Overview
ISO 27001 Control A.5.34 requires organizations to identify and meet privacy and PII protection requirements from applicable legislation, regulations, and contractual obligations. This skill builds a comprehensive privacy program producing five core documents tailored to the organization’s jurisdictions and data processing activities, with validation tools that enforce completeness against GDPR, LGPD, and CCPA requirements.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Privacy Policy — external-facing policy covering data collection, purposes, legal basis, rights, transfers, retention, and cookies
- Record of Processing Activities (ROPA) — structured register of processing activities with purpose, legal basis, data categories, recipients, retention, and transfers
- DPIA Template — Data Protection Impact Assessment template for evaluating new processing activities
- Data Subject Rights Procedure — handling access, rectification, erasure, portability, objection, and restriction requests
- Data Breach Notification Procedure — detection, assessment, supervisory authority notification (72h under GDPR; “reasonable time” with ANPD notification under LGPD), individual notification, and record-keeping
Example Conversation
You: Build the privacy program for our Brazilian SaaS company. We’re subject to LGPD and have EU enterprise clients under GDPR. We process customer project data, authentication data, payment data via Stripe, and email via SendGrid.
Agent: I’ll create all 5 privacy documents tailored to LGPD and GDPR. Let me start with the ROPA, then validate it.
I’ve documented 5 processing activities in the ROPA. Running validation…
ROPA completeness checker: PASS — All 5 processing activities have complete entries: purpose, legal basis, data categories, recipients, retention period, and international transfer status.
Legal basis validator: PASS with 1 advisory — 4 activities use legitimate interest or contractual necessity. The analytics processing uses consent — flagged for DPIA consideration since consent-based processing may require a Data Protection Impact Assessment under GDPR Article 35 and LGPD Article 38.
Breach notification timeline enforcer: PASS — The procedure includes both LGPD’s “reasonable time” requirement with ANPD notification and GDPR’s 72-hour supervisory authority notification. Severity classification, containment steps, and post-breach review are documented.
Excerpt of a generated ROPA
Below is a condensed example from the Record of Processing Activities:
## Processing Activities Register
| # | Activity | Purpose | Legal Basis | Data Categories | Recipients | Retention | Int'l Transfers |
|---|----------|---------|-------------|-----------------|------------|-----------|-----------------|
| 1 | Customer project data storage | Provide SaaS platform services | Contract (Art. 7, V LGPD) | Project data, user profiles | Cloud provider (GCP) | Duration of contract + 5 years | Yes — GCP US regions (SCCs) |
| 2 | User authentication | Verify user identity | Legitimate interest | Credentials, session tokens | Okta (SSO provider) | Active account + 90 days | Yes — Okta US (SCCs) |
| 3 | Payment processing | Process subscription payments | Contract | Payment card data (tokenized) | Stripe | Per PCI DSS requirements | Yes — Stripe US (SCCs) |
Validation tools
The skill includes three extension tools:
- ROPA completeness checker — Validates each processing activity entry in the ROPA document. Required (errors if missing): (1) processing purpose, (2) legal basis, (3) data categories, (4) recipients, (5) retention period, (6) international transfers. Recommended (warnings if missing): data subjects identified, activity name/description, security measures referenced.
- Legal basis validator — Checks that each processing activity has a valid legal basis from the recognized privacy regulations (consent, legitimate interest, contract, legal obligation, vital interest, public interest). Warns when consent-based processing may require a DPIA and when legitimate interest lacks a balance test reference.
- Breach notification timeline enforcer — Validates the breach notification procedure against jurisdiction-specific regulatory timelines. Required (errors if missing): (1) notification timeline (GDPR 72h, LGPD reasonable time), (2) supervisory authority notification, (3) individual/data subject notification, (4) breach assessment/severity classification. Recommended (warnings if missing): breach register/log, post-breach review.
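As an added illustration (not the skill's own tool code), the following Python checker applies the ROPA completeness and legal basis rules described above to a register written in the same markdown table layout as the excerpt. The sample register is constructed for this example: rows 3 and 4 are invented to exercise the consent advisory and the missing-field error paths.

```python
# Constructed sample: a ROPA register in the same markdown-table layout as the excerpt.
# Rows 1-2 mirror the excerpt; rows 3-4 are invented to trigger a warning and errors.
ROPA_MD = """\
| # | Activity | Purpose | Legal Basis | Data Categories | Recipients | Retention | Int'l Transfers |
|---|----------|---------|-------------|-----------------|------------|-----------|-----------------|
| 1 | Customer project data storage | Provide SaaS platform services | Contract (Art. 7, V LGPD) | Project data, user profiles | Cloud provider (GCP) | Duration of contract + 5 years | Yes - GCP US regions (SCCs) |
| 2 | User authentication | Verify user identity | Legitimate interest | Credentials, session tokens | Okta (SSO provider) | Active account + 90 days | Yes - Okta US (SCCs) |
| 3 | Product analytics | Usage metrics | Consent | Usage events | Internal | 12 months | No |
| 4 | Marketing newsletter | Send updates | | Email addresses | SendGrid | | Yes - SendGrid US (SCCs) |
"""

# The six fields the completeness checker treats as required (errors if missing).
REQUIRED = ["Purpose", "Legal Basis", "Data Categories", "Recipients", "Retention", "Int'l Transfers"]
# Legal bases the validator recognises; matched as substrings so "Contract (Art. 7, V LGPD)" passes.
RECOGNIZED_BASES = ("consent", "legitimate interest", "contract",
                    "legal obligation", "vital interest", "public interest")

def parse_ropa(markdown):
    """Parse a markdown ROPA table into a list of dicts keyed by column header."""
    rows = [line for line in markdown.splitlines() if line.startswith("|")]
    cells = lambda line: [c.strip() for c in line.strip().strip("|").split("|")]
    headers = cells(rows[0])
    return [dict(zip(headers, cells(r))) for r in rows[2:]]  # skip header and separator rows

def check_ropa(entries):
    """Return (errors, warnings): completeness errors plus legal-basis advisories."""
    errors, warnings = [], []
    for e in entries:
        label = f"activity {e.get('#', '?')} ({e.get('Activity') or 'unnamed'})"
        if not e.get("Activity"):
            warnings.append(f"{label}: no activity name/description")
        for col in REQUIRED:
            if not e.get(col):
                errors.append(f"{label}: missing {col}")
        basis = e.get("Legal Basis", "").lower()
        if basis and not any(b in basis for b in RECOGNIZED_BASES):
            errors.append(f"{label}: unrecognised legal basis '{e['Legal Basis']}'")
        if "consent" in basis:
            warnings.append(f"{label}: consent-based processing, consider a DPIA (GDPR Art. 35 / LGPD Art. 38)")
        if "legitimate interest" in basis and "balanc" not in basis:
            warnings.append(f"{label}: legitimate interest without a balance test reference")
    return errors, warnings

def verdict(errors, warnings):
    """Summarise in the same style as the tool output: PASS, PASS with advisories, or FAIL."""
    if errors:
        return f"FAIL ({len(errors)} errors)"
    return "PASS" + (f" with {len(warnings)} advisory" if warnings else "")

if __name__ == "__main__":
    errs, warns = check_ropa(parse_ropa(ROPA_MD))
    print(verdict(errs, warns), *errs, *warns, sep="\n")
```

Dropping the two invented rows leaves only the excerpt's activities, for which the checker reports PASS with a single legitimate-interest advisory.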
Getting Started
Add your organization profile and legal requirements register to the project workspace, then activate the Privacy & PII Protection Program skill. The agent will identify applicable privacy regulations, draft all 5 documents tailored to your jurisdictions and data processing activities, and validate them with the completeness, legal basis, and timeline enforcement tools.