Privacy

Skill packages tagged with “Privacy”

Canada Privacy & PIA

Guide to Canadian privacy law (PIPEDA, provincial private-sector laws, Bill C-27 status) and Privacy Impact Assessments for federal and private-sector data handling. Use with PIA outline and references to elaborate PIAs.

CCPA/CPRA Privacy Program — Compliance Documentation Package

Draft and validate the core privacy compliance documentation package required under the California Consumer Privacy Act as amended by CPRA. Covers the privacy policy, DSAR procedures, data inventory, privacy impact assessment, opt-out mechanisms, and service provider/contractor agreements.

Data Privacy — AIPD (CNIL Standard)

Conduct a Privacy Impact Assessment (AIPD) under the CNIL standard for France (RGPD). Three-step methodology: Context, Principles, Risks. Validates retention periods against the CNIL 'droit à l'oubli' (right to erasure).

Data Processing Agreement (DPA) — SCC & sub-processor sync

Draft the legal annex for DPAs governing controller–processor data transfers under GDPR and CCPA. Inserts the correct Standard Contractual Clauses by data importer country and validates the sub-processor list against the privacy portal.

DPC Cross-Border Data Processing (Lead SSA)

Draft Article 30 Records of Processing Activities for US firms using Ireland as Lead Supervisory Authority. Covers main establishment justification (GDPR Art. 4(16), EDPB criteria) and validation so the Irish DPC remains the competent authority.

FERPA Compliance Documentation — Student Records Policy

Draft and validate FERPA compliance documentation: annual notification, directory information policy, records access and amendment, disclosure log, and the school official exception for edtech vendors per 34 CFR Part 99.

GDPR Consent Form (Art. 7)

Draft consent forms and consent notices for personal data processing under GDPR Article 7. Covers all conditions for valid consent: freely given, specific, informed, unambiguous. Includes validation against EDPB Guidelines 05/2020.

GDPR Gap Assessment

Perform a structured gap assessment against GDPR (Regulation 2016/679). A mandatory artifact detector scans for missing compliance documents; a maturity rater suggests a 0-5 maturity score per compliance domain (principles, lawful basis, transparency, data subject rights including Art. 19, controller obligations, security, breach notification, DPIA including Art. 36 prior consultation, DPO governance, processor management, international transfers, training). Produces a findings register and a prioritized remediation roadmap with Art. 83 fine tier analysis.

GDPR Legitimate Interest Assessment (Art. 6(1)(f))

Conduct a three-part Legitimate Interest Assessment (LIA) under GDPR Art. 6(1)(f): purpose test, necessity test, and balancing test. Validates against EDPB Opinion 08/2024, WP217, and CJEU case law (Rigas, Fashion ID, Meta/Bundeskartellamt).

GDPR Privacy by Design & Default (Art. 25)

Assess and document data protection by design and by default measures per GDPR Article 25 and EDPB Guidelines 4/2019. Covers the seven foundational principles, Hoepman's eight design strategies, the Art. 25(2) four-dimension default settings review, controller/processor scope, DPIA necessity assessment (EDPB WP248 rev.01), and organisational measures.

GDPR ROPA & DPIA Author

Guided elaboration of Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA): processing purposes, legal basis, data categories, recipients, retention, safeguards, DPIA necessity assessment, and risk mitigation.

GDPR Vendor & Processor Audit (Art. 28)

Plan and document processor audits under GDPR Art. 28(3)(h). Covers Art. 28(3)(a-h) contract compliance, sub-processor chain review, international transfer assessment (SCCs, adequacy, BCRs, TIA), Art. 32 technical measures evaluation, Art. 28(5) certification review, and corrective action tracking.

India DPDP Act — Data Protection Impact Assessment

Draft and validate a Data Protection Impact Assessment for Significant Data Fiduciaries under India's Digital Personal Data Protection Act 2023. Covers processing inventory, consent framework, data principal rights, and cross-border transfers.

ISO 27701 Controller Controls (Annex A)

Implement and document ISO 27701 Clause 7 and Annex A controls specific to PII controllers. Covers conditions for collection/processing, obligations to PII principals, privacy by design/default, and PII sharing/transfer/disclosure, with implementation status, evidence, and justification for exclusions.

ISO 27701 DPIA Program

Establish a Data Protection Impact Assessment (DPIA) program aligned to ISO 27701 Clause 7.2.5 and GDPR Article 35. Create a DPIA methodology with WP29/EDPB screening criteria, screen processing activities for high-risk triggers, conduct individual DPIAs, and track risk mitigation with residual risk assessment.

ISO 27701 PII Processing Inventory

Build the PII processing inventory (Record of Processing Activities / ROPA) and data flow map for ISO 27701. Catalogs every processing activity with purpose, legal basis, data categories, PII principals, recipients, retention periods, and cross-border transfers. Produces a data flow map showing PII flows between systems, parties, and jurisdictions.

ISO 27701 PIMS Extension Author

Guided elaboration of PIMS documentation as an extension to the ISMS: PII processing inventory, privacy objectives, processing purposes and legal basis, controller/processor annex controls, and privacy policy drafting aligned to Clause 6 controller obligations.

ISO 27701 PIMS Internal Audit

Plan and document a PIMS-specific internal audit. Covers audit planning, execution checklist, findings, nonconformities, and corrective actions focused on privacy controls and PII processing compliance.

ISO 27701 PIMS Scope Definition

Define the Privacy Information Management System (PIMS) scope per ISO/IEC 27701:2019+AMD1:2024 Clauses 5.2.1–5.2.4 — organization role as PII controller, processor, or both (5.2.1); interested parties and their privacy needs (5.2.2); PII principal categories, applicable regulations (GDPR, LGPD, CCPA/CPRA, PIPEDA, PDPA, APPI, POPIA, PIPL), PIMS boundaries, cross-border transfers, privacy objectives, and exclusions (5.2.3); and ISMS linkage (5.2.4). Foundation skill for all ISO 27701 documentation.

ISO 27701 PIMS Statement of Applicability

Create the PIMS Statement of Applicability covering both Annex A (controller) and Annex B (processor) controls. Maps each control to In/Out with justification, implementation status, and evidence — the PIMS-specific equivalent of the ISO 27001 SoA.

ISO 27701 Privacy Policy Generator

Generate a comprehensive privacy policy/notice aligned to ISO 27701 Clause 6 controller obligations. Uses the PII inventory and controller controls as inputs to produce a legally grounded, auditable privacy policy covering all 15 mandatory topics, plus a condensed privacy notice for user-facing communication.

ISO 27701 Privacy Risk Assessment

Conduct a privacy-specific risk assessment focusing on risks to PII principals per ISO 27701 Clause 5.4 (2019) / Clause 6.6 (2025). Defines all 8 individual-focused privacy impact criteria (physical harm, financial loss, discrimination, reputational damage, emotional distress, loss of autonomy, identity theft, social disadvantage — not organizational CIA-triad categories), identifies privacy threats per processing activity and PII principal category, scores risks on a 5x5 privacy impact matrix, assesses DPIA triggers per GDPR Art. 35 / EDPB WP248 rev.01, and plans treatment using privacy-specific options (minimize, pseudonymize, anonymize, consent, purpose limitation, encryption, deletion).

ISO 27701 Processor Controls (Annex B)

Implement and document ISO 27701 Clause 8 and Annex B controls specific to PII processors. Covers conditions for processing, obligations to PII principals, privacy by design/default, sub-processor management, and PII sharing/transfer/disclosure, with implementation status, evidence, and justification for exclusions.

ISO 27701 Security Controls Overlay

Create the privacy overlay for the 93 ISO 27002:2022 security controls. For each control in the SoA, document what additional privacy-specific implementation is needed per ISO 27701 Clause 6. Covers all four control themes (Organizational, People, Physical, Technological) with privacy augmentation guidance and evidence mapping.

Japan APPI — Privacy Impact Assessment

Draft and validate a Privacy Impact Assessment for processing under Japan's Act on the Protection of Personal Information (APPI, amended 2022). Covers data categorisation, cross-border transfer assessment, and PPC guidelines compliance.

Multi-Jurisdiction Data Processing Agreement (GDPR + CCPA + UK)

Draft an integrated Data Processing Agreement covering EU GDPR Article 28, EU Standard Contractual Clauses (SCCs), the UK IDTA or UK Addendum, and US state privacy laws (CCPA/CPRA, CPA, VCDPA). Includes a jurisdiction checker, SCC module selection, and a Transfer Impact Assessment.

NDB Incident Drafter

Draft and validate the Statement to the Commissioner and the Notification to Individuals under Australia's Notifiable Data Breaches (NDB) scheme. Ensures the four mandatory sections under Privacy Act s 26WK are present and supports assessment of the likelihood of serious harm by data type (e.g. TFN, Medicare).

PDPA — Data Protection Management Programme (Singapore)

Draft and validate the Data Protection Management Programme (DPMP) required by Singapore's Personal Data Protection Act 2012. Covers governance, data inventory, DPIA, breach management plan, and DPO appointment per PDPC guidance.

PIPEDA Privacy Management Framework

Draft and validate the Privacy Management Framework documentation for compliance with Canada's PIPEDA and the ten CSA Model Code principles. Covers privacy governance, PIA, breach reporting, and cross-border transfer documentation.

POPIA Compliance Framework — Manual & PAIA Manual (South Africa)

Draft and validate POPIA (Act 4 of 2013) compliance framework documentation and the mandatory PAIA Manual. Covers the eight conditions for lawful processing, the PAIA manual, Information Officer registration, and breach notification.

Privacy & PII Protection Program

Build a comprehensive privacy program aligned with ISO 27001:2022 A.5.34 and major privacy regulations (GDPR, LGPD, CCPA). Produces five core privacy documents: external-facing privacy policy, Record of Processing Activities (ROPA), Data Protection Impact Assessment (DPIA) template, data subject rights procedure, and data breach notification procedure with jurisdiction-specific regulatory timelines.

Saudi PDPL — Personal Data Protection Assessment

Draft and validate data protection compliance documentation under Saudi Arabia's Personal Data Protection Law (Royal Decree M/19 of 2021, amended 2023) and its Implementing Regulations. Covers data inventory, consent, cross-border transfers, and 72-hour breach notification.

UAE Federal PDPL — Data Protection Impact Assessment

Draft and validate a DPIA under UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL) and its Executive Regulations. Covers data inventory, lawful basis, cross-border transfers, and 72-hour breach notification.

UK GDPR & DPIA (Data Protection)

Conduct and validate Data Protection Impact Assessments (DPIAs) under the UK GDPR and ICO guidance for high-risk processing. Suggests technical and organisational safeguards aligned with UK Adequacy standards. Validates breach-notification policies against the 72-hour ICO reporting window.
