GDPR Compliance Planning
Comprehensive guidance for General Data Protection Regulation compliance before development begins.
When to Use This Skill
- •Planning systems that process EU residents' personal data
- •Designing consent management and preference centers
- •Implementing data subject rights (access, erasure, portability)
- •Conducting Data Protection Impact Assessments (DPIA)
- •Defining data processing agreements and controller/processor relationships
GDPR Fundamentals
The 7 Principles
| Principle | Description | Implementation Focus |
|---|---|---|
| Lawfulness, Fairness, Transparency | Valid legal basis, fair processing, clear privacy notices | Consent flows, privacy policies |
| Purpose Limitation | Collect for specified, explicit purposes | Purpose tracking, use restriction |
| Data Minimization | Adequate, relevant, limited to purpose | Field-level justification |
| Accuracy | Keep data accurate and up to date | Update mechanisms, verification |
| Storage Limitation | Keep only as long as necessary | Retention policies, auto-deletion |
| Integrity and Confidentiality | Appropriate security measures | Encryption, access control |
| Accountability | Demonstrate compliance | Audit logs, documentation |
Lawful Bases for Processing
text
1. Consent - Freely given, specific, informed, unambiguous 2. Contract - Necessary for contract performance 3. Legal Obligation - Required by law 4. Vital Interests - Protect someone's life 5. Public Task - Official authority/public interest 6. Legitimate Interest - Balanced against data subject rights
Legitimate Interest Assessment (LIA):
- •Purpose test: Is there a legitimate interest?
- •Necessity test: Is processing necessary for that interest?
- •Balancing test: Do subject's interests override?
Data Subject Rights Implementation
Rights Checklist
| Right | Description | Response Time | Implementation |
|---|---|---|---|
| Access | Copy of personal data | 1 month | Export endpoint |
| Rectification | Correct inaccurate data | 1 month | Update endpoint |
| Erasure ("Right to be Forgotten") | Delete personal data | 1 month | Deletion pipeline |
| Restrict Processing | Limit use of data | 1 month | Processing flags |
| Data Portability | Machine-readable export | 1 month | JSON/CSV export |
| Object | Stop processing | Without undue delay | Opt-out mechanism |
| Automated Decision-Making | Human review of decisions | Varies | Review queue |
.NET Implementation Patterns
csharp
// Data Subject Request Handling
public interface IDataSubjectRequestHandler
{
Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct);
Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct);
Task<PortableData> HandlePortabilityRequest(Guid subjectId, string format, CancellationToken ct);
}
public class DataSubjectRequestService : IDataSubjectRequestHandler
{
private readonly IPersonalDataLocator _dataLocator;
private readonly IAuditLogger _auditLogger;
private readonly TimeProvider _timeProvider;
public async Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct)
{
await _auditLogger.LogRequestReceived(subjectId, "Access", _timeProvider.GetUtcNow());
var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
var export = new DataExport
{
SubjectId = subjectId,
GeneratedAt = _timeProvider.GetUtcNow(),
Categories = new List<DataCategory>()
};
foreach (var location in locations)
{
var data = await location.ExtractData(ct);
export.Categories.Add(new DataCategory
{
Name = location.CategoryName,
Purpose = location.ProcessingPurpose,
LawfulBasis = location.LawfulBasis,
RetentionPeriod = location.RetentionPolicy,
Data = data
});
}
await _auditLogger.LogRequestCompleted(subjectId, "Access", _timeProvider.GetUtcNow());
return export;
}
public async Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct)
{
// Check for legal holds or retention requirements
var blocks = await CheckErasureBlocks(subjectId, ct);
if (blocks.Any())
{
throw new ErasureBlockedException(blocks);
}
var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
foreach (var location in locations)
{
if (scope.IncludesCategory(location.CategoryName))
{
// Soft delete with scheduled hard delete
await location.MarkForDeletion(_timeProvider.GetUtcNow().AddDays(30), ct);
}
}
await _auditLogger.LogErasureInitiated(subjectId, scope, _timeProvider.GetUtcNow());
}
}
Consent Management
csharp
// Consent tracking with granular purposes
public class ConsentRecord
{
public Guid SubjectId { get; init; }
public string Purpose { get; init; } = string.Empty;
public bool IsGranted { get; init; }
public DateTimeOffset Timestamp { get; init; }
public string ConsentMechanism { get; init; } = string.Empty; // e.g., "WebForm", "API"
public string ConsentVersion { get; init; } = string.Empty; // Version of consent text
public string? WithdrawalTimestamp { get; set; }
}
public interface IConsentManager
{
Task RecordConsent(ConsentRecord consent, CancellationToken ct);
Task WithdrawConsent(Guid subjectId, string purpose, CancellationToken ct);
Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct);
Task<IReadOnlyList<ConsentRecord>> GetConsentHistory(Guid subjectId, CancellationToken ct);
}
public class GdprConsentManager : IConsentManager
{
private readonly IConsentRepository _repository;
private readonly IEventPublisher _events;
public async Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct)
{
var latest = await _repository.GetLatestConsent(subjectId, purpose, ct);
if (latest is null)
return false;
if (latest.WithdrawalTimestamp is not null)
return false;
// Check if consent version is still current
var currentVersion = await _repository.GetCurrentConsentVersion(purpose, ct);
if (latest.ConsentVersion != currentVersion)
{
// Consent was given under old terms - needs re-consent
return false;
}
return latest.IsGranted;
}
}
Data Protection Impact Assessment (DPIA)
When DPIA is Required
DPIA is mandatory when processing is likely to result in high risk:
- •Systematic and extensive profiling with significant effects
- •Large-scale processing of special category data
- •Systematic monitoring of public areas
- •New technologies with unknown privacy impact
- •Automated decision-making with legal/similar effects
- •Large-scale processing of children's data
DPIA Template Structure
markdown
## 1. Description of Processing - Nature: What will you do with the data? - Scope: How much data, how many subjects, geographic area? - Context: Internal/external factors affecting expectations? - Purpose: What are you trying to achieve? ## 2. Necessity and Proportionality - Lawful basis and justification - Purpose limitation assessment - Data minimization measures - Data quality approach - Storage limitation policy ## 3. Risk Assessment ### Risks to Individuals | Risk | Likelihood | Severity | Score | Mitigation | |------|------------|----------|-------|------------| | Unauthorized access | Medium | High | 6 | Encryption, MFA | | Data breach | Low | Critical | 4 | Monitoring, IR plan | | Inaccurate profiling | Medium | Medium | 4 | Human review | ### Residual Risk [After mitigations applied] ## 4. Consultation - DPO advice obtained: [Date] - Supervisory authority consulted: [If required] - Data subject views considered: [How] ## 5. Sign-Off | Role | Name | Approval | Date | |------|------|----------|------| | Project Owner | | [ ] | | | DPO | | [ ] | | | CISO | | [ ] | |
Risk Scoring Matrix
text
SEVERITY
Low(1) Medium(2) High(3) Critical(4)
L High(4) 4 8 12 16
I Med(3) 3 6 9 12
K Low(2) 2 4 6 8
E V.Low(1) 1 2 3 4
Thresholds:
- •1-4: Acceptable risk
- •5-8: Mitigations required
- •9-12: Senior approval required
- •13+: Consult supervisory authority
Privacy by Design Checklist
Architecture Phase
- • Data flows documented with personal data highlighted
- • Purpose for each data element defined
- • Lawful basis identified per purpose
- • Retention periods defined per category
- • Access control requirements specified
- • Encryption requirements defined
- • Pseudonymization opportunities identified
Development Phase
- • Consent collection implemented correctly
- • Data subject rights endpoints created
- • Audit logging captures processing activities
- • Data retention automation implemented
- • Encryption at rest and in transit
- • Input validation prevents excess collection
- • Error messages don't leak personal data
Testing Phase
- • Consent flows tested (grant, withdraw, re-consent)
- • All DSR endpoints functional
- • Retention automation verified
- • Access controls tested
- • Audit logs complete and accurate
- • Penetration testing for data exposure
Record of Processing Activities (ROPA)
Article 30 Requirements
Controllers must maintain records of:
yaml
Processing Activity: Customer Account Management Controller: [Organization Name] DPO Contact: dpo@example.com Purposes: - Account authentication - Order fulfillment - Customer support Categories of Data Subjects: - Customers - Prospective customers Categories of Personal Data: - Name, email, phone - Address - Order history - Payment tokens (not card numbers) Recipients: - Payment processor (Stripe) - Shipping provider (FedEx) - Customer support platform (Zendesk) International Transfers: - Stripe Inc. (US) - SCCs - None to third countries without safeguards Retention: - Active account: Duration of relationship - Closed account: 7 years (legal requirement) Security Measures: - TLS 1.3 in transit - AES-256 at rest - Role-based access control - Regular access reviews
International Data Transfers
Transfer Mechanisms Post-Schrems II
| Mechanism | Use Case | Requirements |
|---|---|---|
| Adequacy Decision | EU-approved countries | None additional |
| Standard Contractual Clauses (SCCs) | Most common | TIA required |
| Binding Corporate Rules | Intra-group transfers | Supervisory approval |
| Derogations (Art. 49) | Occasional transfers | Limited scope |
Transfer Impact Assessment (TIA)
markdown
## Transfer Impact Assessment ### 1. Transfer Details - Exporter: [EU entity] - Importer: [Third country entity] - Countries: [List] - Data types: [Categories] - Transfer mechanism: [SCCs/BCRs/etc.] ### 2. Third Country Assessment - Laws requiring disclosure to authorities - Surveillance legislation - Rule of law / judicial independence - Practical access by authorities ### 3. Supplementary Measures - Technical: [Encryption, pseudonymization] - Contractual: [Additional clauses] - Organizational: [Policies, training] ### 4. Conclusion - Risk level: [Acceptable/Requires mitigation/Unacceptable] - Decision: [Proceed/Modify/Suspend]
Cross-References
- •CCPA/CPRA: See similar concepts (disclosure, deletion, opt-out)
- •AI Governance:
ai-governanceskill for AI-specific requirements - •Security Frameworks:
security-frameworksfor technical controls - •Data Classification:
data-classificationfor sensitivity levels