genetic, health, and sex life data. Right to limit use/disclosure, permitted purposes, and implementation.
Harmonises data classification across jurisdictions mapping GDPR special categories vs CCPA sensitive PI (1798.140(ae)) vs HIPAA PHI (160.103) vs LGPD sensitive data (Art. 5-II). Provides cross-regulation mapping matrix for multinational compliance. Keywords: cross-jurisdiction, GDPR, CCPA, HIPAA, LGPD, sensitive data, multinational, classification mapping.
Guide for building a consent record-keeping system to demonstrate valid consent per GDPR Article 7(1). Covers required fields including timestamp, version, purpose, mechanism, and identity. Implements audit-ready consent receipts per the Kantara Initiative Consent Receipt Specification and supervisory authority expectations.
Implementation guide for GDPR Article 7(3) consent withdrawal mechanisms. Covers the equal ease requirement ensuring withdrawal is as easy as giving consent, one-click withdrawal implementation, cascading effects on downstream processing, third-party notification workflows, and technical architecture for real-time consent revocation.
GDPR-compliant Data Processing Agreement drafting per Article 28(3). Covers all 8 mandatory provisions including subject matter, duration, nature and purpose, data types, categories of data subjects, controller and processor obligations, and sub-processor cascade requirements.
Guides EU Code of Conduct adherence under GDPR Articles 40-41 including EDPB approval requirements, monitoring body accreditation, code drafting, adherence declaration, compliance verification, and complaint handling. Covers sector-specific codes, transnational codes, and Art. 40(3) approval by supervisory authorities. Keywords: code of conduct, Article 40, Article 41, EDPB, monitoring body, adherence.
Guides managing conflicting privacy requirements across jurisdictions. Covers data localisation vs transfer freedom, consent standards variation, age thresholds, breach timelines, and resolution frameworks for incompatible obligations. Keywords: conflicting laws, data localisation, consent variation, age thresholds, resolution framework.
Connecticut Data Privacy Act (CTDPA) compliance. Covers consumer rights, controller obligations, dark pattern prohibition, loyalty program exemption, universal opt-out requirement effective January 2025, sensitive data consent, and AG enforcement. Effective July 1, 2023.
Technical architecture guide for building a multi-purpose consent preference center. Covers per-purpose granularity, easy withdrawal under Article 7(3), version history, audit trails, and IAB Transparency and Consent Framework v2.2 integration. Includes database schema, API design, and UI component specifications.
Designs and implements privacy notices for children that comply with GDPR Articles 12-14, UK AADC Standard 4, and COPPA Section 312.4. Covers plain language, visual explanations, layered information, age-appropriate vocabulary, and interactive notice elements. Keywords: children privacy notice, transparency, plain language, visual, age-appropriate, layered notice.
Complete CCPA/CPRA compliance implementation covering California Civil Code §1798.100-199. Includes consumer rights framework, business obligations, service provider and contractor requirements, enforcement mechanisms, and CPPA rulemaking. Triggers on CCPA, CPRA, California privacy, consumer rights.
Guides compliance with China's Personal Information Protection Law (PIPL, effective 1 November 2021). Covers consent requirements, cross-border transfer mechanisms (CAC security assessment, standard contracts, certification), separate consent triggers, and critical information infrastructure obligations. Keywords: PIPL, China data protection, CAC security assessment, cross-border transfer, separate consent, CIIO.
