By mukul975
Implement and audit privacy compliance for GDPR, CCPA, HIPAA, LGPD, PIPL, and 20+ regulations using 283 specialized skills to conduct DPIAs, process DSARs, manage consents, handle breaches, build RoPAs, assess vendors, configure retention, and deploy privacy-enhancing tech.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Implements 42 CFR Part 2 protections for substance use disorder patient records. Covers written consent requirements stricter than HIPAA, re-disclosure prohibition, court order procedures, qualified service organization agreements, and 2024 amendments aligning Part 2 with HIPAA. Keywords: 42 CFR Part 2, substance use disorder, SUD records, re-disclosure, consent, Part 2 amendments.
Guides assessment of third-country adequacy decisions under GDPR Article 45 for international data transfers. Covers the current EC adequacy decisions list, adequacy assessment criteria, partial adequacy handling, and monitoring of adequacy decision reviews. Keywords: adequacy decision, Article 45, third country, adequate protection, EC adequacy list.
Implements age-gating mechanisms for online services to restrict access based on user age. Covers hard gates versus soft gates, neutral age prompts, re-verification triggers, circumvention prevention, and regulatory requirements under GDPR, COPPA, UK Online Safety Act, and DSA. Keywords: age gate, age restriction, neutral prompt, children, online services, access control.
Evaluates and implements age estimation and verification technologies for online services. Covers facial age estimation, digital ID verification, self-declaration with risk assessment, AI-based age estimation, and the accuracy versus privacy tradeoff. Includes ICO guidance and euCONSENT framework. Keywords: age verification, age estimation, facial analysis, digital ID, children, online safety.
Preparing EU AI Act compliance documentation for high-risk AI systems. Covers Annex III classification, technical documentation under Art. 11, conformity assessment, risk management systems, and CE marking requirements. Keywords: EU AI Act, high-risk AI, Annex III, conformity assessment, CE marking.
Implements GDPR Art. 22 automated decision-making and AI Act Art. 14 human oversight requirements for AI systems. Covers identification of solely automated decisions, meaningful human intervention design, logic explanation mechanisms, and contestation procedures. Keywords: Art. 22, automated decision, human oversight, AI Act, profiling, contestation.
Assesses AI bias risks for GDPR Art. 9 special category data and AI Act Art. 10 data governance. Covers fairness metrics, bias detection methods, mitigation strategies, and documentation requirements for protected characteristics. Keywords: AI bias, special category, fairness metrics, discrimination, Art. 9, Art. 10.
Manages AI model retention and machine unlearning requirements. Covers training data deletion verification, model versioning for compliance, machine unlearning techniques (SISA, gradient-based), and retraining triggers. Keywords: AI retention, machine unlearning, model versioning, training data deletion, retraining, storage limitation.
Implements data subject rights mechanisms for AI systems including right to explanation of AI decisions, contestation procedures, human review, model output correction, and training data access. Covers GDPR Arts. 15-22 and AI Act Art. 86. Keywords: data subject rights, AI explanation, contestation, human review, training data access, model correction.
Pre-deployment privacy compliance checklist for AI/ML systems covering DPIA completion, lawful basis verification, transparency notices, human oversight mechanisms, bias testing, and post-deployment monitoring setup. Keywords: AI deployment, privacy checklist, go-live, model deployment, compliance gate.
Conducts Data Protection Impact Assessments for AI and ML systems per EDPB Guidelines 04/2025 on AI processing. Covers training data lawfulness evaluation, model risk assessment, automated decision triggers, and AI-specific DPIA methodology. Keywords: AI DPIA, machine learning impact assessment, EDPB AI guidelines, model risk, training data.
Implements federated learning architecture patterns for GDPR compliance. Covers secure aggregation protocols, differential privacy integration, communication protocols, and privacy-by-design distributed ML training. Keywords: federated learning, distributed training, secure aggregation, differential privacy, privacy-preserving ML.
Conducts privacy auditing of AI models including training data extraction testing, membership inference attacks, model inversion testing, and attribute inference assessment. Uses ML Privacy Meter and related tools to quantify privacy leakage. Keywords: model audit, membership inference, privacy meter, model inversion, training data extraction.
Guides the combined DPIA and AI Act conformity assessment for AI systems processing personal data. Covers EDPB-EDPS Joint Opinion 5/2021, training data lawfulness under Art. 6 and Art. 9, Art. 22 automated decision-making, algorithmic bias detection, and NIST AI RMF MAP function. Keywords: AI privacy, DPIA, AI Act, algorithmic bias, automated decision-making, Art. 22, training data, NIST AI RMF.
Provides combined DPIA and AI Act conformity assessment template with integrated risk scoring matrix. Covers GDPR Art. 35 DPIA elements, AI Act high-risk system requirements, mitigation measures, and human oversight assessment. Keywords: DPIA template, conformity assessment, risk scoring, AI Act, combined assessment, high-risk AI.
Managing privacy risks from AI-driven inferences about individuals including derived data classification, profiling under GDPR Art. 22, inference accuracy obligations, and controlling automated personality/behaviour predictions. Keywords: AI inference, derived data, profiling, automated predictions, GDPR.
Classifies sensitive data in AI/ML training datasets including bias detection for Art. 9 categories, data card documentation, provenance tracking, and consent verification for model training. Keywords: AI training data, ML dataset, bias detection, data card, model training, Art 9, consent, GDPR AI.
Assesses lawful basis for AI training data processing per EDPB April 2025 report on LLMs and general-purpose AI. Covers legitimate interest balancing tests, consent challenges for ML training, public dataset assessment, and web scraping lawfulness. Keywords: AI training data, lawful basis, EDPB LLM, legitimate interest, consent, web scraping.
Implements AI transparency requirements under EU AI Act Arts. 13-14 and GDPR Arts. 13-14. Covers user notification of AI interaction, system capability disclosure, limitation documentation, and meaningful information about automated logic. Keywords: AI transparency, EU AI Act, GDPR notification, explainability, automated decision.
Determines controller-processor relationships for AI services and conducts privacy due diligence. Covers SaaS AI (processor), embedded AI (joint controller), API-based AI (assessment framework), and vendor risk assessment. Keywords: AI vendor, controller-processor, due diligence, SaaS AI, joint controller, Art. 28.
Managing consent for analytics cookies and implementing privacy-preserving measurement. Covers GA4 privacy configuration, consent mode fallback behavior, aggregate reporting alternatives, and cookieless measurement approaches.
Evaluates anonymization as a retention alternative under GDPR Recital 26, applying the WP29 Opinion 05/2014 techniques including randomization and generalization. Validates anonymization effectiveness using k-anonymity, l-diversity, and t-closeness metrics. Activate for anonymization, de-identification, k-anonymity, retention alternative queries.
Guides management of cross-border data transfers under Asia-Pacific regulatory frameworks including APEC CBPR, ASEAN Model Contractual Clauses, Japan APPI supplementary rules, South Korea PIPA provisions, and Thailand/Singapore PDPA mechanisms. Keywords: APEC CBPR, ASEAN MCCs, APPI, PIPA, PDPA, APAC transfers.
Guides APEC Cross-Border Privacy Rules system certification process including self-assessment against the APEC Privacy Framework principles, accountability agent selection, intake questionnaire completion, certification decision, annual recertification, and Global CBPR Forum transition. Keywords: APEC, CBPR, cross-border privacy, accountability agent, certification, Global CBPR.
Systematic application of the eight privacy design patterns per Hoepman: minimize, hide, separate, abstract, inform, control, enforce, and demonstrate. Covers pattern selection methodology per processing activity, mapping to GDPR principles, and practical implementation guidance for privacy-by-design system architecture.
Guides assessment and application of GDPR Article 49 derogation conditions for international data transfers in the absence of adequacy decisions or appropriate safeguards. Covers explicit consent, contract necessity, public interest, vital interests, public register, and compelling legitimate interests with restrictive interpretation per EDPB Guidelines 2/2018. Keywords: Art. 49, derogations, transfer exceptions, explicit consent, compelling legitimate interests.
Guides privacy audit evidence collection processes including evidence planning, sampling strategies, documentation standards, chain of custody, interview techniques, system walkthrough procedures, and evidence evaluation. Covers ISO 19011 evidence categories (records, statements of fact, observations) and ISACA audit evidence requirements for privacy compliance assessments. Keywords: audit evidence, evidence collection, sampling, chain of custody, audit documentation, interview techniques.
Guides audit follow-up and verification processes including follow-up scheduling, remediation effectiveness testing, finding closure criteria, re-testing procedures, status reporting, and escalation of unremediated findings. Implements IIA Standard 2500 monitoring requirements and ISO 19011 follow-up guidance for privacy audit engagements. Keywords: audit follow-up, verification testing, finding closure, remediation effectiveness, re-testing, follow-up audit.
Guides audit findings remediation program management including finding prioritization by severity (critical, high, medium, low), owner assignment, remediation planning, deadline tracking, verification testing, closure criteria, escalation protocols, and management reporting. Covers remediation lifecycle from finding issuance to verified closure. Keywords: audit remediation, finding management, prioritization, verification testing, closure criteria, remediation tracking.
Guides privacy audit report writing including executive summary drafting, findings classification (critical, high, medium, low), evidence referencing, root cause analysis documentation, recommendation formulation, management response tracking, and report distribution protocols. Covers report structure from scope definition through appendices and sign-off. Keywords: audit report, findings documentation, executive summary, recommendations, report structure, privacy audit deliverables.
Guides privacy audit risk assessment including risk universe development, inherent and residual risk scoring, control effectiveness evaluation, risk-based audit planning, heat map generation, risk appetite alignment, and audit prioritization by risk exposure. Covers the full audit risk assessment cycle from scoping through ongoing monitoring. Keywords: audit risk assessment, risk universe, inherent risk, residual risk, control effectiveness, risk-based audit planning.
Guides privacy audit sampling methodology including statistical and non-statistical sampling, sample size determination, stratification techniques, attribute sampling for compliance testing, confidence level selection, tolerable deviation rates, and extrapolation of results to the population. Keywords: audit sampling, statistical sampling, attribute testing, sample size, confidence level, stratified sampling, privacy audit.
Guides compliance with Australia's Privacy Act 1988 including the 2024 reform amendments. Covers automated decision-making transparency, children's privacy code, individual rights expansion, enforcement strengthening, and the Australian Privacy Principles (APPs). Keywords: Australia Privacy Act, APPs, OAIC, automated decisions, children privacy code, privacy reform.
Implements automated PII discovery and classification using tools like Microsoft Purview, BigID, OneTrust DataDiscovery, and AWS Macie. Covers scanning schedules, accuracy tuning, false positive management, and integration patterns. Keywords: data discovery, PII scanning, Purview, BigID, Macie, OneTrust, automated classification, data cataloging.
Implements automated data deletion workflows for GDPR Article 17 right to erasure and retention period expiry. Covers cascading deletion across dependent systems, dependency handling for referential integrity, confirmation logging, and audit trail generation. Activate for automated deletion, erasure automation, data purge, retention expiry queries.
Manages GDPR Article 22 rights related to solely automated decision-making and profiling, including identification of automated decisions, meaningful human oversight implementation, logic explanation requirements, and contestation mechanisms. Activate for automated decision, profiling, Art. 22, algorithmic decision, AI decision queries.
Generates Records of Processing Activities automatically from IT system inventories including Active Directory, cloud service catalogs, API gateway logs, and database schemas. Covers automated field population, data flow discovery, and system-to-RoPA mapping. Activate for automated RoPA, system inventory, data discovery, auto-population, IT-driven records.
Automated enforcement of GDPR Article 5(1)(e) storage limitation principle. Covers TTL-based deletion, retention policy engines, archival workflows, legal hold exemptions, and lifecycle automation. Includes technical implementation patterns for automated data expiry and defensible deletion across distributed systems.
Manages privacy compliance for employee background checks including criminal record processing under Art. 10 GDPR, DBS checks (UK), national law variations, and reference verification. Applies proportionality and data minimisation to pre-employment screening, defines retention limits, and addresses role-based necessity assessments. Keywords: background check, criminal record, Art. 10, DBS, pre-employment screening, vetting, data minimisation, proportionality.
Manages backup and archive data under retention schedules and erasure obligations. Covers the technical infeasibility exception for backup deletion, backup cycle alignment with retention periods, restore-and-delete procedures, and interim protective measures during backup retention. Activate for backup deletion, archive erasure, backup retention, restore and delete, technical infeasibility queries.
Guides development and approval of Binding Corporate Rules under GDPR Article 47 for intra-group international data transfers. Covers Art. 47(2)(a)-(n) content requirements, BCR approval process with lead supervisory authority, and WP256/WP257 referentials. Keywords: BCR, binding corporate rules, intra-group transfers, Art. 47.
Guides DPIA for biometric processing systems including facial recognition, fingerprint, voice, iris, and gait analysis. Covers Art. 9 special category requirements, Art. 35(3)(b) mandatory DPIA triggers for large-scale biometric processing, and EDPB Guidelines 3/2019 on video surveillance. Keywords: biometric, facial recognition, fingerprint, DPIA, Art. 9, special category, EDPB Guidelines 3/2019.
Guides compliance with Brazil's Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018). Covers the 10 lawful bases under Art. 7, DPO appointment, ANPD enforcement, data subject rights under Arts. 17-22, and international transfer mechanisms. Keywords: LGPD, Brazil data protection, ANPD, lawful bases, data subject rights, international transfers.
Executes the GDPR Article 33 mandatory breach notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. Covers required notification content, deadline calculation, risk assessment for notification threshold, and DPO involvement. Keywords: GDPR, Article 33, breach notification, 72 hours, supervisory authority, DPO, EDPB.
Coordinates credit monitoring and identity theft protection services for individuals affected by a data breach. Covers vendor selection criteria, enrollment logistics, coverage duration (12-24 months), identity theft insurance options, communication to affected individuals, and enrollment rate tracking. Keywords: credit monitoring, identity protection, breach response, Experian, enrollment, identity theft insurance.
Implements technical breach detection capabilities including SIEM integration, DLP alert configuration, anomaly detection rules, and insider threat monitoring. Provides a breach classification taxonomy across confidentiality, integrity, and availability dimensions. Covers detection tool selection, alert tuning, and integration with privacy incident response workflows. Keywords: breach detection, SIEM, DLP, anomaly detection, insider threat, classification.
Maintains the GDPR Article 33(5) breach register documenting all personal data breaches regardless of whether supervisory authority notification was required. Covers mandatory register fields including facts, effects, and remedial actions, retention periods, audit readiness, and integration with the accountability framework. Keywords: breach register, Article 33(5), breach documentation, accountability, audit readiness, remedial actions.
Conducts digital forensics investigations following a personal data breach, covering evidence preservation, chain of custody documentation, log analysis, scope determination, and root cause analysis. References industry-standard tools including Splunk, ELK Stack, and Wireshark. Provides forensic workflow from initial evidence collection through final investigation report. Keywords: digital forensics, breach investigation, evidence preservation, chain of custody, root cause analysis, Splunk, ELK, Wireshark.
Manages coordinated breach notification across multiple legal jurisdictions including EU member states (72-hour GDPR deadline), US state breach notification laws (varying timelines from 30 to 90 days), and other international regimes. Covers conflict resolution when notification timelines differ, lead supervisory authority determination, and parallel notification execution. Keywords: multi-jurisdiction, cross-border breach, notification coordination, GDPR, US state laws, international breach notification.
Conducts structured post-breach remediation using a lessons learned framework covering root cause remediation, control gap closure, policy updates, training modifications, monitoring enhancements, and regulatory follow-up. Provides a systematic approach to preventing breach recurrence and demonstrating accountability to supervisory authorities. Keywords: post-breach, remediation, lessons learned, root cause, control gap, policy update, training.
Builds a comprehensive breach response team playbook defining CSIRT and privacy team structure with named roles (incident commander, legal counsel, communications, IT forensics, DPO), escalation matrices, communication templates, pre-negotiated vendor contacts, and regulatory authority contacts organized by jurisdiction. Keywords: breach response playbook, CSIRT, incident response team, escalation matrix, communication templates, vendor contacts.
Determines whether a personal data breach triggers notification obligations under GDPR Articles 33 and 34 using structured risk assessment methodology. Covers breach type classification (CIA triad), data sensitivity scoring, volume assessment, identifiability analysis, and consequence severity evaluation. References EDPB Guidelines 01/2021 with 18 breach scenarios. Keywords: breach risk assessment, GDPR, Article 33, Article 34, EDPB, notification threshold.
Designs and executes tabletop breach simulation exercises for testing organizational breach response capabilities. Covers scenario creation with realistic inject timelines, participant role assignment, communication testing across internal and external channels, decision-point evaluation, and after-action report generation. Keywords: tabletop exercise, breach simulation, incident response testing, scenario design, after-action report.
Manages direct communication to affected data subjects following a personal data breach under GDPR Article 34 when the breach is likely to result in a high risk to their rights and freedoms. Covers the high risk threshold, required notification content per Art. 34(2), exemptions under Art. 34(3), and breach notification letter templates for five scenarios. Keywords: data subject notification, Article 34, high risk, breach communication, GDPR.
Technical enforcement of GDPR Article 5(1)(b) purpose limitation principle. Covers purpose-tagged data stores, access control per purpose, Article 6(4) compatibility assessment factors, and system design for preventing purpose creep. Includes purpose binding architecture and compatibility test implementation.
Implements BYOD privacy compliance frameworks for personal device use in the workplace. Covers personal vs corporate data separation, MDM capabilities and limitations, employee consent requirements, data wiping boundaries, and monitoring restrictions on personal devices. Keywords: BYOD, mobile device management, MDM, personal device, data separation, containerisation, remote wipe, employee privacy.
Executes breach notification under California Civil Code Section 1798.82 (California data breach notification law). Covers data elements triggering notification, timing requirements (most expedient time possible), AG notification for 500+ California residents, specific content and format requirements, and substitute notice provisions. Keywords: California, breach notification, Cal. Civ. Code 1798.82, attorney general, CCPA, data elements.
California consumer privacy rights workflow implementation under CCPA/CPRA. Covers right to know, delete, opt-out of sale/sharing, correct, and limit sensitive PI processing. Includes 45-day response timelines, identity verification procedures, and authorized agent handling.
Guides compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5). Covers the 10 fair information principles in Schedule 1, consent requirements, cross-border transfer obligations, breach notification under Division 1.1, and OPC enforcement. Keywords: PIPEDA, Canada privacy, fair information principles, OPC, breach notification, cross-border transfer, consent.
Manages California Consumer Privacy Act (CCPA) consumer rights requests under Civil Code sections 1798.100-125, covering the right to know, right to delete, right to opt-out of sale, and non-discrimination. Includes 45-day response window and identity verification requirements. Activate for CCPA, California privacy, right to know, right to delete, opt-out of sale queries.
Complete CCPA/CPRA compliance implementation covering California Civil Code §1798.100-199. Includes consumer rights framework, business obligations, service provider and contractor requirements, enforcement mechanisms, and CPPA rulemaking. Triggers on CCPA, CPRA, California privacy, consumer rights.
Implements CCPA Section 1798.105 right to delete and CPRA amendments including service provider obligations, statutory exceptions for legal, security, and internal uses, consumer identity verification procedures, and 45-day response timeline management. Activate for CCPA deletion, CPRA right to delete, California privacy, consumer deletion queries.
Implements strict data minimization and retention limits for children's personal data under GDPR Art. 5(1)(c), Recital 38, UK AADC Standard 8, and COPPA Section 312.7. Covers strict necessity testing, shorter retention periods, limited profiling, parental dashboard design, and automated deletion. Keywords: data minimization, children, retention, necessity test, parental dashboard.
Manages deletion requests for children's personal data. Covers parental-initiated versus child-initiated requests, age of capacity assessment, identity verification, scope determination, third-party notification obligations, and regulatory timelines under GDPR Art. 17, COPPA Section 312.6, and UK AADC Standard 15. Keywords: deletion, children, right to erasure, parental request, data deletion, COPPA.
Designs and implements privacy notices for children that comply with GDPR Articles 12-14, UK AADC Standard 4, and COPPA Section 312.4. Covers plain language, visual explanations, layered information, age-appropriate vocabulary, and interactive notice elements. Keywords: children privacy notice, transparency, plain language, visual, age-appropriate, layered notice.
Implements profiling restrictions for children under GDPR Recital 71, Article 22, UK AADC Standard 12, and COPPA. Covers prohibition of behavioural advertising to children, recommendation algorithm limitations, nudge technique prohibition, and automated decision-making safeguards. Keywords: profiling, children, behavioural advertising, recommendation algorithm, AADC, automated decision.
Guides compliance with China's Personal Information Protection Law (PIPL, effective 1 November 2021). Covers consent requirements, cross-border transfer mechanisms (CAC security assessment, standard contracts, certification), separate consent triggers, and critical information infrastructure obligations. Keywords: PIPL, China data protection, CAC security assessment, cross-border transfer, separate consent, CIIO.
Develops data classification policies with tiered handling (public, internal, confidential, restricted), labeling requirements, enforcement mechanisms, and procedures per tier. Covers policy governance, exception handling, and compliance monitoring. Keywords: classification policy, data tiers, handling procedures, labeling, enforcement, data governance, information security.
Guides DPIA for migrating personal data to cloud infrastructure covering controller-processor analysis under Art. 28, international transfer assessment, encryption requirements, and shared responsibility model evaluation. Activate for cloud adoption, SaaS procurement, or data centre migration projects. Keywords: cloud migration, DPIA, Art. 28, processor, encryption, shared responsibility, SaaS, IaaS, PaaS.
Cloud service provider privacy assessment framework. Covers ISO 27018 cloud privacy controls, CSA STAR certification, SOC 2 Type II evaluation, shared responsibility model mapping, data residency verification, and cloud-specific privacy risk analysis.
Configures cloud storage retention policies across AWS S3, Azure Blob Storage, and Google Cloud Storage. Covers lifecycle rules, object lock, legal hold, immutability policies, cross-region replication retention alignment, and compliance mode configuration. Activate for cloud retention, S3 lifecycle, Azure retention, GCP retention policy queries.
Implementation guide for CNIL cookie guidelines compliance. References the EUR 150M Google fine and EUR 60M Meta fine. Covers equal prominence accept/reject buttons, cookie wall prohibition, 6-month reconsent intervals, essential cookies exemption, and detailed CNIL Deliberation No. 2020-091 requirements.
Designing and implementing CNIL-compliant cookie consent banners for French and EU audiences. References the EUR 100M Google LLC fine and EUR 150M Meta Platforms fine for non-compliant cookie practices. Covers equal prominence, reject-all buttons, cookie walls prohibition, and 6-month reconsent cycles.
Colorado Privacy Act (CPA) compliance implementation. Covers universal opt-out mechanism required since July 2024, profiling opt-out rights, sensitive data consent requirements, AG rulemaking under 4 CCR 904-3, and consumer rights framework. Effective July 1, 2023.
Compares PIA/DPIA methodologies: CNIL PIA tool, ICO DPIA template, NIST Privacy Framework, and ISO 29134. Provides methodology selection criteria based on regulatory jurisdiction, organisation maturity, processing complexity, and resource availability. Covers regulatory acceptance, tool features, and cross-methodology mapping. Keywords: PIA methodology, CNIL, ICO, NIST Privacy Framework, ISO 29134, DPIA comparison, assessment.
Guides the end-to-end GDPR Data Protection Impact Assessment process under Article 35, including mandatory trigger identification per Art. 35(3), DPIA content requirements per Art. 35(7), and EDPB WP248rev.01 methodology. Activate for systematic profiling, large-scale special category processing, or large-scale public monitoring. Keywords: DPIA, Article 35, impact assessment, WP248, data protection, risk assessment.
Complete guide to LINDDUN privacy threat modeling methodology covering seven threat categories: Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance. Includes DFD-based analysis, threat tree catalogs, mitigation mapping to privacy design patterns, and step-by-step process.
Guides managing conflicting privacy requirements across jurisdictions. Covers data localisation vs transfer freedom, consent standards variation, age thresholds, breach timelines, and resolution frameworks for incompatible obligations. Keywords: conflicting laws, data localisation, consent variation, age thresholds, resolution framework.
Connecticut Data Privacy Act (CTDPA) compliance. Covers consumer rights, controller obligations, dark pattern prohibition, loyalty program exemption, universal opt-out requirement effective January 2025, sensitive data consent, and AG enforcement. Effective July 1, 2023.
Guide for obtaining explicit consent for international data transfers under GDPR Article 49(1)(a). Covers informed consent requirements including risks of transfers without adequacy decisions or appropriate safeguards, specific destination country disclosure, and the narrow scope of derogation-based transfers.
Framework for evaluating and selecting Consent Management Platforms (CMPs). Covers TCF v2.2 certification requirements, Global Privacy Control support, multi-regulation compliance (GDPR, CCPA, LGPD), A/B testing capabilities, API integration options, reporting features, and a structured vendor comparison methodology.
Technical architecture guide for building a multi-purpose consent preference center. Covers per-purpose granularity, easy withdrawal under Article 7(3), version history, audit trails, and IAB Transparency and Consent Framework v2.2 integration. Includes database schema, API design, and UI component specifications.
Implement the Kantara Initiative consent receipt specification including machine-readable receipt structure, JWT-based verification mechanisms, receipt lifecycle management, and integration patterns for consent management platforms. Supports ISO/IEC 27560 consent record information structure.
Guide for building a consent record-keeping system to demonstrate valid consent per GDPR Article 7(1). Covers required fields including timestamp, version, purpose, mechanism, and identity. Implements audit-ready consent receipts per the Kantara Initiative Consent Receipt Specification and supervisory authority expectations.
Implementation guide for GDPR Article 7(3) consent withdrawal mechanisms. Covers the equal ease requirement ensuring withdrawal is as easy as giving consent, one-click withdrawal implementation, cascading effects on downstream processing, third-party notification workflows, and technical architecture for real-time consent revocation.
Guides continuous privacy compliance monitoring implementation including automated control testing, evidence collection automation, real-time compliance dashboards, alert-based remediation workflows, regulatory change integration, and deviation management. Covers GRC platform configuration, control framework mapping, and compliance-as-code approaches. Keywords: continuous compliance, automated monitoring, evidence collection, dashboard, regulatory change, compliance-as-code.
Creates GDPR Article 30(1) Records of Processing Activities (RoPA) for data controllers with all seven mandatory elements of Art. 30(1)(a)-(g): controller identity and contact details (plus joint controller, representative and DPO where applicable), processing purposes, categories of data subjects and of personal data, recipient categories, third country transfers with the safeguards relied on, envisaged retention periods, and a general description of the Art. 32(1) security measures where possible. Includes Python generator for automated RoPA creation. Activate for controller RoPA, Art. 30(1), processing records, data mapping.
Comprehensive methodology for auditing website cookies and tracking technologies. Covers automated scanning, cookie categorization, lifecycle documentation, and compliance gap analysis referencing the Planet49 CJEU ruling (C-673/17).
Methodology for auditing A/B testing of consent banners to ensure compliance with equal ease of acceptance and rejection. Covers CNIL enforcement patterns including the EUR 150M Google fine, dark pattern detection methodology, manipulative design identification, and regulatory-compliant experimentation boundaries.
Automated cookie consent validation using Selenium and Playwright. Covers banner interaction testing, consent state verification, tag firing audit after consent choices, regression testing for cookie compliance, and CI/CD pipeline integration.
Auditing cookie lifetimes against regulatory recommendations and browser policies. Covers CNIL 13-month maximum recommendation, session vs persistent classification, third-party cookie phase-out impact, and Safari ITP duration caps.
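As an added example (not code from the plugin) covering the cookie audit, the consent-state verification and the lifetime checks described in the four entries above: the audit takes Set-Cookie headers captured by a browser automation run in two phases (before any consent choice, and after a choice with a known set of consented categories), parses them, and flags non-exempt cookies set before consent (Planet49), cookies set for a category the user refused, undeclared cookies, and lifetimes over the CNIL 13-month recommendation. The category map, the sample headers and the 396-day approximation of 13 months are constructed for this example; the Playwright/Selenium capture itself is out of scope here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set, Tuple

# CNIL recommends a maximum cookie lifetime of 13 months; 396 days approximates it.
CNIL_MAX_LIFETIME = timedelta(days=396)

# Constructed category map. A real audit loads this from the site's cookie
# declaration / CMP configuration so undeclared cookies stand out.
COOKIE_CATEGORIES: Dict[str, str] = {
    "sessionid": "strictly_necessary",
    "csrftoken": "strictly_necessary",
    "_ga": "analytics",
    "_gid": "analytics",
    "_fbp": "advertising",
}
EXEMPT_CATEGORIES = {"strictly_necessary"}   # ePrivacy Art. 5(3) exemption


@dataclass
class Cookie:
    name: str
    value: str
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                cookie.max_age = int(val)
            except ValueError:
                pass                        # malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                exp = parsedate_to_datetime(val.strip())
                cookie.expires = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass
        else:
            cookie.attrs[key] = val.strip()
    return cookie


def lifetime(cookie: Cookie, now: datetime) -> Optional[timedelta]:
    """RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie."""
    if cookie.max_age is not None:
        return timedelta(seconds=cookie.max_age)
    if cookie.expires is not None:
        return cookie.expires - now
    return None


# One observation = (phase, categories the user consented to, raw Set-Cookie header).
# phase is "pre_consent" (banner shown, no choice made yet) or "post_consent".
Observation = Tuple[str, Set[str], str]


def audit_cookies(observations: List[Observation], now: datetime) -> List[dict]:
    findings: List[dict] = []

    def flag(cookie: Cookie, category: str, issue: str) -> None:
        findings.append({"cookie": cookie.name, "category": category, "issue": issue})

    for phase, consented, header in observations:
        cookie = parse_set_cookie(header)
        category = COOKIE_CATEGORIES.get(cookie.name)
        if category is None:
            category = "unknown"            # undeclared cookies are treated as non-exempt
            flag(cookie, category, "uncategorized")
        if category not in EXEMPT_CATEGORIES:
            if phase == "pre_consent":
                flag(cookie, category, "set_before_consent")   # Planet49: no consent, no cookie
            elif category not in consented:
                flag(cookie, category, "set_without_consent_for_category")
        life = lifetime(cookie, now)
        if life is not None and life > CNIL_MAX_LIFETIME:
            flag(cookie, category, "lifetime_exceeds_13_months")
    return findings


# Constructed capture: what a headless-browser run might record for one site.
SAMPLE_OBSERVATIONS: List[Observation] = [
    ("pre_consent", set(), "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("pre_consent", set(), "_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Domain=.example.test"),
    ("post_consent", {"analytics"}, "_gid=GA1.2.333.444; Max-Age=86400; Path=/"),
    ("post_consent", {"analytics"}, "_fbp=fb.1.555; Max-Age=7776000; Path=/"),
    ("pre_consent", set(), "exp_variant=B; Expires=Sat, 01 Mar 2025 00:00:00 GMT; Path=/"),
]
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_OBSERVATIONS, REFERENCE_NOW):
        print(f)
```

Feeding the findings into CI as test failures (one run per consent choice, plus a pre-consent run) gives the regression protection the entry above describes: a new tag that fires before consent breaks the build rather than waiting for the next manual scan.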
Evaluating and implementing cookie-less tracking alternatives for a post-cookie era. Covers the Privacy Sandbox APIs (Topics, Attribution Reporting, Protected Audiences), server-side analytics, and privacy-preserving measurement techniques.
Implements Children's Online Privacy Protection Act (COPPA) compliance under 16 CFR Part 312. Covers verifiable parental consent methods including signed forms, credit card verification, government ID, knowledge-based authentication, and video call. Includes FTC safe harbor programs and enforcement actions. Keywords: COPPA, FTC, children, parental consent, safe harbor, verifiable consent.
Implements CPRA Section 1798.135 opt-out preference signal handling, covering Global Privacy Control (GPC) technical detection, automated signal honoring, cross-device consistency, and the relationship between browser signals and explicit consumer choices. Activate for GPC, opt-out preference signal, CPRA 1798.135, browser privacy signal, Do Not Sell queries.
CPRA §1798.121 sensitive personal information restrictions and compliance. Covers all 9 sensitive PI categories including SSN, precise geolocation, racial/ethnic origin, biometric, genetic, health, and sex life data. Right to limit use/disclosure, permitted purposes, and implementation.
Handles GDPR Art. 10 criminal conviction and offence data classification including official authority requirements, national law derogations, and comprehensive register restrictions. Covers controller obligations for criminal background checks and offence records. Keywords: criminal data, Art 10, conviction data, offence records, criminal background, DBS check.
Harmonises data classification across jurisdictions mapping GDPR special categories vs CCPA sensitive PI (1798.140(ae)) vs HIPAA PHI (160.103) vs LGPD sensitive data (Art. 5-II). Provides cross-regulation mapping matrix for multinational compliance. Keywords: cross-jurisdiction, GDPR, CCPA, HIPAA, LGPD, sensitive data, multinational, classification mapping.
Implementing cookie compliance across multiple jurisdictions including EU ePrivacy Directive, UK PECR, US California CCPA/CPRA opt-out model, and Brazil LGPD. Provides a requirements matrix and geolocation-based implementation approach.
Guides systematic mapping of international personal data flows across an organisation. Covers system-by-system inventory methodology, third-party identification, transfer mechanism assignment, gap analysis, and data flow visualisation. Keywords: data flow mapping, international transfers, data inventory, transfer register, cross-border data flows.
Builds comprehensive data inventory per GDPR Art. 30 Records of Processing Activities. Covers system-by-system discovery, data flow diagramming, third-party identification, and legal basis per category. Keywords: data inventory, data mapping, Art 30, RoPA, data flow, processing activities.
Implements data classification labels and tagging systems including metadata tagging, DLP integration, automated label propagation, user-applied labels, and label inheritance rules. Covers Microsoft Purview sensitivity labels and enterprise labeling architecture. Keywords: data labeling, sensitivity labels, metadata tagging, DLP integration, label propagation, Purview, classification.
Implements data lineage tracking for privacy compliance including origin tracking, transformation logging, access auditing, deletion verification, and cross-system lineage graphs. Covers source-to-sink mapping, GDPR Art. 30 RoPA integration, automated lineage discovery, and breach impact scoping. Keywords: data lineage, data provenance, data flow mapping, transformation logging, deletion verification.
Guides compliance with country-specific data localization requirements across key jurisdictions including Russia (242-FZ), China (PIPL Art. 40, CAC measures), India (DPDP Act), Turkey, Vietnam, and Indonesia. Covers localization assessment, architecture design, and exemption procedures. Keywords: data localization, data residency, PIPL, 242-FZ, cross-border restrictions.
Executes GDPR Article 20 data portability requests, covering machine-readable format requirements (JSON, CSV, XML), direct controller-to-controller transfer mechanisms, and scope limitations to data provided by the subject on consent or contract basis. Activate for portability, data export, Art. 20, data transfer queries.
Delaware Personal Data Privacy Act (DPPA) compliance implementation. Covers consumer rights (access, correct, delete, portability, opt-out), controller obligations, processor requirements, sensitive data consent, universal opt-out recognition, DPIA requirements, and AG enforcement. Effective January 1, 2025, with no revenue threshold for applicability.
Architecture guide for GDPR-compliant federated learning systems. Covers horizontal and vertical FL, aggregation strategies (FedAvg, FedProx), communication efficiency, secure aggregation, and differential privacy integration. Includes privacy guarantees analysis and deployment patterns for cross-organizational ML without data sharing.
Design privacy-preserving analytics systems using differential privacy, k-anonymity, l-diversity, and t-closeness. Covers privacy budget allocation with epsilon tracking, references Google DP library, OpenDP, and Apple PPML. Includes Python differential privacy implementation for GDPR-compliant statistical analysis.
Deploy differential privacy in production systems including epsilon selection strategies, noise calibration with Laplace and Gaussian mechanisms, privacy budget tracking, composition theorems, and Python implementation patterns. Covers both central and local differential privacy models.
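As an added example (not the plugin's own implementation) of the privacy-budget tracking, Laplace and Gaussian noise calibration, and k-anonymity check described in the two entries above: a budget accountant under basic sequential composition that refuses queries once epsilon or delta would be exceeded, the Laplace mechanism for counts, the classic Gaussian calibration for (epsilon, delta)-DP, and the minimum equivalence class size over a set of quasi-identifiers. Class and function names, and the sample records, are constructed for this example; the `seed` argument exists only so tests are reproducible.

```python
import math
import random
from typing import Dict, List, Optional, Sequence, Tuple


class BudgetExhausted(Exception):
    pass


class PrivacyBudget:
    """Tracks cumulative (epsilon, delta) under basic sequential composition.

    k mechanisms with (eps_i, delta_i) together satisfy (sum eps_i, sum delta_i)-DP.
    Advanced composition or an RDP accountant gives tighter bounds and would
    replace the two additions in _charge().
    """

    def __init__(self, epsilon_total: float, delta_total: float = 0.0,
                 seed: Optional[int] = None):
        self.epsilon_total = epsilon_total
        self.delta_total = delta_total
        self.epsilon_spent = 0.0
        self.delta_spent = 0.0
        self.ledger: List[Dict] = []
        # Production noise must come from a CSPRNG; a seeded Random is for tests only.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()

    def can_spend(self, epsilon: float, delta: float = 0.0) -> bool:
        return (self.epsilon_spent + epsilon <= self.epsilon_total + 1e-12
                and self.delta_spent + delta <= self.delta_total + 1e-12)

    def remaining(self) -> Tuple[float, float]:
        return (self.epsilon_total - self.epsilon_spent, self.delta_total - self.delta_spent)

    def _charge(self, epsilon: float, delta: float, label: str, mechanism: str) -> None:
        if epsilon <= 0 or delta < 0:
            raise ValueError("epsilon must be > 0 and delta >= 0")
        if not self.can_spend(epsilon, delta):
            raise BudgetExhausted(f"{label!r}: query would exceed the privacy budget")
        self.epsilon_spent += epsilon
        self.delta_spent += delta
        self.ledger.append({"label": label, "mechanism": mechanism,
                            "epsilon": epsilon, "delta": delta})

    def laplace(self, true_value: float, epsilon: float,
                sensitivity: float = 1.0, label: str = "") -> float:
        """Laplace mechanism: noise ~ Lap(sensitivity / epsilon) gives pure epsilon-DP."""
        self._charge(epsilon, 0.0, label, "laplace")
        scale = sensitivity / epsilon
        # Lap(b) is the difference of two Exp(rate 1/b) variables; avoids log(0) edge cases.
        noise = scale * (self.rng.expovariate(1.0) - self.rng.expovariate(1.0))
        return true_value + noise

    def gaussian(self, true_value: float, epsilon: float, delta: float,
                 sensitivity: float = 1.0, label: str = "") -> float:
        """Gaussian mechanism, classic calibration sigma = S * sqrt(2 ln(1.25/delta)) / epsilon.

        That bound is only proven for 0 < epsilon < 1; use the analytic Gaussian
        mechanism for larger epsilon.
        """
        if not 0 < epsilon < 1 or delta <= 0:
            raise ValueError("classic Gaussian bound needs 0 < epsilon < 1 and delta > 0")
        self._charge(epsilon, delta, label, "gaussian")
        sigma = sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / epsilon
        return true_value + self.rng.gauss(0.0, sigma)


def min_equivalence_class(records: Sequence[dict], quasi_identifiers: Sequence[str]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values (the k in k-anonymity)."""
    counts: Dict[tuple, int] = {}
    for r in records:
        key = tuple(r.get(q) for q in quasi_identifiers)
        counts[key] = counts.get(key, 0) + 1
    return min(counts.values()) if counts else 0


# Constructed release table used by the demo below.
SAMPLE_RECORDS = [
    {"zip3": "902", "age_band": "30-39", "dx": "I10"},
    {"zip3": "902", "age_band": "30-39", "dx": "E11"},
    {"zip3": "902", "age_band": "30-39", "dx": "J45"},
    {"zip3": "941", "age_band": "40-49", "dx": "I10"},
    {"zip3": "941", "age_band": "40-49", "dx": "K21"},
]

if __name__ == "__main__":
    budget = PrivacyBudget(epsilon_total=1.0, seed=7)
    print("noisy count:", budget.laplace(len(SAMPLE_RECORDS), epsilon=0.5, label="n_patients"))
    print("remaining:", budget.remaining())
    print("k =", min_equivalence_class(SAMPLE_RECORDS, ["zip3", "age_band"]))
```

The ledger is the artefact an auditor wants: every release is attributable to a labelled query with its epsilon, and the accountant, not the analyst, decides when the dataset is exhausted.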
Provides GDPR Article 13 information at the point of direct data collection, covering all required elements under Art. 13(1)(a)-(f) and Art. 13(2)(a)-(f), layered notice design, and timing requirements. Activate for Art. 13, direct collection notice, privacy notice at collection, data collection information queries.
Implementation guide for ePrivacy Directive compliant double opt-in email consent. Covers confirmation email workflow design, token expiration handling, record-keeping requirements, suppression list management, and integration with CAN-SPAM Act and CASL requirements for multi-jurisdiction compliance.
GDPR-compliant Data Processing Agreement drafting per Article 28(3). Covers the contract's required content (subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, and the controller's rights and obligations) together with all 8 mandatory processor stipulations in Art. 28(3)(a)-(h), including the sub-processor authorisation and flow-down requirements of Art. 28(2) and 28(4).
Guides preparation for supervisory authority (DPA) inspections and investigations including document readiness checklists, interview preparation for key personnel, technical demonstration procedures, on-site logistics, response protocols, and post-inspection follow-up. Covers unannounced inspections, formal audits, and complaint-triggered investigations. Keywords: DPA inspection, supervisory authority, investigation, readiness, interview preparation, response protocol.
Conducts a Data Protection Impact Assessment for automated decision-making and profiling systems under GDPR Article 35(3)(a), covering algorithmic transparency, meaningful human oversight, contestation mechanisms, and Art. 22 safeguards. Activate for DPIA automated decision, profiling DPIA, algorithmic impact assessment, Art. 35(3)(a), ADM risk assessment queries.
Conducts Data Protection Impact Assessments for biometric identification and authentication systems under GDPR Article 35 and Article 9 special category rules. Covers facial recognition, fingerprint, iris scanning, voice recognition, and behavioural biometrics. Applies EDPB Guidelines 3/2019, CNIL Reglement Type Biometrie, and ISO/IEC 24745 biometric template protection. Keywords: DPIA biometric, facial recognition, fingerprint, Art. 35, Art. 9, biometric template, special category.
Structures risk mitigation planning and residual risk tracking for Data Protection Impact Assessments under GDPR Article 35(7)(d). Covers mitigation measure identification, implementation tracking, residual risk acceptance, and Art. 36 prior consultation triggers. Keywords: DPIA mitigation, risk treatment, residual risk, Art. 35(7)(d), safeguards, mitigation tracking, prior consultation.
Manages the organisational DPIA register tracking all Data Protection Impact Assessments across the enterprise. Covers DPIA lifecycle management, status tracking, review scheduling, Art. 35(11) periodic reassessment, and supervisory authority reporting. Implements a centralised register linking DPIAs to RoPA entries, risk registers, and mitigation plans. Keywords: DPIA register, DPIA tracking, Art. 35(11), review schedule, DPIA lifecycle, centralised register, DPIA portfolio management.
Provides a structured risk scoring methodology for Data Protection Impact Assessments aligned with ENISA threat taxonomy and ISO 29134. Covers likelihood and severity assessment, risk matrix construction, inherent vs residual risk calculation, and risk appetite thresholds per EDPB WP248rev.01 guidance. Keywords: risk scoring, DPIA risk matrix, likelihood, severity, ENISA, ISO 29134, residual risk, risk appetite.
Guides data subject and stakeholder consultation requirements during Data Protection Impact Assessments under GDPR Article 35(9). Covers consultation planning, data subject engagement methods, DPO involvement per Art. 35(2), and documentation of views received. Keywords: DPIA consultation, stakeholder engagement, Art. 35(9), data subject views, DPO advice, public consultation, representative groups.
Builds a multi-channel DSAR intake system supporting web form, email, phone, and in-person requests with identity verification tiers, automated routing logic, SLA tracking, and response generation. Activate for DSAR intake, rights request portal, multi-channel intake, SLA tracking, request management queries.
Guides AI agents through the complete GDPR Data Subject Access Request (DSAR) workflow under Article 15, including identity verification, one-month deadline calculation under Art. 12(3) (extendable by two further months for complex or numerous requests, with the data subject informed within the first month), response formatting, exemptions, and fee provisions. Activate when handling DSAR, access request, subject access, Art. 15, or SAR queries.
Assesses children's data protection in educational technology. Covers the COPPA school authorization exception (schools consenting on parents' behalf for educational purposes, per FTC COPPA guidance), FERPA intersection, parental rights, teacher consent authority, data deletion at year-end, and Student Privacy Pledge compliance. Keywords: edtech, COPPA school exception, FERPA, student privacy, teacher consent, educational data.
Governs biometric data processing for employee timekeeping and access control under Art. 9 GDPR special category rules. Covers fingerprint, facial recognition, iris scanning, and voice recognition. Applies necessity tests, evaluates less intrusive alternatives, and implements employee objection procedures. Keywords: biometric data, Art. 9, fingerprint, facial recognition, access control, timekeeping, special category.
Manages Data Subject Access Request procedures for employee requests under Art. 15 GDPR. Covers scope of disclosable HR records, emails, CCTV footage, performance reviews, monitoring data, and training records. Implements third-party data redaction, legal professional privilege, exemptions for ongoing proceedings, and the one-month response timeline. Keywords: DSAR, subject access request, Art. 15, employee records, redaction, privilege, HR data, SAR.
Governs employee health data processing for fitness-for-work assessments, occupational health surveillance, COVID testing legacy programmes, and absence management. Applies Art. 9(2)(b) employment obligations and Art. 9(2)(h) health professional exceptions. Covers data minimisation, occupational health provider relationships, and return-to-work procedures. Keywords: health data, Art. 9, occupational health, fitness-for-work, special category, employment, sickness absence.
Conducts Data Protection Impact Assessments for employee monitoring systems per WP29 Opinion 2/2017 on data processing at work, with EDPB Guidelines 3/2019 on video devices applied to the CCTV component. Covers video surveillance, email monitoring, GPS tracking, keystroke logging, and productivity tools. Applies proportionality testing under Art. 35 GDPR. Keywords: DPIA, employee monitoring, surveillance, proportionality, EDPB, workplace privacy, keystroke logging, GPS tracking.
Guides DPIA for workplace monitoring including email surveillance, internet usage monitoring, CCTV, GPS tracking, and keystroke logging. Covers GDPR Art. 88 employment context provisions, WP29 Opinion 2/2017 on data processing at work, and proportionality balancing for employee monitoring. Keywords: employee surveillance, workplace monitoring, DPIA, Art. 88, WP29 Opinion 2/2017, CCTV, email monitoring, GPS tracking.
Analyses the limitations on consent as a lawful basis for processing employee data under Art. 88 GDPR and WP29 Opinion 2/2017. Addresses power imbalance in employment relationships, identifies alternative lawful bases, and maps national derogations. Keywords: consent, employment, power imbalance, Art. 88, WP29, lawful basis, employee data, labour law.
Applying the ePrivacy Directive Article 5(3) strictly necessary exemption to classify cookies that do not require consent. Covers exemption criteria, functionality cookies, load balancing, session state, and non-exempt categories with regulatory guidance from EDPB and national DPAs.
Guides EU Code of Conduct adherence under GDPR Articles 40-41 including EDPB approval requirements, monitoring body accreditation, code drafting, adherence declaration, compliance verification, and complaint handling. Covers sector-specific codes, transnational codes, and Art. 40(5) submission to and approval by the competent supervisory authority. Keywords: code of conduct, Article 40, Article 41, EDPB, monitoring body, adherence.
Guides assessment and use of the EU-US Data Privacy Framework adequacy decision for transatlantic data transfers. Covers DPF self-certification with the Department of Commerce, DPF principles compliance, the Data Protection Review Court redress mechanism, and the periodic EC reviews of the decision. Keywords: DPF, EU-US, adequacy, Privacy Shield, transatlantic transfers.
Implements financial records retention requirements across EU directives (5-7 years), SOX Section 802 (7 years), MiFID II (5-7 years), tax records, payment data, and AML obligations under AMLD. Maps financial data categories to statutory retention periods with cross-jurisdictional reconciliation. Activate for financial retention, SOX records, MiFID retention, AML retention, tax record keeping queries.
Guides implementation of the GDPR accountability principle under Articles 5(2) and 24, including documentation requirements for policies, DPIAs, RoPA, training records, and breach logs. Activate when establishing or reviewing accountability measures, preparing evidence portfolios, or demonstrating compliance to supervisory authorities. Keywords: accountability, Article 5(2), Article 24, documentation, compliance evidence, governance.
Guides GDPR certification mechanism implementation per Articles 42-43 including accredited certification body selection, certification criteria per EDPB guidelines, certification scope, periodic audit requirements, seal and mark usage rules, and relationship to codes of conduct. Covers EDPB/ENISA certification framework and national accreditation. Keywords: GDPR certification, Article 42, Article 43, certification body, EDPB, seal, mark, accreditation.
Guides implementation of GDPR Article 42-43 data protection certification mechanisms including accredited certification bodies, criteria development, and periodic review. Activate when pursuing privacy certifications, evaluating certification bodies, or developing certification criteria. Keywords: certification, Article 42, Article 43, accreditation, seal, privacy mark.
Guides development of GDPR Article 40-41 codes of conduct for industry sectors including drafting, submission, and monitoring body requirements. Activate when creating industry codes or establishing monitoring bodies. Keywords: codes of conduct, Article 40, Article 41, monitoring body, industry code.
Guides a comprehensive organisational data protection audit against key GDPR requirements including Articles 5, 24, 25, 28, 30, 32, 35, and 37. Includes 50+ control points covering principles, accountability, security, and governance. Activate when performing compliance audits, preparing for supervisory authority inspections, or assessing organisational GDPR maturity. Keywords: data protection audit, compliance audit, GDPR audit, control points, accountability.
Guides systematic review of processing documentation for completeness against GDPR Articles 5, 13-14, 24, 28, and 30. Activate when auditing documentation or preparing for inspections. Keywords: documentation review, processing records, completeness, privacy notices, RoPA.
Guides the creation and review of data processing agreements under GDPR Article 28(3), covering all eight mandatory clauses. References the 2021 Standard Contractual Clauses and provides a compliance checklist for processor contracts. Activate when onboarding processors, reviewing DPAs, or auditing processor compliance. Keywords: DPA, data processing agreement, Article 28, processor, mandatory clauses, standard contractual clauses.
Guides cooperation with GDPR supervisory authorities under Article 31, including procedures for responding to investigations, information requests, and on-site inspections. Covers controller and processor obligations during supervisory authority interactions. Keywords: supervisory authority, Article 31, cooperation, DPA investigation, information request, inspection.
Guides appointment of GDPR Article 27 EU representative for non-EU controllers or processors. Covers criteria, responsibilities, and documentation. Activate when a non-EU entity processes EU data. Keywords: EU representative, Article 27, non-EU controller, territorial scope.
Guides systematic assessment of current state versus GDPR requirements across all chapters with prioritised remediation matrix. Activate when starting compliance programmes or conducting periodic reassessment. Keywords: gap analysis, compliance assessment, remediation matrix, GDPR readiness.
Guides the GDPR Article 56 one-stop-shop mechanism for determining lead supervisory authority in cross-border processing. Covers main establishment identification and cooperation. Activate when processing across EU borders. Keywords: one-stop-shop, Article 56, lead authority, cross-border.
Implements GDPR Article 8 parental consent verification for information society services offered to children. Covers age thresholds by EU/EEA Member State (13-16 years), EDPB Guidelines 5/2020 on consent, parental verification mechanisms, and consent record-keeping. Keywords: parental consent, Article 8, children, age threshold, EDPB, verification.
Guides creation of organisational privacy policy hierarchy aligned to GDPR chapters including top-level policy, supporting procedures, operational guidelines, and training materials. Activate when building or updating policy frameworks. Keywords: policy framework, privacy policy, procedures, guidelines, policy hierarchy.
Guides the GDPR Article 36 prior consultation process with supervisory authorities when a DPIA indicates high residual risk. Covers timeline requirements, documentation, and outcome handling. Activate when DPIA residual risk remains high or when preparing regulatory submissions. Keywords: prior consultation, Article 36, DPIA, high risk, supervisory authority.
Guides conversion of gap analysis findings into phased implementation plans with milestones and risk-based prioritisation. Activate when building compliance programmes or allocating privacy budgets. Keywords: remediation roadmap, implementation plan, phased approach, prioritisation.
Guides the audit of Records of Processing Activities (RoPA) against GDPR Article 30 requirements for both controllers and processors. Activate when verifying RoPA completeness, validating mandatory fields, or preparing for supervisory authority inspections. Keywords: RoPA, Article 30, records audit, processing activities, controller records, processor records.
Guides comprehensive controller self-assessment covering GDPR Articles 5-49 with scoring methodology and reporting format. Activate when conducting internal reviews or benchmarking maturity. Keywords: self-assessment, controller assessment, compliance questionnaire, scoring.
Guide for implementing GDPR-valid consent under Article 7 conditions and Article 4(11) definition. Covers five core requirements: freely given, specific, informed, unambiguous, and clear affirmative action. Includes pre-ticked boxes prohibition per Planet49 CJEU C-673/17, consent form audit checklist, and practical implementation patterns.
Implementation guide for Global Privacy Control (GPC) automated opt-out signal per CPRA Section 1798.135(e). Covers Sec-GPC HTTP header detection, JavaScript navigator.globalPrivacyControl API, and state-specific requirements for CA, CO, CT, MT, TX, and OR. Includes server-side detection code and compliance mapping.
Configuring Google Consent Mode v2 for privacy-compliant measurement and advertising. Covers default and update commands, consent state mapping to GA4 and Google Ads, conversion modeling with cookieless pings, and EEA requirements effective March 2024.
Integrating Global Privacy Control (GPC) signals with cookie consent platforms. Covers GPC signal detection in browsers, automatic opt-out triggering, mapping GPC to US state privacy laws, and CMP integration for CCPA, CPA, and CTDPA compliance.
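As an added example (not the plugin's own detection code) for the server-side GPC handling described in the three GPC entries on this page: detect the `Sec-GPC: 1` request header, resolve it against the consumer's stored business-specific choice (an explicit opt-out always stands; a signal overrides a stored opt-in but the business may notify the consumer of the conflict, per the CCPA regulations at 11 CCR § 7025(c)), and persist a signal-derived opt-out on a known consumer's profile so it follows them across devices. The state set is the one listed above and is not exhaustive; function names and the in-memory store are assumptions for this example.

```python
from typing import Mapping, Optional

# States named in the entries above whose laws require honoring an opt-out
# preference signal (CA, CO, CT, MT, TX, OR). Not an exhaustive list.
GPC_MANDATED_STATES = {"CA", "CO", "CT", "MT", "TX", "OR"}


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """The GPC spec defines the request header `Sec-GPC: 1`.

    Header names are case-insensitive; the value must be exactly "1"
    ("0", "true" or an absent header all mean no signal).
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_sale_share(headers: Mapping[str, str], stored_choice: Optional[str],
                       state: Optional[str], honor_outside_mandate: bool = True) -> dict:
    """Decide whether personal information may be sold/shared for this request.

    stored_choice is the consumer's recorded business-specific setting:
    None (no choice yet), "opted_out", or "opted_in" (explicit consent to sale/sharing).
    The returned record is what goes into the audit log.
    """
    gpc = gpc_signal_present(headers)
    mandated = state in GPC_MANDATED_STATES
    decision = {"sell_share_allowed": True, "source": "default", "gpc_received": gpc,
                "mandated": mandated, "notify_conflict": False}

    if stored_choice == "opted_out":
        # An explicit opt-out stands regardless of any browser signal.
        decision.update(sell_share_allowed=False, source="consumer_opt_out")
        return decision

    if gpc and (mandated or honor_outside_mandate):
        # Treat the signal as a valid opt-out request. Under 11 CCR § 7025(c) the signal
        # prevails over a conflicting stored opt-in, but the business may notify the
        # consumer of the conflict and offer them the chance to consent again.
        decision.update(sell_share_allowed=False, source="gpc_signal",
                        notify_conflict=(stored_choice == "opted_in"))
        return decision

    if stored_choice == "opted_in":
        decision.update(source="consumer_opt_in")
    return decision


def handle_request(store: dict, consumer_id: Optional[str],
                   headers: Mapping[str, str], state: Optional[str]) -> dict:
    """Apply the decision and persist a signal-derived opt-out to a known consumer's
    profile so it applies on their other devices too (11 CCR § 7025(c)(1)-(2)).

    `store` stands in for the consent database: consumer_id -> stored choice.
    """
    stored = store.get(consumer_id) if consumer_id else None
    decision = resolve_sale_share(headers, stored, state)
    if decision["source"] == "gpc_signal" and consumer_id:
        store[consumer_id] = "opted_out"
    return decision


if __name__ == "__main__":
    consent_db: dict = {}
    print(handle_request(consent_db, "user-1", {"Sec-GPC": "1"}, "CA"))   # signal honored, persisted
    print(handle_request(consent_db, "user-1", {}, "CA"))                 # second device, no signal
```

Two things the decision record makes auditable: whether the signal was received at all (so "we never saw it" can be checked against the log), and whether the opt-out came from the browser or from the consumer's own choice, which matters when the consumer later asks to opt back in.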
Manages RoPA for complex multi-entity corporate groups including entity-level versus group-level records, intra-group transfer documentation, and shared processing coordination. Activate for group RoPA, multi-entity, corporate group, intra-group transfers, subsidiary records, holding company.
Guides DPIA for health and medical data processing covering Art. 9(2)(h)-(j) exemptions, HIPAA crosswalk for transatlantic operations, clinical trial data protection under EU CTR 536/2014, and genetic data specifics under Art. 9(1). Activate for healthcare systems, clinical research, health apps, or medical device data. Keywords: health data, DPIA, Art. 9, clinical trial, genetic data, HIPAA, medical records, special category.
Addresses healthcare AI privacy at the intersection of HIPAA and the EU AI Act for clinical decision support systems. Covers training data PHI handling, model transparency and explainability, patient rights in algorithmic decisions, FDA/OCR regulatory coordination, and bias monitoring. Keywords: healthcare AI, HIPAA, AI Act, clinical decision support, PHI training data, model transparency.
Manages HIPAA Business Associate Agreements under 45 CFR §164.502(e) and §164.504(e). Covers required BAA provisions, business associate vs subcontractor obligations, breach notification chain, downstream BA requirements, and termination remedies. Keywords: BAA, business associate, subcontractor, HIPAA compliance, PHI disclosure, termination.
Executes breach notification under the HIPAA Breach Notification Rule (45 CFR 164.400-414). Covers individual notification without unreasonable delay and no later than 60 days after discovery, HHS/OCR reporting for breaches affecting 500+ individuals (contemporaneously with individual notice) and under 500 (annual log submitted within 60 days after the end of the calendar year), state attorney general notification under state breach laws, media notification for breaches affecting more than 500 residents of a single State or jurisdiction, and the four-factor risk assessment under 164.402. Keywords: HIPAA, breach notification, PHI, HHS, OCR, covered entity, business associate.
Implements HIPAA breach notification requirements under 45 CFR §164.400-414. Covers individual notification within 60 days of discovery, HHS reporting thresholds (500+ contemporaneously with individual notice, under 500 via the annual log), state attorney general notification under state breach laws, media notification for more than 500 residents of a State or jurisdiction, and breach risk assessment. Keywords: HIPAA breach notification, HHS reporting, OCR breach portal, individual notice, state attorney general.
Implements HIPAA de-identification methods under 45 CFR §164.514(a)-(b). Covers expert determination method and safe harbor method with 18 identifiers removal, re-identification risk assessment, limited dataset requirements, and data use agreements. Keywords: HIPAA de-identification, safe harbor, expert determination, 18 identifiers, limited dataset, PHI.
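As an added example (not the plugin's own implementation) of the safe harbor method described above: the rules that are mechanical are applied in code, namely dropping the direct identifiers, truncating ZIP codes to three digits (or "000" for low-population areas), reducing dates to the year, aggregating ages over 89 into "90+" and withholding the birth year in that case, and scrubbing SSN, phone and e-mail patterns from free text. The record layout, the key names and the restricted ZIP prefix set are constructed for this example; the HHS guidance lists 17 restricted three-digit prefixes and the real list must be loaded in practice. Names in free text need NER rather than regex and remain a residual risk the expert determination method would quantify.

```python
import re
from datetime import date
from typing import Optional

# 45 CFR 164.514(b)(2)(i)(B): keep only the first three ZIP digits, and change them to
# "000" when the three-digit area holds 20,000 or fewer people. The HHS guidance lists
# 17 such prefixes (2000 Census); this set is a CONSTRUCTED sample, not the official list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Direct identifiers removed outright (names, MRNs, device IDs, IPs, ...). The key
# names are assumptions about this example's record layout.
DIRECT_IDENTIFIER_KEYS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "address", "ip", "device_id",
    "url", "license", "vin", "beneficiary_no", "account_no", "cert_no", "biometric", "photo",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def safe_harbor_zip(zip_code: Optional[str]) -> Optional[str]:
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None                      # not a usable ZIP: drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(age: int) -> str:
    # 164.514(b)(2)(i)(C): ages over 89 aggregate into a single "90 or older" category.
    return "90+" if age >= 90 else str(age)


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def safe_harbor_date(d: date) -> str:
    return str(d.year)                   # every date element except the year is removed


def scrub_free_text(text: str) -> str:
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def deidentify(record: dict, today_iso: str) -> dict:
    """Apply the safe harbor rules to one record. Dates are ISO-8601 strings."""
    today = date.fromisoformat(today_iso)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_KEYS}

    if "zip" in out:
        zip3 = safe_harbor_zip(out.pop("zip"))
        if zip3:
            out["zip"] = zip3

    dob_iso = out.pop("dob", None)
    if dob_iso:
        dob = date.fromisoformat(dob_iso)
        age = age_on(dob, today)
        out["age"] = safe_harbor_age(age)
        if age < 90:
            out["birth_year"] = safe_harbor_date(dob)   # a birth year for 90+ would reveal the age

    for key in list(out):
        if key.endswith("_date") and isinstance(out[key], str):
            out[key] = safe_harbor_date(date.fromisoformat(out[key]))

    if isinstance(out.get("notes"), str):
        out["notes"] = scrub_free_text(out["notes"])
    return out


# Constructed sample record.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001", "zip": "10234",
    "dob": "1930-05-04", "admit_date": "2024-12-20", "diagnosis": "I10",
    "notes": "Pt reachable at 555-123-4567, jane@example.test; spouse SSN 987-65-4321",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "2025-01-01"))
```

Safe harbor is a checklist, not a risk model: a record that passes every rule above can still be re-identifiable when joined with public data, which is why the expert determination path exists for richer datasets.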
Implements HIPAA workforce training requirements under 45 CFR §164.530(b) (Privacy Rule) and 45 CFR §164.308(a)(5) (Security Rule). Covers initial onboarding training, periodic refresher cadence, role-based content differentiation, documentation of training completion, and sanction policy integration. Keywords: HIPAA training, workforce training, security awareness, privacy training, §164.530(b), §164.308(a)(5).
Addresses HIPAA privacy and security requirements for health data interoperability under the 21st Century Cures Act, ONC Health IT Certification Program, and CMS Interoperability and Patient Access Final Rule. Covers information blocking prohibitions, FHIR API patient access, TEFCA exchange purposes, and privacy safeguards for health information exchange. Keywords: interoperability, information blocking, FHIR, TEFCA, Cures Act, patient access API, health information exchange.
Implements HIPAA minimum necessary standard under 45 CFR §164.502(b). Covers role-based access policies per workforce member category, routine vs non-routine disclosure protocols, reasonable reliance doctrine, documentation requirements, and HITECH amendments. Keywords: minimum necessary, role-based access, workforce, routine disclosure, HIPAA.
Addresses HIPAA compliance for mobile health (mHealth) applications, wearable devices, and remote patient monitoring. Covers OCR guidance on mobile device PHI, FDA-regulated mobile medical applications, FTC Health Breach Notification Rule for non-HIPAA apps, BYOD policies, and encryption requirements for ePHI on mobile platforms. Keywords: mHealth, mobile health, HIPAA mobile, wearable, remote monitoring, BYOD, mobile device management, app privacy.
Conducts comprehensive inventory of protected health information across the enterprise per HIPAA Security Rule requirements at 45 CFR §164.308(a)(1)(ii)(A) and §164.310(d). Covers identification of all ePHI repositories, data flow mapping, classification of PHI by sensitivity, and integration with risk analysis. Keywords: PHI inventory, ePHI, data mapping, information asset, data flow, HIPAA risk analysis, designated record set.
Implements HIPAA Privacy Rule requirements under 45 CFR §164.500-534 for covered entities and business associates. Covers minimum necessary standard, treatment-payment-operations exceptions, directory opt-out, personal representative rules, and authorization requirements. Keywords: HIPAA Privacy Rule, PHI, minimum necessary, TPO, authorization, covered entity.
Implements HIPAA Privacy Rule requirements for research uses of protected health information under 45 CFR §164.512(i). Covers IRB and Privacy Board waivers of authorization, individual authorization for research, limited data set and data use agreements, preparatory to research provisions, and decedent research provisions. Keywords: HIPAA research, IRB waiver, Privacy Board, authorization, limited data set, preparatory research, de-identification, Common Rule.
Conducts HIPAA risk analysis per 45 CFR §164.308(a)(1) following OCR guidance methodology. Covers threat identification, vulnerability assessment, likelihood and impact determination, risk scoring, and mitigation planning for electronic protected health information. Keywords: HIPAA risk analysis, OCR guidance, threat assessment, vulnerability, risk management, ePHI.
Implements HIPAA Security Rule technical safeguards under 45 CFR §164.312 for electronic protected health information. Covers access controls with unique user identification, emergency access procedures, automatic logoff, encryption, audit controls, integrity controls, and transmission security. Keywords: HIPAA Security Rule, ePHI, access controls, encryption, audit controls, technical safeguards.
Implements HITECH Act privacy and security requirements including breach notification expansion, four-tier penalty structure, state attorney general enforcement authority, EHR meaningful use privacy conditions, and business associate direct liability. Keywords: HITECH Act, breach notification, penalty tiers, state AG enforcement, meaningful use, EHR privacy.
Configures privacy settings for enterprise HR systems including SAP SuccessFactors, Workday, and BambooHR. Covers role-based access controls, automated data retention enforcement, cross-border transfer configurations, audit logging, data subject rights facilitation, and field-level security. Keywords: HR system, SAP SuccessFactors, Workday, BambooHR, RBAC, retention automation, cross-border transfer, privacy configuration.
Architecture patterns for GDPR Article 5(1)(c) data minimization and Article 25(1) data protection by design. Covers field-level encryption, data masking, aggregation, pseudonymization per Article 4(5), and anonymization per Recital 26. Includes ENISA pseudonymization techniques and a data minimization assessment matrix.
Technical implementation of GDPR Article 25(2) data protection by default. Covers strictest privacy settings as default configuration, minimum data collection, limited storage duration, restricted accessibility, and opt-in rather than opt-out patterns. Includes implementation checklist and system design requirements.
Guide to implementing homomorphic encryption for privacy-preserving computation under GDPR. Covers scheme selection (BFV, BGV, CKKS, TFHE), Microsoft SEAL, IBM HElib, and Google FHE transpiler. Includes performance benchmarks, parameter tuning, and basic HE example code for encrypted arithmetic operations.
Implementation guide for secure multi-party computation enabling privacy-preserving analytics across organizations. Covers secret sharing, garbled circuits, reference frameworks MP-SPDZ and CrypTen, practical deployment patterns, and GDPR alignment for joint controller analytics without revealing individual party inputs.
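As an added example (not code from the plugin, MP-SPDZ or CrypTen) of the secret-sharing approach described above: additive secret sharing over a prime field lets several organisations compute a sum, or any public-weighted linear combination, of their private counts while each party sees only uniformly random shares of the others' inputs. The simulation runs all parties in one process; the prime, the function names and the sample counts are constructed for this example, and the semi-honest model is assumed (parties follow the protocol, malicious behaviour would need MACs or a framework such as MP-SPDZ).

```python
import secrets
from typing import List, Sequence

# Field modulus. Inputs and results must stay in [0, PRIME); 2**61 - 1 is a Mersenne prime.
PRIME = 2**61 - 1


def share(value: int, n_parties: int) -> List[int]:
    """Split value into n additive shares over Z_p; any n-1 of them are uniformly random."""
    if not 0 <= value < PRIME:
        raise ValueError("value must be a non-negative integer below PRIME")
    if n_parties < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)   # last share fixes the total
    return shares


def reconstruct(shares: Sequence[int]) -> int:
    return sum(shares) % PRIME


def joint_linear(private_inputs: Sequence[int], public_weights: Sequence[int]) -> int:
    """Simulate n parties computing sum(w_i * x_i) where x_i is private to party i
    and the weights w_i are public.

    Round 1: party i splits x_i into n shares and sends one share to each party.
    Local:   each party scales the shares it holds by the public weights and adds them;
             this reveals nothing, since the shares it holds are uniformly random.
    Round 2: each party publishes its partial sum; the partial sums reconstruct the result.
    """
    n = len(private_inputs)
    if len(public_weights) != n:
        raise ValueError("one weight per party")
    for w in public_weights:
        if not 0 <= w < PRIME:
            raise ValueError("weights must be non-negative integers below PRIME")

    # received[j] holds the shares party j has been sent, one per input (including its own).
    received: List[List[int]] = [[] for _ in range(n)]
    for value, weight in zip(private_inputs, public_weights):
        for j, s in enumerate(share(value, n)):
            received[j].append((s * weight) % PRIME)   # scaling by a public constant is local

    partial_sums = [reconstruct(held) for held in received]   # the only values ever published
    return reconstruct(partial_sums)


def joint_sum(private_inputs: Sequence[int]) -> int:
    return joint_linear(private_inputs, [1] * len(private_inputs))


# Constructed inputs: three organisations' private counts of, say, patients in a cohort.
SAMPLE_COUNTS = [120, 340, 55]

if __name__ == "__main__":
    print("joint total:", joint_sum(SAMPLE_COUNTS))
    print("weighted:", joint_linear(SAMPLE_COUNTS, [1, 2, 3]))
    print("one party's view of another's input:", share(120, 3)[:2])   # two random field elements
```

The output (the total) is itself a statistic over personal data, so under GDPR it still needs a lawful basis and, for small cohorts, the same small-count or differential-privacy treatment as any other released aggregate: MPC hides the inputs, not what the output implies about them.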
Guides compliance with India's Digital Personal Data Protection Act 2023. Covers consent manager registration, data fiduciary obligations under Sections 4-7, significant data fiduciary requirements under Section 10, data principal rights, and Board enforcement framework. Keywords: DPDP Act, India data protection, consent manager, data fiduciary, significant data fiduciary, data principal rights.
Provides GDPR Article 14 information for personal data obtained from sources other than the data subject, covering timing requirements (within reasonable period, max one month), source disclosure, all required elements, and exemptions under Art. 14(5). Activate for Art. 14, indirect collection, third-party data source, indirect data notice queries.
Guides internal privacy audit program design and execution including risk-based audit planning, scope definition, fieldwork procedures, finding classification, evidence gathering, remediation tracking, and management reporting. Covers audit universe definition, annual audit plan, working papers, and closure verification. Keywords: internal audit, privacy audit, fieldwork, remediation, findings, audit plan.
Iowa Consumer Data Protection Act (ICDPA) compliance. Effective January 1, 2025. Covers consumer rights (access, delete, opt-out), controller thresholds at 100,000 consumers, sensitive data opt-in consent, 90-day cure period, and AG-only enforcement. Iowa Code Chapter 715D.
Guides ISO 27701 Privacy Information Management System implementation extending ISO 27001/27002. Covers Clause 5 PIMS-specific requirements, Clause 6 PIMS guidance for ISO 27002, Clause 7 PII controller guidance (Annex A), Clause 8 PII processor guidance (Annex B), gap assessment, and certification path. Keywords: ISO 27701, PIMS, privacy management system, ISO 27001 extension, certification, Annex A, Annex B.
Guides compliance with Japan's Act on the Protection of Personal Information (APPI, 2022 amendments). Covers individual rights expansion, cross-border transfer restrictions including pre-transfer information requirements, PPC enforcement, and pseudonymised and anonymously processed information. Keywords: APPI, Japan data protection, PPC, cross-border transfer, pseudonymised information, individual rights.
Guides the establishment and management of joint controller arrangements under GDPR Article 26, including determination of joint controllership, allocation of responsibilities, and transparency obligations. Activate when two or more controllers jointly determine purposes and means of processing, or when evaluating shared data platforms. Keywords: joint controller, Article 26, shared responsibility, arrangement, joint determination.
Kentucky Consumer Privacy Protection Act (KPPA) compliance. Effective January 1, 2026. Covers consumer rights, controller thresholds at 100,000 consumers, sensitive data processing consent, cure period provisions, and AG enforcement framework.
Guides compliance with South Korea's Personal Information Protection Act (PIPA, 개인정보 보호법). Covers pseudonymisation framework, notification requirements, PIPC enforcement, consent standards, and cross-border transfer rules under the 2023 amendments. Keywords: PIPA, Korea data protection, PIPC, pseudonymisation, consent, cross-border transfers.
Guides determination of the correct lawful basis under GDPR Article 6(1)(a)-(f) for each processing activity. Includes decision tree logic for consent vs legitimate interest vs contract necessity. Activate when evaluating legal grounds for processing or reviewing lawful basis selections. Keywords: lawful basis, Article 6, consent, legitimate interest, legal obligation, contract.
Decision framework for choosing between consent and legitimate interest as the lawful basis for processing. Covers power imbalance indicators, conditionality prohibition under Article 7(4), granularity requirements, the three-part LIA test (purpose, necessity, balancing), and practical decision trees for common scenarios.
Guides the three-part Legitimate Interest Assessment (LIA) required under GDPR Article 6(1)(f): purpose test, necessity test, and balancing test. Activate when evaluating legitimate interest as a lawful basis, conducting LIA reviews, or documenting proportionality analysis. Keywords: LIA, legitimate interest, balancing test, necessity test, purpose test, Article 6(1)(f).
Conduct LINDDUN privacy threat modeling across all seven categories: Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance. Includes DFD-based analysis, threat trees, privacy-specific mitigation strategies, and integration with STRIDE security threat modeling.
Manages legal hold and data preservation processes including triggering events, custodian notification, hold-in-place technical implementation, release procedures, and interaction with retention schedules. Covers litigation hold registers, compliance monitoring, and Art. 17(3)(e) exception documentation. Activate for legal hold, litigation preservation, data freeze, e-discovery hold queries.
Assessing privacy risks in large language model outputs including training data memorisation, PII leakage in generated text, prompt injection leading to data extraction, and hallucinated personal data. Covers output filtering, guardrails, and monitoring. Keywords: LLM privacy, output risk, memorisation, PII leakage, prompt injection, hallucinated PII.
Guide for managing consent for children's personal data under GDPR Article 8 and COPPA. Covers parental consent mechanisms, age verification methods, country-specific age thresholds (ranging from 13 to 16), parental authorization workflows, and age-appropriate design per the UK ICO Children's Code.
Guide for managing consent for scientific research under GDPR Article 89 and Recital 33 broad consent provisions. Covers ethical review board coordination, purpose evolution management, appropriate safeguards including pseudonymization, and the interplay between consent and other lawful bases for research processing.
Guide for mobile-specific consent management covering Apple ATT framework for iOS, Android permission model, in-app consent flows, SDK consent propagation to third-party libraries, and IDFA/GAID handling. Addresses platform-specific requirements alongside GDPR and ePrivacy compliance for mobile applications.
Guides DPIA for marketing profiling, behavioural targeting, cross-device tracking, and advertising analytics. Covers ePrivacy Directive Art. 5(3) cookie consent, PECR regulations, legitimate interest balancing for direct marketing, and adtech processing chain assessment. Keywords: marketing analytics, DPIA, profiling, behavioural targeting, cross-device tracking, ePrivacy, PECR, adtech, legitimate interest.
Manages the absolute right to object to direct marketing under GDPR Article 21(2)-(3), covering immediate cessation of all direct marketing processing, suppression list management, cross-channel enforcement, and profiling for marketing purposes. Activate for marketing opt-out, unsubscribe, Art. 21(2), direct marketing objection queries.
Montana Consumer Data Privacy Act (MTDPA) compliance. Lowest consumer threshold at 50,000 consumers. Covers sensitive data consent, universal opt-out recognition, consumer rights, controller obligations, 60-day cure period, and AG enforcement. Effective October 1, 2024.
Guides building a multi-jurisdiction privacy compliance matrix for organisations operating across multiple countries. Covers common requirements identification, jurisdiction-specific deltas, gap analysis, and harmonised control frameworks. Keywords: multi-jurisdiction, compliance matrix, harmonised controls, gap analysis, jurisdiction mapping.
Multi-state harmonized privacy compliance program. Common requirements matrix across all US state privacy laws, state-specific deltas, unified privacy program architecture, and implementation strategy for operating across California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and Kentucky.
New Jersey Data Privacy Act (NJDPA) compliance, effective January 15, 2025. Covers consumer rights (access, correction, deletion, portability, opt-out), controller obligations, sensitive data requirements, universal opt-out mechanism recognition, 30-day cure period (sunsets after 18 months), and AG enforcement. Keywords: NJDPA, New Jersey, data privacy, consumer rights, sensitive data, universal opt-out, AG enforcement.
Guides privacy impact assessment for emerging technologies including IoT, blockchain, AR/VR, quantum computing, and digital twins. Covers risk identification methodology, proportionality assessment, and technology-specific privacy challenges. Activate when evaluating new technology adoption, innovation projects, or emerging tech procurement. Keywords: PIA, emerging technology, IoT, blockchain, AR/VR, quantum computing, digital twins, innovation privacy.
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA) 2023 compliance. Covers lawful basis for processing, data subject rights, cross-border transfer mechanisms, Data Protection Compliance Organisation (DPCO) registration, mandatory DPIA filing, and breach notification. Keywords: NDPR, NDPA, Nigeria, NITDA, DPCO, Africa data protection, cross-border transfer.
Implement the NIST Privacy Framework COMMUNICATE function covering CM.AW awareness raising and CM.PO communication policies. Provides transparency mechanisms, stakeholder engagement frameworks, privacy notice templates, and communication workflow guidance.
Implement the NIST Privacy Framework CONTROL function covering CT.DM data management, CT.DP data processing policies and procedures, and CT.PO disassociated processing. Provides technical control architectures, data management workflows, and de-identification implementation guidance.
Implement the NIST Privacy Framework GOVERN function covering GV.AT awareness and training, GV.MT monitoring and review, GV.PO policy development, and GV.RR roles and responsibilities. Provides governance structure templates, training programs, and accountability frameworks for privacy governance.
Implement the NIST Privacy Framework IDENTIFY function including ID.BE business environment, ID.DA data actions, ID.IM improvement, and ID.RA risk assessment subcategories. Provides control mapping, gap analysis templates, and implementation workflows for privacy risk identification.
Implement the NIST Privacy Framework PROTECT function covering PR.AC access control, PR.DS data security, and PR.PO protective policies. Provides technical control implementation guidance, encryption standards, access management architectures, and security-privacy integration patterns.
Guides implementation of the NIST Privacy Framework IDENTIFY function covering ID.BE business environment, ID.DA data actions, ID.IM improvement, and ID.RA risk assessment subcategories. Maps NIST PF controls to GDPR requirements for dual-framework compliance. Keywords: NIST Privacy Framework, IDENTIFY function, ID.BE, ID.DA, ID.IM, ID.RA, privacy risk assessment, data actions.
Oregon Consumer Privacy Act (OCPA) compliance. Unique provisions for de-identified data requirements, employee data partial exemption, nonprofit applicability, 14-day cure period, and consumer rights. Effective July 1, 2024. AG enforcement only.
Classifies personal vs non-personal data per GDPR Art. 4(1) definition test with decision tree for borderline cases. References Breyer v Germany CJEU C-582/14 dynamic IP ruling and WP29 Opinion 4/2007. Keywords: personal data, GDPR Art 4, data classification, Breyer ruling, identifiability test, PII.
Conducts Privacy Impact Assessment for health data processing under GDPR Article 9, HIPAA, and sector-specific health privacy regulations. Covers special category data safeguards, clinical research data, patient portals, health wearables, genetic data, and cross-border health data transfers. Keywords: health data PIA, DPIA, Article 9, HIPAA, special category data, clinical research, patient privacy, genetic data.
Conducts Privacy Impact Assessment for large-scale systematic monitoring under GDPR Article 35(3)(c). Covers CCTV and video surveillance, employee monitoring, location tracking, internet monitoring, and behavioural analytics. Applies EDPB WP248rev.01 criteria for systematic monitoring of publicly accessible areas. Keywords: DPIA, large-scale monitoring, CCTV, employee monitoring, systematic monitoring, surveillance, location tracking.
Guides the periodic DPIA review lifecycle including trigger identification for regulatory changes, new data categories, technology changes, and breach incidents. Covers version control, stakeholder sign-off procedures, and DPIA register management per Art. 35(11). Keywords: DPIA review, PIA update, review cadence, version control, Art. 35(11), periodic review, trigger events, stakeholder sign-off.
Conducts pre-DPIA threshold screening to determine whether a full Data Protection Impact Assessment is required under GDPR Article 35. Applies the EDPB WP248rev.01 nine-criteria test, national supervisory authority blacklists, and organisational risk appetite to produce a documented screening decision. Keywords: threshold screening, DPIA trigger, pre-DPIA, WP248, Article 35(1), blacklist, screening decision.
Conducts Privacy Impact Assessment for vendor and third-party data processing arrangements. Covers processor due diligence, Data Processing Agreement (DPA) requirements under GDPR Article 28, sub-processor management, cross-border vendor transfers, cloud service provider assessments, and ongoing vendor monitoring. Keywords: vendor PIA, processor assessment, DPA, Article 28, sub-processor, cloud privacy, third-party risk.
Build automated PII detection and redaction pipelines using spaCy NER, Microsoft Presidio, and AWS Macie integration. Includes confidence scoring, custom entity type definitions, batch processing workflows, and multi-format document scanning for structured and unstructured data sources.
Detects PII in unstructured data including emails, documents, images, and logs using NER-based detection with spaCy and Microsoft Presidio, regex patterns, OCR integration, and confidence scoring. Keywords: PII detection, unstructured data, NER, spaCy, Presidio, OCR, regex, email scanning, document scanning.
Preparation guide for ISO 31700 privacy by design for consumer goods certification. Covers the 30 requirements across design, production, and disposal phases. Includes gap assessment methodology, remediation planning, and mapping to GDPR Article 25 data protection by design obligations for consumer-facing products and services.
Guides the Art. 36 prior consultation process when a DPIA indicates high residual risk that cannot be mitigated. Covers required documentation per Art. 36(3), the 8-week DPA response timeline, outcome management, and interaction protocols with supervisory authorities. Keywords: prior consultation, Art. 36, supervisory authority, DPA, high residual risk, DPIA escalation, consultation documentation.
Design privacy API patterns including data subject API for DSAR endpoints, consent API for preference management, deletion API with cascading delete orchestration, and audit API for compliance reporting. Provides OpenAPI specifications, error handling, rate limiting, and authentication patterns.
Build privacy-preserving data sharing platforms using synthetic data generation with the SDV library, data clean rooms, secure enclaves, and utility measurement. Covers end-to-end architecture for sharing analytical datasets while preserving individual privacy guarantees.
Guides conducting privacy law gap analysis for market entry into new jurisdictions. Covers target jurisdiction assessment, existing compliance mapping, remediation effort estimation, and implementation timeline planning. Keywords: gap analysis, market entry, jurisdiction assessment, remediation planning, compliance mapping.
Guides privacy law change monitoring and impact assessment for multi-jurisdiction organisations. Covers regulatory tracking sources, change classification, impact scoring methodology, and implementation prioritisation. Keywords: law monitoring, regulatory tracking, change management, impact assessment, implementation priority.
Guides privacy program maturity assessment using the AICPA/CIPT Privacy Maturity Model with five levels: Ad Hoc, Repeating, Defined, Managed, and Optimized. Covers assessment methodology across ten privacy domains, scoring criteria, gap analysis, maturity roadmap generation, and benchmarking against industry peers. Keywords: privacy maturity, AICPA, maturity model, assessment, roadmap, benchmarking.
Build privacy KPI dashboards tracking DSAR volume and response time, breach count and severity, DPIA completion rate, training coverage, and consent rates. Includes metric definitions, data collection patterns, visualization designs, and executive reporting templates for privacy program measurement.
Guides privacy program effectiveness measurement including leading and lagging indicators, KPI definition, benchmarking methodology, executive reporting formats, board-level privacy dashboards, and metric-driven program improvement. Covers operational, compliance, risk, and strategic privacy metrics across the program lifecycle. Keywords: privacy metrics, KPIs, benchmarking, executive reporting, dashboard, program effectiveness.
Implement privacy-preserving record linkage across datasets using Bloom filter encoding, secure hash matching, threshold tuning for precision and recall, and false positive management. Enables entity resolution without exposing raw personally identifiable information between parties.
Guides the Privacy Threshold Analysis screening process to determine whether a full DPIA is required. Provides a quick-screen questionnaire, threshold criteria based on WP248rev.01, escalation triggers, and documentation requirements. Activate when evaluating new processing activities, system changes, or procurement decisions. Keywords: PTA, privacy threshold analysis, DPIA screening, quick-screen, threshold criteria, WP248, escalation triggers.
Creates GDPR Article 30(2) Records of Processing Activities for data processors with all four mandatory fields: processor and controller names and contact details, categories of processing, third country transfers, and security measures description. Activate for processor RoPA, Art. 30(2), processor records, sub-processor documentation.
Classifies data as pseudonymised or anonymised using Recital 26 reasonably likely test, Breyer ruling C-582/14, motivated intruder test, and WP29 Opinion 05/2014 on anonymisation techniques. Covers singling out, linkability, and inference tests. Keywords: pseudonymisation, anonymisation, Recital 26, re-identification, k-anonymity, differential privacy, WP29 Opinion 05/2014.
Assessment of pseudonymization techniques and re-identification risk. Covers tokenization, hashing, encryption-based pseudonymization, and hybrid approaches. Includes re-identification risk scoring using the motivated intruder test, quantitative metrics (marketer, journalist, prosecutor models), and linkage attack resilience evaluation. References ENISA 2019 pseudonymization report.
Design and implement Purpose-Based Access Control (PBAC) architecture including purpose ontology definition, policy engine configuration, audit logging of purpose verification at query time, and integration with existing IAM systems. Enforces GDPR Article 5(1)(b) purpose limitation technically.
Manages responses to regulatory complaints lodged with supervisory authorities under GDPR Article 77, covering internal escalation procedures, DPA response coordination, remediation tracking, and compliance documentation. Activate for regulatory complaint, supervisory authority complaint, Art. 77, DPA response, ICO complaint queries.
Establishes boundaries for monitoring remote and hybrid workers including screen capture, productivity tracking, camera and microphone activation, attendance verification, and activity logging. Applies proportionality principles, transparency requirements, and evaluates less intrusive alternatives per EDPB and national DPA guidance. Keywords: remote work, monitoring, screen capture, productivity tracking, webcam, home office, hybrid work, proportionality, surveillance.
Handles GDPR Article 18 right to restriction of processing requests, covering the four grounds for restriction (accuracy contest, unlawful processing, erasure opposition, legitimate interest pending), technical flagging mechanisms, and lifting procedures. Activate for restriction request, Art. 18, processing freeze queries.
Manages retention exception workflows including request-approval processes, duration limits, periodic review cycles, documentation requirements, and audit trail maintenance. Covers legitimate grounds for extending retention beyond scheduled periods and governance controls to prevent indefinite data hoarding. Activate for retention exception, retention extension, data hoarding prevention, retention override queries.
Conducts retention impact assessments for new processing activities to determine appropriate data retention periods. Covers regulatory requirements scanning, proportionality review, purpose-based retention determination, and retention period documentation aligned with GDPR Article 5(1)(e) and Article 25 data protection by design. Activate for retention assessment, new processing retention, retention period determination queries.
Designs and implements data retention schedules compliant with GDPR Article 5(1)(e) storage limitation principle. Maps data categories to retention periods with legal basis justification, regulatory minimum holding periods, and automated review triggers for schedule maintenance. Activate for retention policy, storage limitation, data lifecycle, retention period queries.
Implements the GDPR Article 17 right to erasure (right to be forgotten) workflow, covering all six grounds for erasure, five exceptions, technical deletion versus anonymization decisions, and third-party notification under Article 19. Activate for erasure request, deletion request, right to be forgotten, Art. 17 queries.
Handles GDPR Article 21 right to object to processing, including compelling legitimate grounds assessment, ceasing processing obligations, documentation requirements, and the relationship with erasure under Article 17(1)(c). Activate for right to object, Art. 21, objection to processing, legitimate interest queries.
Processes GDPR Article 16 right to rectification requests, covering verification of corrected data accuracy, notification to recipients under Article 19, timeline management, and completion of incomplete data. Activate for rectification, correction request, inaccurate data, Art. 16, data correction queries.
Assesses the GDPR Article 30(5) exemption for organisations under 250 employees. Covers the three exception conditions that negate the exemption: non-occasional processing, risk to data subject rights, and special category data processing. Activate for Art. 30(5), 250 employee exemption, small business RoPA, SME exemption, occasional processing.
Audits Records of Processing Activities against supervisory authority templates from CNIL, ICO, and BfDI. Provides completeness scoring, gap identification, and remediation tracking. Activate for RoPA audit, completeness check, supervisory authority readiness, CNIL template, ICO template, BfDI template, gap analysis.
Links RoPA entries to Data Protection Impact Assessments and lawful basis assessments. Covers cross-reference systems, dependency tracking, and update cascade triggers between RoPA, DPIA register, and lawful basis documentation. Activate for RoPA-DPIA link, cross-reference, dependency tracking, impact assessment linkage, cascade updates.
Creates executive reporting and visualization from RoPA data including processing activity counts, risk heatmaps, compliance scores, trend analysis, and supervisory authority readiness indicators. Activate for RoPA dashboard, executive reporting, risk heatmap, compliance score, trend analysis, board reporting, KPI.
Establishes ongoing RoPA maintenance processes including update triggers, change management integration, version control, stakeholder review cycles, and completeness verification procedures. Activate for RoPA updates, record maintenance, change management, version history, review scheduling.
Integrates Records of Processing Activities with privacy management platforms including OneTrust, TrustArc, Collibra, and DataGrail. Covers API-based synchronization, data mapping import, and automated RoPA population from enterprise tools. Activate for RoPA tool setup, OneTrust integration, TrustArc sync, privacy platform configuration.
SaaS vendor data processing inventory management. Covers shadow IT discovery, API-based data flow detection, processing purpose mapping, contract status tracking, and continuous inventory reconciliation for cloud service providers.
Guides implementation of EU Standard Contractual Clauses under Commission Decision 2021/914 across all four modules (C2C, C2P, P2P, P2C). Covers clause-by-clause completion, Annex I-III drafting, and SCC module selection. Keywords: SCCs, standard contractual clauses, module selection, data transfers, Annex completion.
Implements the right to be forgotten in search engines under GDPR Article 17 and the CJEU Google Spain ruling (C-131/12). Covers delisting request procedures, criteria assessment balancing privacy against public interest, and geographic scope determination. Activate for right to be forgotten, search delisting, Google Spain, de-indexing queries.
Implements NIST SP 800-88 Rev. 1 media sanitization procedures including Clear, Purge, and Destroy methods for all media types. Covers certificate of destruction generation, verification procedures, vendor management for third-party destruction, and chain of custody documentation. Activate for data destruction, media sanitization, secure erasure, certificate of destruction queries.
Comprehensive PET selection guide covering differential privacy, homomorphic encryption, secure multi-party computation, federated learning, zero-knowledge proofs, and trusted execution environments. Includes use-case matching matrix, performance comparison, and GDPR alignment assessment for each technology.
Implementing server-side tracking with privacy controls using Google Tag Manager server containers. Covers first-party data collection, IP anonymization, consent-aware event forwarding, and reducing client-side third-party cookie exposure.
Guides compliance with Singapore's Personal Data Protection Act 2012 (PDPA). Covers PDPC advisory guidelines, Do Not Call Registry, data intermediary obligations, deemed consent, notification requirements, and the 2020-2021 amendments. Keywords: Singapore PDPA, PDPC, Do Not Call Registry, deemed consent, data intermediary, advisory guidelines.
Guides SOC 2 Type II Privacy Trust Services Criteria preparation and audit execution. Covers AICPA TSP Section 100 Privacy criteria P1-P8 including notice, choice/consent, collection, use/retention/disposal, access, disclosure, security, and quality. Includes evidence collection, control testing, and report review. Keywords: SOC 2, privacy criteria, TSP, AICPA, Type II, trust services.
Implements compliance with South Africa's Protection of Personal Information Act (POPIA), Act No. 4 of 2013. Covers conditions for lawful processing, data subject rights, cross-border transfer restrictions, Information Regulator enforcement, and responsible party obligations. Keywords: POPIA, South Africa, Information Regulator, responsible party, operator, prior authorisation.
Identifies and classifies GDPR Art. 9 special category data including racial origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health, and sexual orientation data. Covers processing conditions under Art. 9(2)(a)-(j). Keywords: special category, Art 9, sensitive data, biometric, genetic, health data, explicit consent.
US state privacy law applicability assessment tool. Evaluates revenue thresholds, data volume thresholds, business exemptions (GLBA, HIPAA, nonprofits), employee data carve-outs, and SBA small business determinations across all enacted state privacy laws.
Tracks and monitors US state privacy legislation across all 50 states, DC, and territories. Covers enacted comprehensive privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and subsequent enactments), pending bills, effective dates, and key requirement differences. Keywords: state privacy law, CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, multi-state.
GDPR Article 28(2) sub-processor approval workflow management. Covers prior specific and general authorization mechanisms, change notification procedures, objection windows, flow-down obligation enforcement, and sub-processor chain risk monitoring.
Guides implementation of technical, contractual, and organisational supplementary measures for international data transfers per EDPB Recommendations 01/2020. Covers encryption, pseudonymisation, split processing, audit rights, transparency obligations, and internal policies. Keywords: supplementary measures, encryption, pseudonymisation, EDPB recommendations, transfer safeguards.
Implementing the IAB Transparency and Consent Framework v2.2 for programmatic advertising consent management. Covers CMP registration, Global Vendor List integration, TC String encoding, publisher restrictions, and compliance validation.
Implements telehealth privacy compliance covering HIPAA requirements for virtual care, state licensing and recording consent laws, platform security with BAA requirements for telehealth vendors, cross-state prescribing rules, and OCR enforcement discretion during public health emergencies. Keywords: telehealth privacy, virtual care, HIPAA, recording consent, platform BAA, cross-state licensing, OCR enforcement.
Texas Data Privacy and Security Act (TDPSA) compliance. No revenue threshold; it applies to all businesses. Covers data broker registration requirements, biometric identifier provisions under CUBI, consumer rights, AG enforcement, and 30-day cure period. Effective July 1, 2024.
Guides compliance with Thailand's Personal Data Protection Act B.E. 2562 (2019). Covers consent framework, DPO requirements, PDPC enforcement, lawful bases for processing, cross-border transfer mechanisms, and data subject rights under the PDPA. Keywords: Thailand PDPA, PDPC, consent, DPO, cross-border transfers, data subject rights.
Guides the post-Schrems II Transfer Impact Assessment process following EDPB Recommendations 01/2020 six-step methodology. Covers destination country surveillance law assessment, European Essential Guarantees evaluation, and supplementary measures determination. Keywords: TIA, transfer impact assessment, Schrems II, EDPB recommendations, supplementary measures.
Guides the post-Schrems II Transfer Impact Assessment process following EDPB Recommendations 01/2020 six-step methodology. Covers assessment of third country legal frameworks, supplementary measures evaluation, and TIA scoring. Activate for international data transfers, SCCs, third-country adequacy, or Chapter V compliance. Keywords: TIA, Schrems II, transfer assessment, EDPB, supplementary measures, SCCs, international transfer.
Guides maintenance of cross-border transfer registers, audit trails, and compliance documentation under GDPR Art. 30 and Art. 46, EDPB record-keeping guidance, and supervisory authority expectations. Keywords: transfer register, audit trail, Art. 30, Art. 46, documentation, compliance records.
Implements GDPR Article 12 transparent information and communication requirements, covering concise, intelligible, and plain language obligations, response timelines, fee and refusal provisions, and layered notice design. Activate for transparent communication, Art. 12, privacy notice, plain language, response timeline queries.
Implements compliance with Turkey's Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, KVKK, Law No. 6698). Covers data controller obligations, data subject rights, VERBIS registration, cross-border transfer restrictions, Board decisions, and administrative fines. Keywords: KVKK, Turkey, VERBIS, data controller registry, Board decision, cross-border.
Implements compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDP Law) and its Executive Regulations. Covers data controller and processor obligations, data subject rights, cross-border transfer requirements, sensitive data processing, and UAE Data Office enforcement. Keywords: UAE PDP, Federal Decree-Law 45, UAE Data Office, DIFC, ADGM, cross-border transfer.
Implements the UK Age Appropriate Design Code (Children's Code) 15 standards under the Data Protection Act 2018 Section 123. Covers best interests assessment, age-appropriate application, transparency, data minimization, geolocation restrictions, and profiling defaults. Keywords: AADC, Children's Code, ICO, age appropriate design, UK.
Guides implementation of UK international data transfer mechanisms post-Brexit including the International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, UK adequacy assessments, and ICO transfer risk assessment tool. Keywords: UK IDTA, UK addendum, ICO TRA, post-Brexit transfers, UK GDPR.
Universal opt-out mechanism implementation across US state privacy laws. Covers Global Privacy Control (GPC) signal technical implementation, state-by-state recognition requirements, browser detection methods, authenticated vs unauthenticated handling, and compliance testing.
Maps the US federal privacy landscape including sectoral laws (HIPAA, GLBA, FERPA, COPPA, FCRA, ECPA, VPPA), FTC Section 5 enforcement, proposed federal comprehensive legislation, and the interaction between federal and state privacy regimes. Keywords: federal privacy, HIPAA, GLBA, FERPA, COPPA, FCRA, FTC, sectoral, preemption.
Virginia Consumer Data Protection Act (VCDPA) compliance implementation. Covers 5 consumer rights, controller obligations, processor requirements, opt-in for sensitive data, data protection impact assessments, AG enforcement, and cure period provisions. Effective January 1, 2023.
Vendor breach notification cascade management per GDPR Article 33(2). Covers processor-to-controller notification without undue delay, escalation paths, coordinated multi-party breach response, liability allocation, and regulatory notification coordination.
Vendor certification acceptance criteria and equivalence mapping. Covers ISO 27701, SOC 2 Privacy, APEC CBPR, EU Code of Conduct evaluation, certification scope analysis, gap supplementation requirements, and cross-framework equivalence assessment.
Ongoing vendor privacy compliance monitoring program. Covers annual reassessment procedures, continuous monitoring signals, contract renewal privacy triggers, performance metrics, KPIs, and vendor governance reporting dashboards.
On-site and remote vendor audit procedures per GDPR Article 28(3)(h). Covers audit planning, evidence collection methodologies, finding classification, remediation tracking, and audit report generation for processor compliance verification.
Pre-contract vendor privacy due diligence per GDPR Article 28(1). Covers risk questionnaires, technical controls assessment, certification review, data flow analysis, and documented sufficiency decisions for processor engagement.
Vendor privacy risk tiering methodology for processor management. Covers scoring factors including data volume, sensitivity, transfer locations, certifications, breach history, and control maturity with weighted risk calculation and tier assignment.
Vendor termination data return and deletion procedures per GDPR Article 28(3)(g). Covers data extraction formats, deletion certification requirements, transition planning, residual data handling, and post-termination verification.
Implements data protection compliance for whistleblowing systems under EU Directive 2019/1937 and GDPR. Covers anonymous reporting channels, identity protection for whistleblowers and accused persons, retention limits, access restrictions, and retaliation prevention. Addresses national transpositions and DPA guidance. Keywords: whistleblower, Directive 2019/1937, anonymous reporting, identity protection, retaliation, retention, reporting channel.
Implements email and internet monitoring compliance in the workplace per Barbulescu v Romania (ECHR Grand Chamber), EDPB guidance, and national labour law. Covers acceptable use policies, legitimate expectation of privacy, proportionality testing, and content vs metadata monitoring. Keywords: email monitoring, Barbulescu, workplace privacy, internet monitoring, acceptable use policy, ECHR, proportionality.