Anthropic-Cybersecurity-Skills/skills/implementing-gdpr-data-protection-controls/references/workflows.md

# GDPR Data Protection Control Workflows

## Workflow 1: Data Subject Request (DSR) Handling

```
Start
  |
  v
[Receive DSR from Data Subject]
  - Via email, web form, phone, in-person
  - Record receipt timestamp (30-day clock starts)
  |
  v
[Verify Identity of Requestor]
  - Request additional identification if needed
  - Clock pauses until identity verified
  |
  v
[Classify Request Type]
  |
  +--> Access Request (Art. 15) --> Locate all personal data
  +--> Rectification (Art. 16) --> Identify incorrect data
  +--> Erasure (Art. 17) --> Verify grounds for erasure
  +--> Restriction (Art. 18) --> Flag data for restriction
  +--> Portability (Art. 20) --> Export in machine-readable format
  +--> Objection (Art. 21) --> Assess processing basis
  |
  v
[Check for Exemptions]
  - Legal obligation to retain
  - Freedom of expression
  - Public health
  - Archiving in public interest
  - Legal claims
  |
  v
[Execute Request Across All Systems]
  - Production databases
  - Backups and archives
  - Third-party processors
  - Cloud services
  - Analytics platforms
  |
  v
[Document Action Taken]
  |
  v
[Respond to Data Subject within 30 days]
  - Extension to 60 additional days if complex (notify subject)
  |
  v
End
```

## Workflow 2: Data Breach Notification (Art. 33-34)

```
Start
  |
  v
[Breach Detected or Reported]
  - Technical detection (SIEM, DLP, IDS)
  - Employee report
  - External notification
  - Third-party processor notification
  |
  v
[72-hour Clock Starts]
  |
  v
[Assess Breach Severity]
  - Number of data subjects affected
  - Types of personal data compromised
  - Special categories involved?
  - Risk to rights and freedoms
  |
  v
[Determine Notification Requirements]
  |
  +--> [Risk to Rights and Freedoms?]
        |
        +--> No Risk --> Document in breach register only
        |
        +--> Risk exists --> Notify Supervisory Authority (72 hours)
        |                    |
        |                    v
        +--> High Risk --> Notify Supervisory Authority (72 hours)
                           AND notify affected data subjects
  |
  v
[Prepare Supervisory Authority Notification]
  - Nature of the breach
  - Categories and approximate number of data subjects
  - Categories and approximate number of records
  - Name and contact details of DPO
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
  |
  v
[Submit Notification to Lead Supervisory Authority]
  |
  v
[If High Risk: Notify Data Subjects]
  - Clear and plain language
  - Description of breach
  - DPO contact information
  - Likely consequences
  - Measures taken to mitigate
  |
  v
[Conduct Post-Breach Review]
  - Root cause analysis
  - Control improvements
  - Update breach register
  |
  v
End
```

## Workflow 3: Data Protection Impact Assessment (DPIA)

```
Start
  |
  v
[Identify Processing Activity]
  |
  v
[Screen Against DPIA Criteria]
  - Profiling or automated decision-making?
  - Large-scale special category data?
  - Systematic monitoring of public areas?
  - New technology application?
  - Cross-border data transfer?
  - Vulnerable data subjects?
  |
  +--> [No DPIA triggers] --> Document screening decision --> End
  |
  +--> [DPIA required]
        |
        v
[Describe Processing Operation]
  - Purpose and scope
  - Data elements collected
  - Data subjects categories
  - Recipients and transfers
  - Retention period
  - Technology used
  |
  v
[Assess Necessity and Proportionality]
  - Is processing necessary for the purpose?
  - Could purpose be achieved with less data?
  - Is lawful basis appropriate?
  - Are data subject rights supported?
  |
  v
[Identify and Assess Risks]
  - Risks to confidentiality
  - Risks to integrity
  - Risks to availability
  - Risks to rights and freedoms
  - Likelihood and severity of each risk
  |
  v
[Identify Mitigation Measures]
  - Technical measures (encryption, pseudonymization, access controls)
  - Organizational measures (policies, training, DPO oversight)
  - Contractual measures (DPAs, SCCs)
  |
  v
[Determine Residual Risk]
  |
  +--> [Residual Risk Acceptable] --> Approve and proceed
  |
  +--> [Residual Risk High] --> Consult DPO
  |                             |
  |                             +--> [Can mitigate further] --> Add measures
  |                             |
  |                             +--> [Cannot mitigate] --> Prior consultation
  |                                    with Supervisory Authority (Art. 36)
  |
  v
[Document DPIA]
  - Keep under review
  - Reassess when processing changes
  |
  v
End
```

## Workflow 4: International Data Transfer Assessment

```
Start
  |
  v
[Identify Cross-Border Transfer]
  - Data flowing outside EEA
  - Cloud services in non-EEA regions
  - Group company data sharing
  - Vendor/processor locations
  |
  v
[Check Adequacy Decision]
  - Is destination country on EU adequacy list?
  - (Andorra, Argentina, Canada, Faroe Islands, Guernsey,
     Israel, Isle of Man, Japan, Jersey, New Zealand, Republic
     of Korea, Switzerland, UK, Uruguay, US under DPF)
  |
  +--> [Adequate] --> Document and proceed
  |
  +--> [Not Adequate]
        |
        v
      [Select Transfer Mechanism]
        |
        +--> Standard Contractual Clauses (SCCs)
        +--> Binding Corporate Rules (BCRs)
        +--> Approved Code of Conduct
        +--> Certification Mechanism
        +--> Derogations (Art. 49) - limited circumstances
        |
        v
      [Conduct Transfer Impact Assessment (TIA)]
        - Laws of destination country
        - Government surveillance powers
        - Data protection standards
        - Access by public authorities
        |
        v
      [Identify Supplementary Measures]
        - Technical: encryption with EEA-held keys
        - Contractual: additional processor obligations
        - Organizational: policies limiting access
        |
        v
      [Document Transfer Mechanism]
        - Signed SCCs with correct module
        - TIA findings and conclusions
        - Supplementary measures implemented
  |
  v
End
```

## Workflow 5: Records of Processing Activities (ROPA)

```
Start
  |
  v
[Identify All Processing Activities]
  - Interview business units
  - Review system inventory
  - Analyze data flows
  - Check vendor agreements
  |
  v
[For Each Processing Activity Document:]
  |
  v
[Controller Record (Art. 30(1))]
  - Name and contact details of controller (and DPO)
  - Purposes of processing
  - Categories of data subjects
  - Categories of personal data
  - Categories of recipients
  - Transfers to third countries (safeguards)
  - Retention periods
  - Technical and organizational security measures
  |
  v
[Processor Record (Art. 30(2))]
  - Name and contact details of processor and controller
  - Categories of processing carried out
  - Transfers to third countries (safeguards)
  - Technical and organizational security measures
  |
  v
[Maintain and Update ROPA]
  - Review quarterly or when processing changes
  - Update for new systems, vendors, purposes
  - Make available to supervisory authority on request
  |
  v
End
```