Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,160 @@
---
name: implementing-gdpr-data-protection-controls
description: The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill cover
domain: cybersecurity
subdomain: compliance-governance
tags: [compliance, governance, gdpr, privacy, data-protection, eu-regulation]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing GDPR Data Protection Controls
## Overview
The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill covers implementing the technical and organizational measures required by GDPR, including data protection by design and by default, Data Protection Impact Assessments (DPIAs), data subject rights management, breach notification procedures, and cross-border data transfer mechanisms.
## Prerequisites
- Understanding of EU data protection law and its territorial scope
- Knowledge of personal data processing activities within the organization
- Familiarity with data architecture, databases, and application systems
- Understanding of data flows including cross-border transfers
## Core Concepts
### Key GDPR Articles for Technical Controls
| Article | Requirement |
|---------|-------------|
| Art. 5 | Principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability |
| Art. 6 | Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interest) |
| Art. 25 | Data protection by design and by default |
| Art. 28 | Processor obligations and contractual requirements |
| Art. 30 | Records of processing activities (ROPA) |
| Art. 32 | Security of processing (technical and organizational measures) |
| Art. 33 | Breach notification to supervisory authority (72 hours) |
| Art. 34 | Communication of breach to data subjects |
| Art. 35 | Data Protection Impact Assessment (DPIA) |
| Art. 37-39 | Data Protection Officer (DPO) appointment and role |
| Art. 44-49 | Cross-border data transfers (adequacy, SCCs, BCRs) |
### Article 32 Security Measures
The regulation requires organizations to implement measures appropriate to the risk:
- **Pseudonymization** and encryption of personal data
- **Confidentiality, integrity, availability, and resilience** of processing systems
- **Ability to restore** availability and access to personal data in a timely manner
- **Regular testing** and evaluation of technical and organizational measures
### Data Subject Rights (Articles 12-22)
| Right | Article | Description |
|-------|---------|-------------|
| Right to be informed | 13-14 | Transparent information about processing |
| Right of access | 15 | Obtain copy of personal data |
| Right to rectification | 16 | Correct inaccurate data |
| Right to erasure | 17 | "Right to be forgotten" |
| Right to restrict processing | 18 | Limit processing of data |
| Right to data portability | 20 | Receive data in machine-readable format |
| Right to object | 21 | Object to processing (especially direct marketing) |
| Automated decision-making | 22 | Not be subject to solely automated decisions |
## Implementation Steps
### Phase 1: Data Mapping and Assessment (Weeks 1-6)
1. Create comprehensive data inventory:
- What personal data is collected
- From whom (data subjects)
- Why (purposes and lawful bases)
- Where it's stored (systems, locations, countries)
- Who has access (internal and external)
- How long it's retained
- What security measures protect it
2. Document Records of Processing Activities (ROPA) per Article 30
3. Identify lawful basis for each processing activity
4. Map cross-border data transfers and transfer mechanisms
5. Identify processing activities requiring DPIA
### Phase 2: Gap Analysis and Risk Assessment (Weeks 7-10)
1. Assess current state against GDPR requirements
2. Perform DPIAs for high-risk processing activities
3. Identify security gaps in Article 32 compliance
4. Evaluate data retention compliance
5. Assess data subject rights request handling capabilities
### Phase 3: Technical Controls Implementation (Weeks 11-24)
1. **Encryption**:
- Data at rest: AES-256 for databases, file systems, backups
- Data in transit: TLS 1.2+ for all personal data transfers
- Key management: secure key storage and rotation procedures
2. **Pseudonymization**:
- Implement tokenization for sensitive identifiers
- Separate pseudonymization keys from data stores
3. **Access Controls**:
- Role-based access control (RBAC) for personal data
- Principle of least privilege
- MFA for systems processing personal data
- Regular access reviews
4. **Data Minimization**:
- Implement data collection limits at application layer
- Default privacy settings (data protection by default)
- Automated data retention enforcement
5. **Erasure and Portability**:
- Build data deletion workflows across all systems
- Implement data export in machine-readable formats (JSON, CSV)
- Cascade deletion to backups and archives
6. **Consent Management**:
- Implement granular consent collection mechanisms
- Consent withdrawal functionality
- Consent audit trail and versioning
7. **Breach Detection**:
- SIEM for personal data access monitoring
- Data loss prevention (DLP) controls
- Anomalous access detection
### Phase 4: Organizational Controls (Weeks 11-24)
1. Appoint Data Protection Officer (DPO) if required
2. Develop data protection policies and procedures
3. Create breach notification procedures (72-hour timeline)
4. Establish data subject request (DSR) handling procedures
5. Implement vendor management with Data Processing Agreements (DPAs)
6. Deploy privacy awareness training for all staff
7. Create data protection by design guidance for development teams
### Phase 5: Documentation and Compliance Evidence (Weeks 25-30)
1. Finalize ROPA documentation
2. Document all DPIAs and outcomes
3. Create data protection policies
4. Document technical and organizational measures
5. Establish privacy notice and consent records
6. Create international transfer documentation (SCCs, TIAs)
### Phase 6: Ongoing Compliance (Continuous)
1. Regular DPIA reviews for new processing activities
2. Annual data mapping refresh
3. Periodic security measure testing (Art. 32 requirement)
4. Data subject request tracking and SLA monitoring
5. Breach response readiness testing
6. Training refresh and awareness campaigns
## Key Artifacts
- Records of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIAs)
- Data Processing Agreements (DPAs)
- Privacy Notices and Consent Records
- Breach Response Procedures and Register
- Data Subject Request Handling Procedures
- International Data Transfer Mechanisms (SCCs, BCRs)
- Technical and Organizational Measures Documentation
## Common Pitfalls
- Treating GDPR as only a legal/compliance exercise without technical implementation
- Incomplete data mapping missing shadow IT or legacy systems
- Failing to maintain consent audit trails
- Not testing 72-hour breach notification capability
- Ignoring cross-border transfer requirements for cloud services
- Over-reliance on consent as lawful basis when legitimate interest applies
## References
- GDPR Official Text: https://gdpr-info.eu/
- European Data Protection Board (EDPB) Guidelines
- ICO (UK) GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
- CNIL (France) GDPR Compliance Toolkit
- Article 29 Working Party Guidelines on DPIAs
@@ -0,0 +1,140 @@
# GDPR Compliance Audit Checklist
## Organization Information
| Field | Value |
|-------|-------|
| Organization Name | |
| Role | Controller / Processor / Joint Controller |
| DPO Name and Contact | |
| Lead Supervisory Authority | |
| Assessment Date | |
| Assessor | |
---
## Article 5: Data Processing Principles
- [ ] Lawfulness: All processing has documented lawful basis (Art. 6)
- [ ] Fairness: Processing is fair and does not cause unjustified adverse effects
- [ ] Transparency: Privacy notices provided at point of collection (Art. 13/14)
- [ ] Purpose Limitation: Data collected for specified, explicit, and legitimate purposes
- [ ] Data Minimization: Only data necessary for the purpose is collected
- [ ] Accuracy: Processes exist to keep personal data accurate and up to date
- [ ] Storage Limitation: Retention periods defined and enforced for all data categories
- [ ] Integrity and Confidentiality: Technical and organizational security measures in place
- [ ] Accountability: Ability to demonstrate compliance with all principles
## Article 6: Lawful Basis
- [ ] Lawful basis identified for each processing activity
- [ ] Consent is freely given, specific, informed, and unambiguous where used
- [ ] Consent withdrawal mechanism available and easy to use
- [ ] Legitimate interest assessments documented where Art. 6(1)(f) relied upon
- [ ] Legal bases recorded in ROPA
## Articles 13-14: Transparency
- [ ] Privacy notice provided at time of data collection (Art. 13)
- [ ] Privacy notice provided when data obtained indirectly (Art. 14)
- [ ] Notices include: controller identity, purposes, lawful basis, recipients, retention, rights, DPO contact
- [ ] Notices are concise, transparent, intelligible, and in plain language
- [ ] Notices available in appropriate languages
## Articles 15-22: Data Subject Rights
- [ ] Process for receiving and handling DSRs documented
- [ ] Identity verification procedure before fulfilling requests
- [ ] Response within one month (extendable by two months for complex requests)
- [ ] Right of access (Art. 15): can provide copy of personal data
- [ ] Right to rectification (Art. 16): can correct inaccurate data
- [ ] Right to erasure (Art. 17): can delete data across all systems including backups
- [ ] Right to restriction (Art. 18): can restrict processing when contested
- [ ] Right to portability (Art. 20): can export data in machine-readable format
- [ ] Right to object (Art. 21): can cease processing when objected to
- [ ] Automated decision-making (Art. 22): safeguards for solely automated decisions
## Article 25: Data Protection by Design and Default
- [ ] Privacy considerations integrated into system design processes
- [ ] Default settings are most privacy-protective
- [ ] Only personal data necessary for each purpose is processed by default
- [ ] Data protection integrated into development lifecycle
## Article 28: Processors
- [ ] All processors identified and documented
- [ ] Data Processing Agreements (DPAs) in place with all processors
- [ ] DPAs include required Art. 28 provisions
- [ ] Processor security measures verified
- [ ] Sub-processor notification process in place
## Article 30: Records of Processing Activities (ROPA)
- [ ] ROPA maintained and up to date
- [ ] All processing activities documented
- [ ] Controller details, purposes, data categories, recipients, transfers, retention, security measures recorded
- [ ] Available for supervisory authority on request
## Article 32: Security of Processing
- [ ] Risk-appropriate technical measures:
- [ ] Encryption of personal data (at rest and in transit)
- [ ] Pseudonymization implemented where appropriate
- [ ] Access controls and authentication
- [ ] Logging and monitoring of access to personal data
- [ ] Data loss prevention controls
- [ ] Risk-appropriate organizational measures:
- [ ] Information security policies
- [ ] Staff training on data protection
- [ ] Confidentiality agreements
- [ ] Access review processes
- [ ] Ability to restore availability and access after incident
- [ ] Regular testing and evaluation of security measures
## Articles 33-34: Breach Notification
- [ ] Breach detection and assessment procedures documented
- [ ] 72-hour notification to supervisory authority process in place
- [ ] Data subject notification process for high-risk breaches
- [ ] Breach register maintained
- [ ] Breach response plan tested within last 12 months
## Article 35: Data Protection Impact Assessment
- [ ] DPIA criteria documented (when DPIA is required)
- [ ] DPIA process documented
- [ ] DPIAs conducted for all high-risk processing
- [ ] DPO consulted on DPIAs
- [ ] DPIAs reviewed when processing changes
## Articles 44-49: International Transfers
- [ ] All international transfers identified and documented
- [ ] Transfer mechanisms in place (adequacy, SCCs, BCRs)
- [ ] Transfer Impact Assessments conducted for non-adequate countries
- [ ] Supplementary measures implemented where required
- [ ] Standard Contractual Clauses (new 2021 modular version) executed
## Articles 37-39: Data Protection Officer
- [ ] DPO appointed (if required: public authority, core activity large-scale monitoring, core activity special categories)
- [ ] DPO has expert knowledge of data protection law
- [ ] DPO involved in all data protection matters
- [ ] DPO reports to highest management level
- [ ] DPO contact details published and communicated to supervisory authority
---
## Summary
| GDPR Area | Items | Compliant | Non-Compliant | N/A |
|-----------|-------|-----------|---------------|-----|
| Principles (Art. 5) | | | | |
| Lawful Basis (Art. 6) | | | | |
| Transparency (Art. 13-14) | | | | |
| Data Subject Rights (Art. 15-22) | | | | |
| Privacy by Design (Art. 25) | | | | |
| Processors (Art. 28) | | | | |
| ROPA (Art. 30) | | | | |
| Security (Art. 32) | | | | |
| Breach Notification (Art. 33-34) | | | | |
| DPIA (Art. 35) | | | | |
| International Transfers (Art. 44-49) | | | | |
| DPO (Art. 37-39) | | | | |
| **Total** | | | | |
## Sign-off
| Role | Name | Signature | Date |
|------|------|-----------|------|
| DPO | | | |
| CISO | | | |
| Legal Counsel | | | |
| Senior Management | | | |
@@ -0,0 +1,108 @@
# GDPR Standards Reference
## Primary Legislation
### Regulation (EU) 2016/679 - General Data Protection Regulation
- **Adopted**: April 14, 2016
- **Effective**: May 25, 2018
- **Scope**: Applies to any organization processing personal data of EU/EEA residents
- **Chapters**: 11 chapters, 99 articles, 173 recitals
- **Enforcement**: Supervisory authorities in each EU member state
- **Penalties**: Up to EUR 20 million or 4% of annual global turnover (whichever is greater)
## Key Articles Reference
### Chapter II - Principles (Articles 5-11)
- **Art. 5**: Core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
- **Art. 6**: Six lawful bases for processing
- **Art. 7**: Conditions for consent
- **Art. 8**: Child's consent (minimum age varies by member state, 13-16)
- **Art. 9**: Special categories of data (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation)
- **Art. 10**: Criminal conviction data
### Chapter III - Rights of the Data Subject (Articles 12-23)
- **Art. 12**: Transparent communication (one month response deadline)
- **Art. 13**: Information for direct collection
- **Art. 14**: Information for indirect collection
- **Art. 15**: Right of access (copy of data, processing purposes, recipients, retention periods, safeguards for transfers)
- **Art. 16**: Right to rectification
- **Art. 17**: Right to erasure (applies when: consent withdrawn, purpose fulfilled, unlawful processing, legal obligation)
- **Art. 18**: Right to restriction of processing
- **Art. 20**: Right to data portability (structured, commonly used, machine-readable format)
- **Art. 21**: Right to object (especially direct marketing - absolute right)
- **Art. 22**: Automated individual decision-making including profiling
### Chapter IV - Controller and Processor (Articles 24-43)
- **Art. 24**: Responsibility of the controller
- **Art. 25**: Data protection by design and by default
- **Art. 26**: Joint controllers
- **Art. 28**: Processor (DPA requirements: subject-matter, duration, nature/purpose, personal data types, data subject categories, controller obligations/rights)
- **Art. 30**: Records of processing activities
- **Art. 32**: Security of processing
- **Art. 33**: Notification to supervisory authority (72 hours)
- **Art. 34**: Communication to data subject (when high risk to rights and freedoms)
- **Art. 35**: Data Protection Impact Assessment (DPIA)
- **Art. 36**: Prior consultation with supervisory authority
- **Art. 37-39**: Data Protection Officer
### Chapter V - International Transfers (Articles 44-49)
- **Art. 45**: Adequacy decision (EU Commission determines adequate countries)
- **Art. 46**: Appropriate safeguards (SCCs, BCRs, codes of conduct, certification)
- **Art. 47**: Binding Corporate Rules
- **Art. 49**: Derogations (explicit consent, contract, public interest)
## Supporting Standards and Guidance
### ISO/IEC 27701:2019
- Privacy Information Management System (PIMS) extension to ISO 27001
- Maps GDPR requirements to ISO management system controls
- Provides controller and processor-specific guidance
### EDPB Guidelines
- Guidelines on Data Protection Impact Assessment (WP 248)
- Guidelines on Data Breach Notification (WP 250)
- Guidelines on Consent (updated 2020)
- Guidelines on International Data Transfers (post-Schrems II)
- Guidelines on Data Protection by Design and Default (04/2019)
### Transfer Mechanisms Post-Schrems II
- **Standard Contractual Clauses (SCCs)**: New modular SCCs adopted June 2021
- Module 1: Controller to Controller
- Module 2: Controller to Processor
- Module 3: Processor to Processor
- Module 4: Processor to Controller
- **Transfer Impact Assessment (TIA)**: Required to supplement SCCs
- **Supplementary Measures**: Technical (encryption, pseudonymization), contractual, organizational
- **EU-US Data Privacy Framework**: Adequacy decision adopted July 2023
### DPIA Criteria (Article 35(3) and EDPB)
DPIA required when processing involves:
1. Systematic and extensive evaluation of personal aspects (profiling)
2. Large-scale processing of special categories or criminal data
3. Systematic monitoring of publicly accessible areas
4. New technologies with potential high risk
5. Large-scale data processing
6. Matching or combining datasets
7. Data concerning vulnerable subjects
8. Innovative use of biometric data
9. Data transfers outside EU without adequacy
10. Processing that prevents data subjects from exercising rights
## Supervisory Authorities
| Country | Authority | Website |
|---------|-----------|---------|
| EU-wide | European Data Protection Board (EDPB) | edpb.europa.eu |
| France | CNIL | cnil.fr |
| Germany | BfDI (Federal), State DPAs | bfdi.bund.de |
| Ireland | DPC | dataprotection.ie |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Spain | AEPD | aepd.es |
| Italy | Garante | garanteprivacy.it |
| UK | ICO (UK GDPR post-Brexit) | ico.org.uk |
## Key Enforcement Decisions (Benchmark)
- Meta (Ireland DPC, 2023): EUR 1.2 billion - Transfers to US without adequate safeguards
- Amazon (Luxembourg CNPD, 2021): EUR 746 million - Advertising targeting
- WhatsApp (Ireland DPC, 2021): EUR 225 million - Transparency failures
- Google (CNIL, 2022): EUR 150 million - Cookie consent
- H&M (Hamburg DPA, 2020): EUR 35.3 million - Employee surveillance
@@ -0,0 +1,288 @@
# GDPR Data Protection Control Workflows
## Workflow 1: Data Subject Request (DSR) Handling
```
Start
|
v
[Receive DSR from Data Subject]
- Via email, web form, phone, in-person
- Record receipt timestamp (30-day clock starts)
|
v
[Verify Identity of Requestor]
- Request additional identification if needed
- Clock pauses until identity verified
|
v
[Classify Request Type]
|
+--> Access Request (Art. 15) --> Locate all personal data
+--> Rectification (Art. 16) --> Identify incorrect data
+--> Erasure (Art. 17) --> Verify grounds for erasure
+--> Restriction (Art. 18) --> Flag data for restriction
+--> Portability (Art. 20) --> Export in machine-readable format
+--> Objection (Art. 21) --> Assess processing basis
|
v
[Check for Exemptions]
- Legal obligation to retain
- Freedom of expression
- Public health
- Archiving in public interest
- Legal claims
|
v
[Execute Request Across All Systems]
- Production databases
- Backups and archives
- Third-party processors
- Cloud services
- Analytics platforms
|
v
[Document Action Taken]
|
v
[Respond to Data Subject within 30 days]
- Extension to 60 additional days if complex (notify subject)
|
v
End
```
## Workflow 2: Data Breach Notification (Art. 33-34)
```
Start
|
v
[Breach Detected or Reported]
- Technical detection (SIEM, DLP, IDS)
- Employee report
- External notification
- Third-party processor notification
|
v
[72-hour Clock Starts]
|
v
[Assess Breach Severity]
- Number of data subjects affected
- Types of personal data compromised
- Special categories involved?
- Risk to rights and freedoms
|
v
[Determine Notification Requirements]
|
+--> [Risk to Rights and Freedoms?]
|
+--> No Risk --> Document in breach register only
|
+--> Risk exists --> Notify Supervisory Authority (72 hours)
| |
| v
+--> High Risk --> Notify Supervisory Authority (72 hours)
AND notify affected data subjects
|
v
[Prepare Supervisory Authority Notification]
- Nature of the breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Name and contact details of DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach
|
v
[Submit Notification to Lead Supervisory Authority]
|
v
[If High Risk: Notify Data Subjects]
- Clear and plain language
- Description of breach
- DPO contact information
- Likely consequences
- Measures taken to mitigate
|
v
[Conduct Post-Breach Review]
- Root cause analysis
- Control improvements
- Update breach register
|
v
End
```
## Workflow 3: Data Protection Impact Assessment (DPIA)
```
Start
|
v
[Identify Processing Activity]
|
v
[Screen Against DPIA Criteria]
- Profiling or automated decision-making?
- Large-scale special category data?
- Systematic monitoring of public areas?
- New technology application?
- Cross-border data transfer?
- Vulnerable data subjects?
|
+--> [No DPIA triggers] --> Document screening decision --> End
|
+--> [DPIA required]
|
v
[Describe Processing Operation]
- Purpose and scope
- Data elements collected
- Data subjects categories
- Recipients and transfers
- Retention period
- Technology used
|
v
[Assess Necessity and Proportionality]
- Is processing necessary for the purpose?
- Could purpose be achieved with less data?
- Is lawful basis appropriate?
- Are data subject rights supported?
|
v
[Identify and Assess Risks]
- Risks to confidentiality
- Risks to integrity
- Risks to availability
- Risks to rights and freedoms
- Likelihood and severity of each risk
|
v
[Identify Mitigation Measures]
- Technical measures (encryption, pseudonymization, access controls)
- Organizational measures (policies, training, DPO oversight)
- Contractual measures (DPAs, SCCs)
|
v
[Determine Residual Risk]
|
+--> [Residual Risk Acceptable] --> Approve and proceed
|
+--> [Residual Risk High] --> Consult DPO
| |
| +--> [Can mitigate further] --> Add measures
| |
| +--> [Cannot mitigate] --> Prior consultation
| with Supervisory Authority (Art. 36)
|
v
[Document DPIA]
- Keep under review
- Reassess when processing changes
|
v
End
```
## Workflow 4: International Data Transfer Assessment
```
Start
|
v
[Identify Cross-Border Transfer]
- Data flowing outside EEA
- Cloud services in non-EEA regions
- Group company data sharing
- Vendor/processor locations
|
v
[Check Adequacy Decision]
- Is destination country on EU adequacy list?
- (Andorra, Argentina, Canada, Faroe Islands, Guernsey,
Israel, Isle of Man, Japan, Jersey, New Zealand, Republic
of Korea, Switzerland, UK, Uruguay, US under DPF)
|
+--> [Adequate] --> Document and proceed
|
+--> [Not Adequate]
|
v
[Select Transfer Mechanism]
|
+--> Standard Contractual Clauses (SCCs)
+--> Binding Corporate Rules (BCRs)
+--> Approved Code of Conduct
+--> Certification Mechanism
+--> Derogations (Art. 49) - limited circumstances
|
v
[Conduct Transfer Impact Assessment (TIA)]
- Laws of destination country
- Government surveillance powers
- Data protection standards
- Access by public authorities
|
v
[Identify Supplementary Measures]
- Technical: encryption with EEA-held keys
- Contractual: additional processor obligations
- Organizational: policies limiting access
|
v
[Document Transfer Mechanism]
- Signed SCCs with correct module
- TIA findings and conclusions
- Supplementary measures implemented
|
v
End
```
## Workflow 5: Records of Processing Activities (ROPA)
```
Start
|
v
[Identify All Processing Activities]
- Interview business units
- Review system inventory
- Analyze data flows
- Check vendor agreements
|
v
[For Each Processing Activity Document:]
|
v
[Controller Record (Art. 30(1))]
- Name and contact details of controller (and DPO)
- Purposes of processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Transfers to third countries (safeguards)
- Retention periods
- Technical and organizational security measures
|
v
[Processor Record (Art. 30(2))]
- Name and contact details of processor and controller
- Categories of processing carried out
- Transfers to third countries (safeguards)
- Technical and organizational security measures
|
v
[Maintain and Update ROPA]
- Review quarterly or when processing changes
- Update for new systems, vendors, purposes
- Make available to supervisory authority on request
|
v
End
```
@@ -0,0 +1,535 @@
#!/usr/bin/env python3
"""
GDPR Data Protection Compliance Automation
Automates data mapping, ROPA creation, DPIA assessment, data subject
request tracking, breach notification management, and compliance reporting.
"""
import json
import csv
import os
from datetime import datetime, timedelta
from pathlib import Path
from dataclasses import dataclass, field, asdict
from enum import Enum
from typing import Optional
class LawfulBasis(Enum):
CONSENT = "Consent (Art. 6(1)(a))"
CONTRACT = "Contract (Art. 6(1)(b))"
LEGAL_OBLIGATION = "Legal Obligation (Art. 6(1)(c))"
VITAL_INTERESTS = "Vital Interests (Art. 6(1)(d))"
PUBLIC_TASK = "Public Task (Art. 6(1)(e))"
LEGITIMATE_INTEREST = "Legitimate Interest (Art. 6(1)(f))"
class DSRType(Enum):
ACCESS = "Right of Access (Art. 15)"
RECTIFICATION = "Right to Rectification (Art. 16)"
ERASURE = "Right to Erasure (Art. 17)"
RESTRICTION = "Right to Restriction (Art. 18)"
PORTABILITY = "Right to Data Portability (Art. 20)"
OBJECTION = "Right to Object (Art. 21)"
AUTOMATED = "Automated Decision-Making (Art. 22)"
class BreachSeverity(Enum):
NO_RISK = "No Risk"
RISK = "Risk to Rights and Freedoms"
HIGH_RISK = "High Risk to Rights and Freedoms"
class TransferMechanism(Enum):
ADEQUACY = "Adequacy Decision (Art. 45)"
SCCS = "Standard Contractual Clauses (Art. 46(2)(c))"
BCRS = "Binding Corporate Rules (Art. 47)"
CONSENT = "Explicit Consent (Art. 49(1)(a))"
CONTRACT = "Necessary for Contract (Art. 49(1)(b))"
DEROGATION = "Other Derogation (Art. 49)"
ADEQUATE_COUNTRIES = [
"Andorra", "Argentina", "Canada", "Faroe Islands", "Guernsey",
"Israel", "Isle of Man", "Japan", "Jersey", "New Zealand",
"Republic of Korea", "Switzerland", "United Kingdom", "Uruguay",
"United States (Data Privacy Framework participants)"
]
@dataclass
class ProcessingActivity:
activity_id: str
name: str
purpose: str
lawful_basis: str
data_subjects: list
personal_data_categories: list
special_categories: bool = False
recipients: list = field(default_factory=list)
international_transfers: list = field(default_factory=list)
retention_period: str = ""
systems: list = field(default_factory=list)
security_measures: list = field(default_factory=list)
dpia_required: bool = False
controller_name: str = ""
processor_name: str = ""
@dataclass
class DataSubjectRequest:
dsr_id: str
request_type: str
data_subject_name: str
data_subject_email: str
received_date: str
identity_verified: bool = False
identity_verified_date: str = ""
deadline: str = ""
status: str = "Received"
systems_searched: list = field(default_factory=list)
response_date: str = ""
notes: str = ""
def __post_init__(self):
if not self.deadline and self.received_date:
received = datetime.strptime(self.received_date, "%Y-%m-%d")
self.deadline = (received + timedelta(days=30)).strftime("%Y-%m-%d")
@dataclass
class BreachRecord:
breach_id: str
detected_date: str
detected_time: str
description: str
data_categories: list
subjects_affected: int
severity: str
notification_deadline: str = ""
authority_notified: bool = False
authority_notification_date: str = ""
subjects_notified: bool = False
subjects_notification_date: str = ""
root_cause: str = ""
remediation: str = ""
status: str = "Investigating"
def __post_init__(self):
if not self.notification_deadline and self.detected_date:
detected = datetime.strptime(self.detected_date, "%Y-%m-%d")
self.notification_deadline = (detected + timedelta(hours=72)).strftime("%Y-%m-%d %H:%M")
@dataclass
class DPIARecord:
dpia_id: str
processing_activity: str
description: str
necessity_assessment: str
risks_identified: list
mitigation_measures: list
residual_risk: str
dpo_consultation: bool = False
authority_consultation: bool = False
approved: bool = False
approval_date: str = ""
reviewer: str = ""
class GDPRComplianceManager:
"""Manages GDPR compliance controls and tracking."""
def __init__(self, output_dir: str = "./gdpr_output"):
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.processing_activities: list[ProcessingActivity] = []
self.dsr_log: list[DataSubjectRequest] = []
self.breach_register: list[BreachRecord] = []
self.dpia_register: list[DPIARecord] = []
def create_ropa(self, activities: list[dict]) -> list[ProcessingActivity]:
"""Create Records of Processing Activities (Art. 30)."""
print("\n" + "=" * 70)
print("RECORDS OF PROCESSING ACTIVITIES (ROPA)")
print("=" * 70)
for act_data in activities:
activity = ProcessingActivity(**act_data)
self.processing_activities.append(activity)
print(f"\n [{activity.activity_id}] {activity.name}")
print(f" Purpose: {activity.purpose}")
print(f" Lawful Basis: {activity.lawful_basis}")
print(f" Data Subjects: {', '.join(activity.data_subjects)}")
print(f" Special Categories: {'Yes' if activity.special_categories else 'No'}")
print(f" International Transfers: {'Yes' if activity.international_transfers else 'No'}")
print(f" DPIA Required: {'Yes' if activity.dpia_required else 'No'}")
# Summary statistics
total = len(self.processing_activities)
special = sum(1 for a in self.processing_activities if a.special_categories)
transfers = sum(1 for a in self.processing_activities if a.international_transfers)
dpia_needed = sum(1 for a in self.processing_activities if a.dpia_required)
print(f"\n ROPA Summary:")
print(f" Total Processing Activities: {total}")
print(f" Special Category Processing: {special}")
print(f" International Transfers: {transfers}")
print(f" DPIA Required: {dpia_needed}")
# Lawful basis breakdown
basis_counts = {}
for a in self.processing_activities:
basis_counts.setdefault(a.lawful_basis, 0)
basis_counts[a.lawful_basis] += 1
print(f"\n Lawful Basis Breakdown:")
for basis, count in basis_counts.items():
print(f" {basis}: {count}")
# Save ROPA
ropa_path = self.output_dir / "ropa.json"
with open(ropa_path, "w") as f:
json.dump([asdict(a) for a in self.processing_activities], f, indent=2)
csv_path = self.output_dir / "ropa.csv"
with open(csv_path, "w", newline="", encoding="utf-8") as f:
writer = csv.writer(f)
writer.writerow([
"Activity ID", "Name", "Purpose", "Lawful Basis",
"Data Subjects", "Personal Data Categories", "Special Categories",
"Recipients", "International Transfers", "Retention Period",
"Systems", "Security Measures", "DPIA Required"
])
for a in self.processing_activities:
writer.writerow([
a.activity_id, a.name, a.purpose, a.lawful_basis,
"; ".join(a.data_subjects), "; ".join(a.personal_data_categories),
"Yes" if a.special_categories else "No",
"; ".join(a.recipients), "; ".join(a.international_transfers),
a.retention_period, "; ".join(a.systems),
"; ".join(a.security_measures), "Yes" if a.dpia_required else "No"
])
print(f"\n ROPA saved to: {ropa_path}")
return self.processing_activities
def process_dsr(self, requests: list[dict]) -> dict:
"""Track and manage data subject requests."""
print("\n" + "=" * 70)
print("DATA SUBJECT REQUEST TRACKER")
print("=" * 70)
for req_data in requests:
dsr = DataSubjectRequest(**req_data)
self.dsr_log.append(dsr)
print(f"\n [{dsr.dsr_id}] {dsr.request_type}")
print(f" Subject: {dsr.data_subject_name}")
print(f" Received: {dsr.received_date}")
print(f" Deadline: {dsr.deadline}")
print(f" Status: {dsr.status}")
print(f" Identity Verified: {'Yes' if dsr.identity_verified else 'No'}")
# Overdue check
today = datetime.now().strftime("%Y-%m-%d")
overdue = [d for d in self.dsr_log if d.deadline < today and d.status != "Completed"]
if overdue:
print(f"\n ALERT: {len(overdue)} overdue DSRs!")
for d in overdue:
print(f" [{d.dsr_id}] {d.request_type} - Deadline: {d.deadline}")
# Summary
type_counts = {}
for d in self.dsr_log:
type_counts.setdefault(d.request_type, 0)
type_counts[d.request_type] += 1
print(f"\n DSR Summary:")
for rtype, count in type_counts.items():
print(f" {rtype}: {count}")
print(f" Total: {len(self.dsr_log)}")
print(f" Overdue: {len(overdue)}")
dsr_path = self.output_dir / "dsr_log.json"
with open(dsr_path, "w") as f:
json.dump([asdict(d) for d in self.dsr_log], f, indent=2)
print(f"\n DSR Log saved to: {dsr_path}")
return {"total": len(self.dsr_log), "overdue": len(overdue), "by_type": type_counts}
def manage_breach(self, breaches: list[dict]) -> list[BreachRecord]:
"""Manage breach register and notification tracking."""
print("\n" + "=" * 70)
print("BREACH REGISTER AND NOTIFICATION TRACKER")
print("=" * 70)
for breach_data in breaches:
breach = BreachRecord(**breach_data)
self.breach_register.append(breach)
print(f"\n [{breach.breach_id}] {breach.description[:60]}...")
print(f" Detected: {breach.detected_date} {breach.detected_time}")
print(f" Severity: {breach.severity}")
print(f" Subjects Affected: {breach.subjects_affected}")
print(f" Notification Deadline: {breach.notification_deadline}")
print(f" Authority Notified: {'Yes' if breach.authority_notified else 'No'}")
if breach.severity == BreachSeverity.HIGH_RISK.value:
print(f" Subjects Notified: {'Yes' if breach.subjects_notified else 'No'}")
print(f" Status: {breach.status}")
breach_path = self.output_dir / "breach_register.json"
with open(breach_path, "w") as f:
json.dump([asdict(b) for b in self.breach_register], f, indent=2)
print(f"\n Breach Register saved to: {breach_path}")
return self.breach_register
def conduct_dpia(self, dpias: list[dict]) -> list[DPIARecord]:
"""Conduct and record Data Protection Impact Assessments."""
print("\n" + "=" * 70)
print("DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)")
print("=" * 70)
for dpia_data in dpias:
dpia = DPIARecord(**dpia_data)
self.dpia_register.append(dpia)
print(f"\n [{dpia.dpia_id}] {dpia.processing_activity}")
print(f" Description: {dpia.description[:60]}...")
print(f" Risks Identified: {len(dpia.risks_identified)}")
print(f" Mitigation Measures: {len(dpia.mitigation_measures)}")
print(f" Residual Risk: {dpia.residual_risk}")
print(f" DPO Consulted: {'Yes' if dpia.dpo_consultation else 'No'}")
print(f" Approved: {'Yes' if dpia.approved else 'No'}")
dpia_path = self.output_dir / "dpia_register.json"
with open(dpia_path, "w") as f:
json.dump([asdict(d) for d in self.dpia_register], f, indent=2)
print(f"\n DPIA Register saved to: {dpia_path}")
return self.dpia_register
def assess_compliance(self) -> dict:
"""Generate overall GDPR compliance assessment."""
print("\n" + "=" * 70)
print("GDPR COMPLIANCE ASSESSMENT")
print("=" * 70)
checks = {
"Article 5 - Principles": {
"All processing has documented lawful basis": bool(self.processing_activities),
"Purpose limitation documented for each activity": False,
"Data minimization assessed": False,
"Accuracy procedures in place": False,
"Retention periods defined": any(a.retention_period for a in self.processing_activities),
"Security measures documented": any(a.security_measures for a in self.processing_activities),
},
"Article 25 - Privacy by Design": {
"Development processes include privacy reviews": False,
"Default privacy settings implemented": False,
"Data minimization built into systems": False,
},
"Article 30 - ROPA": {
"Records of processing maintained": bool(self.processing_activities),
"Controller details documented": any(a.controller_name for a in self.processing_activities),
"All processing activities captured": len(self.processing_activities) > 0,
},
"Article 32 - Security Measures": {
"Encryption implemented for personal data": False,
"Pseudonymization implemented where appropriate": False,
"Access controls for personal data systems": False,
"Regular security testing performed": False,
},
"Articles 33-34 - Breach Notification": {
"Breach detection capabilities in place": False,
"72-hour notification process documented": False,
"Breach register maintained": bool(self.breach_register),
"Breach response tested": False,
},
"Article 35 - DPIA": {
"DPIA criteria documented": False,
"DPIAs conducted for high-risk processing": bool(self.dpia_register),
"DPO consulted on DPIAs": any(d.dpo_consultation for d in self.dpia_register),
},
"Articles 12-22 - Data Subject Rights": {
"DSR handling process documented": False,
"30-day response capability": bool(self.dsr_log),
"Identity verification process": any(d.identity_verified for d in self.dsr_log),
"Erasure capability across systems": False,
"Portability export capability": False,
},
"Articles 44-49 - International Transfers": {
"Cross-border transfers mapped": any(a.international_transfers for a in self.processing_activities),
"Transfer mechanisms in place (SCCs/BCRs)": False,
"Transfer impact assessments conducted": False,
},
}
total = sum(len(v) for v in checks.values())
passed = sum(sum(1 for x in v.values() if x) for v in checks.values())
pct = (passed / total * 100) if total > 0 else 0
print(f"\n Compliance Score: {passed}/{total} ({pct:.1f}%)")
for article, items in checks.items():
cat_passed = sum(1 for x in items.values() if x)
cat_total = len(items)
print(f"\n {article} ({cat_passed}/{cat_total}):")
for item, status in items.items():
icon = "[PASS]" if status else "[FAIL]"
print(f" {icon} {item}")
report = {
"date": datetime.now().isoformat(),
"compliance_percentage": pct,
"checks": checks,
"ropa_count": len(self.processing_activities),
"dsr_count": len(self.dsr_log),
"breach_count": len(self.breach_register),
"dpia_count": len(self.dpia_register),
}
report_path = self.output_dir / "gdpr_compliance_report.json"
with open(report_path, "w") as f:
json.dump(report, f, indent=2)
print(f"\n Compliance Report saved to: {report_path}")
return report
def main():
"""Run GDPR compliance assessment."""
manager = GDPRComplianceManager()
# ROPA
sample_activities = [
{
"activity_id": "PROC-001",
"name": "Customer Account Management",
"purpose": "Managing customer accounts and providing services",
"lawful_basis": LawfulBasis.CONTRACT.value,
"data_subjects": ["Customers"],
"personal_data_categories": ["Name", "Email", "Phone", "Address", "Payment details"],
"recipients": ["Payment processor", "CRM provider"],
"international_transfers": ["US (Payment processor - SCCs)"],
"retention_period": "Duration of contract + 6 years",
"systems": ["CRM", "Payment gateway", "Database"],
"security_measures": ["Encryption at rest", "TLS in transit", "RBAC", "MFA"],
"controller_name": "Example Corp Ltd",
},
{
"activity_id": "PROC-002",
"name": "Employee HR Processing",
"purpose": "Employment administration, payroll, benefits",
"lawful_basis": LawfulBasis.CONTRACT.value,
"data_subjects": ["Employees", "Job applicants"],
"personal_data_categories": ["Name", "Address", "DOB", "NI number", "Bank details", "Health data"],
"special_categories": True,
"recipients": ["Payroll provider", "Pension provider", "HMRC"],
"retention_period": "Employment + 7 years",
"systems": ["HRIS", "Payroll system"],
"security_measures": ["Encryption", "Access controls", "Audit logging"],
"dpia_required": True,
"controller_name": "Example Corp Ltd",
},
{
"activity_id": "PROC-003",
"name": "Website Analytics",
"purpose": "Analyzing website usage to improve user experience",
"lawful_basis": LawfulBasis.CONSENT.value,
"data_subjects": ["Website visitors"],
"personal_data_categories": ["IP address", "Cookie identifiers", "Browsing behavior"],
"recipients": ["Analytics provider"],
"international_transfers": ["US (Analytics provider - EU-US DPF)"],
"retention_period": "26 months",
"systems": ["Website", "Analytics platform"],
"security_measures": ["IP anonymization", "Cookie consent", "Data pseudonymization"],
"controller_name": "Example Corp Ltd",
},
]
manager.create_ropa(sample_activities)
# DSRs
sample_dsrs = [
{
"dsr_id": "DSR-001",
"request_type": DSRType.ACCESS.value,
"data_subject_name": "John Smith",
"data_subject_email": "john.smith@email.com",
"received_date": "2024-12-01",
"identity_verified": True,
"identity_verified_date": "2024-12-02",
"status": "In Progress",
"systems_searched": ["CRM", "Email", "Analytics"],
},
{
"dsr_id": "DSR-002",
"request_type": DSRType.ERASURE.value,
"data_subject_name": "Jane Doe",
"data_subject_email": "jane.doe@email.com",
"received_date": "2024-12-15",
"identity_verified": True,
"identity_verified_date": "2024-12-16",
"status": "Completed",
"response_date": "2024-12-28",
},
]
manager.process_dsr(sample_dsrs)
# Breaches
sample_breaches = [
{
"breach_id": "BREACH-001",
"detected_date": "2024-11-15",
"detected_time": "14:30",
"description": "Unauthorized access to customer database via compromised admin credentials",
"data_categories": ["Name", "Email", "Phone"],
"subjects_affected": 2500,
"severity": BreachSeverity.HIGH_RISK.value,
"authority_notified": True,
"authority_notification_date": "2024-11-16",
"subjects_notified": True,
"subjects_notification_date": "2024-11-18",
"root_cause": "Credential compromise via phishing",
"remediation": "MFA enforced, passwords reset, phishing training deployed",
"status": "Closed",
},
]
manager.manage_breach(sample_breaches)
# DPIAs
sample_dpias = [
{
"dpia_id": "DPIA-001",
"processing_activity": "Employee HR Processing",
"description": "Processing of employee health data for occupational health and benefits administration",
"necessity_assessment": "Processing is necessary for employment contract and legal obligations",
"risks_identified": [
"Unauthorized access to health data",
"Data breach exposing sensitive employee information",
"Excessive data collection beyond what is necessary",
],
"mitigation_measures": [
"Encryption of all health data at rest and in transit",
"Strict RBAC limiting access to HR and OH staff only",
"Audit logging of all access to health records",
"Annual access reviews",
"Staff training on handling special category data",
],
"residual_risk": "Low",
"dpo_consultation": True,
"approved": True,
"approval_date": "2024-06-15",
"reviewer": "DPO",
},
]
manager.conduct_dpia(sample_dpias)
# Overall compliance assessment
manager.assess_compliance()
print("\n" + "=" * 70)
print("GDPR COMPLIANCE ASSESSMENT COMPLETE")
print("=" * 70)
if __name__ == "__main__":
main()