GDPR Compliance Planning
Comprehensive guidance for General Data Protection Regulation compliance before development begins.
When to Use This Skill
-
Planning systems that process EU residents' personal data
-
Designing consent management and preference centers
-
Implementing data subject rights (access, erasure, portability)
-
Conducting Data Protection Impact Assessments (DPIA)
-
Defining data processing agreements and controller/processor relationships
GDPR Fundamentals
The 7 Principles
Principle Description Implementation Focus
Lawfulness, Fairness, Transparency Valid legal basis, fair processing, clear privacy notices Consent flows, privacy policies
Purpose Limitation Collect for specified, explicit purposes Purpose tracking, use restriction
Data Minimization Adequate, relevant, limited to purpose Field-level justification
Accuracy Keep data accurate and up to date Update mechanisms, verification
Storage Limitation Keep only as long as necessary Retention policies, auto-deletion
Integrity and Confidentiality Appropriate security measures Encryption, access control
Accountability Demonstrate compliance Audit logs, documentation
Lawful Bases for Processing
- Consent - Freely given, specific, informed, unambiguous
- Contract - Necessary for contract performance
- Legal Obligation - Required by law
- Vital Interests - Protect someone's life
- Public Task - Official authority/public interest
- Legitimate Interest - Balanced against data subject rights
Legitimate Interest Assessment (LIA):
-
Purpose test: Is there a legitimate interest?
-
Necessity test: Is processing necessary for that interest?
-
Balancing test: Do subject's interests override?
Data Subject Rights Implementation
Rights Checklist
Right Description Response Time Implementation
Access Copy of personal data 1 month Export endpoint
Rectification Correct inaccurate data 1 month Update endpoint
Erasure ("Right to be Forgotten") Delete personal data 1 month Deletion pipeline
Restrict Processing Limit use of data 1 month Processing flags
Data Portability Machine-readable export 1 month JSON/CSV export
Object Stop processing Without undue delay Opt-out mechanism
Automated Decision-Making Human review of decisions Varies Review queue
.NET Implementation Patterns
// Data Subject Request Handling public interface IDataSubjectRequestHandler { Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct); Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct); Task<PortableData> HandlePortabilityRequest(Guid subjectId, string format, CancellationToken ct); }
public class DataSubjectRequestService : IDataSubjectRequestHandler { private readonly IPersonalDataLocator _dataLocator; private readonly IAuditLogger _auditLogger; private readonly TimeProvider _timeProvider;
public async Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct)
{
await _auditLogger.LogRequestReceived(subjectId, "Access", _timeProvider.GetUtcNow());
var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
var export = new DataExport
{
SubjectId = subjectId,
GeneratedAt = _timeProvider.GetUtcNow(),
Categories = new List<DataCategory>()
};
foreach (var location in locations)
{
var data = await location.ExtractData(ct);
export.Categories.Add(new DataCategory
{
Name = location.CategoryName,
Purpose = location.ProcessingPurpose,
LawfulBasis = location.LawfulBasis,
RetentionPeriod = location.RetentionPolicy,
Data = data
});
}
await _auditLogger.LogRequestCompleted(subjectId, "Access", _timeProvider.GetUtcNow());
return export;
}
public async Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct)
{
// Check for legal holds or retention requirements
var blocks = await CheckErasureBlocks(subjectId, ct);
if (blocks.Any())
{
throw new ErasureBlockedException(blocks);
}
var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
foreach (var location in locations)
{
if (scope.IncludesCategory(location.CategoryName))
{
// Soft delete with scheduled hard delete
await location.MarkForDeletion(_timeProvider.GetUtcNow().AddDays(30), ct);
}
}
await _auditLogger.LogErasureInitiated(subjectId, scope, _timeProvider.GetUtcNow());
}
}
Consent Management
// Consent tracking with granular purposes public class ConsentRecord { public Guid SubjectId { get; init; } public string Purpose { get; init; } = string.Empty; public bool IsGranted { get; init; } public DateTimeOffset Timestamp { get; init; } public string ConsentMechanism { get; init; } = string.Empty; // e.g., "WebForm", "API" public string ConsentVersion { get; init; } = string.Empty; // Version of consent text public string? WithdrawalTimestamp { get; set; } }
public interface IConsentManager { Task RecordConsent(ConsentRecord consent, CancellationToken ct); Task WithdrawConsent(Guid subjectId, string purpose, CancellationToken ct); Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct); Task<IReadOnlyList<ConsentRecord>> GetConsentHistory(Guid subjectId, CancellationToken ct); }
public class GdprConsentManager : IConsentManager { private readonly IConsentRepository _repository; private readonly IEventPublisher _events;
public async Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct)
{
var latest = await _repository.GetLatestConsent(subjectId, purpose, ct);
if (latest is null)
return false;
if (latest.WithdrawalTimestamp is not null)
return false;
// Check if consent version is still current
var currentVersion = await _repository.GetCurrentConsentVersion(purpose, ct);
if (latest.ConsentVersion != currentVersion)
{
// Consent was given under old terms - needs re-consent
return false;
}
return latest.IsGranted;
}
}
Data Protection Impact Assessment (DPIA)
When DPIA is Required
DPIA is mandatory when processing is likely to result in high risk:
-
Systematic and extensive profiling with significant effects
-
Large-scale processing of special category data
-
Systematic monitoring of public areas
-
New technologies with unknown privacy impact
-
Automated decision-making with legal/similar effects
-
Large-scale processing of children's data
DPIA Template Structure
1. Description of Processing
- Nature: What will you do with the data?
- Scope: How much data, how many subjects, geographic area?
- Context: Internal/external factors affecting expectations?
- Purpose: What are you trying to achieve?
2. Necessity and Proportionality
- Lawful basis and justification
- Purpose limitation assessment
- Data minimization measures
- Data quality approach
- Storage limitation policy
3. Risk Assessment
Risks to Individuals
| Risk | Likelihood | Severity | Score | Mitigation |
|---|---|---|---|---|
| Unauthorized access | Medium | High | 6 | Encryption, MFA |
| Data breach | Low | Critical | 4 | Monitoring, IR plan |
| Inaccurate profiling | Medium | Medium | 4 | Human review |
Residual Risk
[After mitigations applied]
4. Consultation
- DPO advice obtained: [Date]
- Supervisory authority consulted: [If required]
- Data subject views considered: [How]
5. Sign-Off
| Role | Name | Approval | Date |
|---|---|---|---|
| Project Owner | [ ] | ||
| DPO | [ ] | ||
| CISO | [ ] |
Risk Scoring Matrix
SEVERITY
Low(1) Medium(2) High(3) Critical(4)
L High(4) 4 8 12 16 I Med(3) 3 6 9 12 K Low(2) 2 4 6 8 E V.Low(1) 1 2 3 4
Thresholds:
-
1-4: Acceptable risk
-
5-8: Mitigations required
-
9-12: Senior approval required
-
13+: Consult supervisory authority
Privacy by Design Checklist
Architecture Phase
-
Data flows documented with personal data highlighted
-
Purpose for each data element defined
-
Lawful basis identified per purpose
-
Retention periods defined per category
-
Access control requirements specified
-
Encryption requirements defined
-
Pseudonymization opportunities identified
Development Phase
-
Consent collection implemented correctly
-
Data subject rights endpoints created
-
Audit logging captures processing activities
-
Data retention automation implemented
-
Encryption at rest and in transit
-
Input validation prevents excess collection
-
Error messages don't leak personal data
Testing Phase
-
Consent flows tested (grant, withdraw, re-consent)
-
All DSR endpoints functional
-
Retention automation verified
-
Access controls tested
-
Audit logs complete and accurate
-
Penetration testing for data exposure
Record of Processing Activities (ROPA)
Article 30 Requirements
Controllers must maintain records of:
Processing Activity: Customer Account Management Controller: [Organization Name] DPO Contact: dpo@example.com Purposes:
- Account authentication
- Order fulfillment
- Customer support Categories of Data Subjects:
- Customers
- Prospective customers Categories of Personal Data:
- Name, email, phone
- Address
- Order history
- Payment tokens (not card numbers) Recipients:
- Payment processor (Stripe)
- Shipping provider (FedEx)
- Customer support platform (Zendesk) International Transfers:
- Stripe Inc. (US) - SCCs
- None to third countries without safeguards Retention:
- Active account: Duration of relationship
- Closed account: 7 years (legal requirement) Security Measures:
- TLS 1.3 in transit
- AES-256 at rest
- Role-based access control
- Regular access reviews
International Data Transfers
Transfer Mechanisms Post-Schrems II
Mechanism Use Case Requirements
Adequacy Decision EU-approved countries None additional
Standard Contractual Clauses (SCCs) Most common TIA required
Binding Corporate Rules Intra-group transfers Supervisory approval
Derogations (Art. 49) Occasional transfers Limited scope
Transfer Impact Assessment (TIA)
Transfer Impact Assessment
1. Transfer Details
- Exporter: [EU entity]
- Importer: [Third country entity]
- Countries: [List]
- Data types: [Categories]
- Transfer mechanism: [SCCs/BCRs/etc.]
2. Third Country Assessment
- Laws requiring disclosure to authorities
- Surveillance legislation
- Rule of law / judicial independence
- Practical access by authorities
3. Supplementary Measures
- Technical: [Encryption, pseudonymization]
- Contractual: [Additional clauses]
- Organizational: [Policies, training]
4. Conclusion
- Risk level: [Acceptable/Requires mitigation/Unacceptable]
- Decision: [Proceed/Modify/Suspend]
Cross-References
-
CCPA/CPRA: See similar concepts (disclosure, deletion, opt-out)
-
AI Governance: ai-governance skill for AI-specific requirements
-
Security Frameworks: security-frameworks for technical controls
-
Data Classification: data-classification for sensitivity levels
Resources
-
GDPR Full Text
-
EDPB Guidelines
-
ICO GDPR Guidance