Multi-regulation privacy compliance navigator. Use for GDPR, CCPA, LGPD, POPIA, PIPEDA, PDPA, Privacy Act, PIPL, UK GDPR compliance assessments, DPA reviews, and data subject request management.
Tools and guidance for multi-regulation privacy compliance across 9 major global privacy frameworks, DPA review, and data subject request lifecycle management.
Determines which privacy regulations apply to an organization based on its location, data subjects, data types, and processing activities. Generates a compliance obligations matrix and flags gaps.
```bash
# Basic check — organization in Germany processing EU and US data
python scripts/privacy_regulation_checker.py \
  --org-location DE \
  --data-subjects EU,US \
  --data-types personal,sensitive,financial \
  --processing-activities marketing,analytics,hr

# JSON output for integration
python scripts/privacy_regulation_checker.py \
  --org-location SG \
  --data-subjects SG,AU,CN \
  --data-types personal,health \
  --processing-activities healthcare,research \
  --json

# Include gap analysis against current practices
python scripts/privacy_regulation_checker.py \
  --org-location US-CA \
  --data-subjects EU,US,BR \
  --data-types personal,biometric \
  --processing-activities ecommerce,profiling \
  --current-practices consent_mechanism,breach_process,retention_policy
```
Determines:
Output:
Manages Data Subject Request lifecycle across multiple regulations with deadline calculation, status tracking, and overdue alerts.
```bash
# Add a new GDPR access request
python scripts/dsr_tracker.py add \
  --type access --regulation gdpr \
  --subject "Jane Smith" --email "[email protected]"

# Add CCPA deletion request
python scripts/dsr_tracker.py add \
  --type deletion --regulation ccpa \
  --subject "John Doe" --email "[email protected]"

# List all open requests
python scripts/dsr_tracker.py list

# List overdue requests only
python scripts/dsr_tracker.py list --overdue

# Update request status
python scripts/dsr_tracker.py update --id DSR-0001 --status verified

# Dashboard view with time remaining
python scripts/dsr_tracker.py dashboard

# Export as JSON
python scripts/dsr_tracker.py dashboard --json
```
Supported Request Types:
| Type | GDPR Art. | CCPA Section | LGPD Art. |
|---|---|---|---|
| Access | Art. 15 | §1798.100 | Art. 18 |
| Deletion/Erasure | Art. 17 | §1798.105 | Art. 18(VI) |
| Correction/Rectification | Art. 16 | §1798.106 | Art. 18(III) |
| Portability | Art. 20 | §1798.130 | Art. 18(V) |
| Restriction | Art. 18 | — | Art. 18(IV) |
| Objection | Art. 21 | §1798.120 | Art. 18(IV) |
| Automated Decision Opt-Out | Art. 22 | §1798.185 | Art. 20 |
| Withdraw Consent | Art. 7(3) | — | Art. 18(IX) |
Deadline Calculation:
| Regulation | Initial Deadline | Extension | Extension Deadline |
|---|---|---|---|
| GDPR | 30 calendar days | +60 days (complex) | 90 calendar days |
| CCPA | 10 business days (ack) + 45 calendar days | +45 days | 90 calendar days |
| LGPD | 15 calendar days | — | — |
| POPIA | 30 calendar days | — | — |
| PIPEDA | 30 calendar days | +30 days | 60 calendar days |
| PDPA (SG) | 30 calendar days | — | — |
| Privacy Act (AU) | 30 calendar days | +30 days | 60 calendar days |
| PIPL | 15 calendar days | +15 days | 30 calendar days |
| UK GDPR | 30 calendar days | +60 days | 90 calendar days |
Statuses: received → verified → processing → completed | denied | extended
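The deadline table above and the "satisfy strictest requirement" rule from the multi-regulation workflow, worked through as an added example (not the project's own dsr_tracker.py code). It assumes the CCPA 45-day response window runs from receipt, as the table's 90-day extended total implies, and models business days as Mon-Fri without public holidays.

```python
from datetime import date, timedelta

# Transcribed from the deadline table: (initial calendar days,
# acknowledgment business days or None, extension days or None).
DEADLINES = {
    "gdpr":           (30, None, 60),
    "ccpa":           (45, 10, 45),
    "lgpd":           (15, None, None),
    "popia":          (30, None, None),
    "pipeda":         (30, None, 30),
    "pdpa":           (30, None, None),
    "privacy_act_au": (30, None, 30),
    "pipl":           (15, None, 15),
    "uk_gdpr":        (30, None, 60),
}

def add_business_days(start, days):
    """Advance `start` by `days` weekdays (Mon-Fri). Assumption: no public holidays."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def compute_deadlines(regulation, received, extended=False):
    """Return {'ack': date | None, 'respond': date} for a request received on `received`.

    The extension, where the regulation allows one, is added to the initial window,
    matching the 'Extension Deadline' column (e.g. GDPR 30 + 60 = 90 calendar days).
    """
    initial, ack_days, ext_days = DEADLINES[regulation]
    if extended and ext_days is None:
        raise ValueError(f"{regulation} does not allow an extension")
    respond = received + timedelta(days=initial + (ext_days if extended else 0))
    ack = add_business_days(received, ack_days) if ack_days else None
    return {"ack": ack, "respond": respond}

def strictest_deadline(regulations, received):
    """Unified control for a subject covered by several regulations: earliest date wins."""
    return min(compute_deadlines(r, received)["respond"] for r in regulations)

def days_remaining(deadline, today):
    """Time left until `deadline`; negative means the request is overdue."""
    return (deadline - today).days
```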
references/global_privacy_regulations.md
Comprehensive comparison of 9 major privacy regulations covering:
references/dpa_review_checklist.md
Complete Data Processing Agreement review guide:
references/dsr_handling_guide.md
Data Subject Request handling reference:
```text
Step 1: Identify organization parameters
  → Location, data subjects, data types, processing activities
Step 2: Run regulation checker
  → python scripts/privacy_regulation_checker.py --org-location [LOC] ...
Step 3: Review applicable regulations and obligations
  → Prioritize by risk (penalties, data volume, enforcement activity)
Step 4: Gap analysis against current practices
  → Re-run with --current-practices flag
Step 5: Build remediation roadmap
  → Address critical gaps first (missing legal basis, no breach process)
```
```text
Step 1: Receive and log request
  → python scripts/dsr_tracker.py add --type [type] --regulation [reg] ...
Step 2: Verify identity (proportionate to sensitivity)
  → See references/dsr_handling_guide.md for methods
  → python scripts/dsr_tracker.py update --id [ID] --status verified
Step 3: Gather data from all systems
  → python scripts/dsr_tracker.py update --id [ID] --status processing
Step 4: Apply exemptions if applicable
  → Check references/dsr_handling_guide.md exemptions table
Step 5: Prepare and send response within deadline
  → python scripts/dsr_tracker.py update --id [ID] --status completed
Step 6: Monitor dashboard for overdue requests
  → python scripts/dsr_tracker.py dashboard
```
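The request lifecycle this workflow walks through (received → verified → processing → completed | denied | extended, with overdue monitoring), as an added example that is not the project's dsr_tracker.py. The allowed-transition table, the in-memory store and the `extension_days` parameter are this example's assumptions; deadlines are passed in by the caller.

```python
from datetime import date, timedelta

# Allowed status transitions. Assumption of this example: 'extended' can be entered
# from any open state and must be followed by a normal processing state.
TRANSITIONS = {
    "received":   {"verified", "denied", "extended"},
    "verified":   {"processing", "denied", "extended"},
    "processing": {"completed", "denied", "extended"},
    "extended":   {"verified", "processing", "completed", "denied"},
    "completed":  set(),   # terminal
    "denied":     set(),   # terminal
}
OPEN_STATUSES = {"received", "verified", "processing", "extended"}

class DsrTracker:
    def __init__(self):
        self.requests = {}   # id -> request record (in-memory stand-in for dsr_requests.json)

    def add(self, req_type, regulation, subject, email, received, deadline):
        """Log a request; IDs are sequential in the DSR-0001 form shown above."""
        rid = f"DSR-{len(self.requests) + 1:04d}"
        self.requests[rid] = {"id": rid, "type": req_type, "regulation": regulation,
                              "subject": subject, "email": email, "received": received,
                              "deadline": deadline, "status": "received"}
        return rid

    def update(self, rid, status, extension_days=0):
        """Move a request to `status`, rejecting skipped or backwards steps."""
        req = self.requests[rid]
        if status not in TRANSITIONS[req["status"]]:
            raise ValueError(f"{rid}: cannot go from {req['status']} to {status}")
        if status == "extended":
            req["deadline"] += timedelta(days=extension_days)
        req["status"] = status
        return req

    def overdue(self, today):
        """IDs of open requests whose deadline has passed (the `list --overdue` view)."""
        return [r["id"] for r in self.requests.values()
                if r["status"] in OPEN_STATUSES and today > r["deadline"]]

    def dashboard(self, today):
        """Open requests with status and days remaining (negative = overdue)."""
        return {r["id"]: (r["status"], (r["deadline"] - today).days)
                for r in self.requests.values() if r["status"] in OPEN_STATUSES}
```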
```text
Step 1: Check DPA against Art. 28 required elements
  → Use references/dpa_review_checklist.md
Step 2: Verify processor obligations (10 items)
  → Sub-processing, deletion, audit rights, etc.
Step 3: Assess international transfer provisions
  → SCC module selection (C2P, C2C, P2P, P2C)
  → Transfer impact assessment
  → Supplementary measures
Step 4: Review practical considerations
  → Liability caps, insurance, termination, data locations
Step 5: Document findings and negotiate amendments
```
```text
Step 1: Run regulation checker for full scope
  → python scripts/privacy_regulation_checker.py [params]
Step 2: Map overlapping obligations across regulations
  → Use references/global_privacy_regulations.md comparison matrix
Step 3: Build unified controls (satisfy strictest requirement)
  → GDPR-first approach covers most other regulations
Step 4: Layer regulation-specific requirements
  → CCPA opt-out mechanisms, LGPD DPO, PIPL localization
Step 5: Monitor regulatory changes
  → See references/dsr_handling_guide.md monitoring approach
```
| Problem | Possible Cause | Resolution |
|---|---|---|
| Regulation checker flags unexpected regulation | Data subjects in jurisdiction not considered | Review data flow maps; even indirect data collection (analytics, cookies) can trigger territorial scope |
| DSR deadline missed | Request not logged promptly or status not updated | Implement intake SLA (log within 24 hours); use dashboard daily for overdue alerts |
| DPA missing Art. 28 elements | Template from processor is incomplete | Use DPA review checklist to identify gaps; require amendments before signing |
| Cross-border transfer mechanism unclear | Multiple transfer layers (controller → processor → sub-processor) | Map full data flow chain; each transfer leg needs its own mechanism |
| Conflicting obligations across regulations | Retention vs. deletion requirements differ | Document conflicts; apply strictest obligation unless local law mandates otherwise; seek legal counsel |
| Identity verification proportionality unclear | Over-verification deters legitimate requests | Match verification to risk: low-risk data = email confirmation; high-risk = ID verification |
In Scope:
Out of Scope:
dpia-assessment skill)

| Anti-Pattern | Why It Fails | Better Approach |
|---|---|---|
| GDPR-only compliance | Organizations assume GDPR covers all obligations; miss CCPA opt-out requirements, LGPD DPO mandate, PIPL data localization | Run regulation checker against all jurisdictions where data subjects reside; layer regulation-specific controls |
| One-size-fits-all DSR process | Applying GDPR 30-day timeline to all regulations misses CCPA 10-business-day acknowledgment or PIPL 15-day deadline | Configure per-regulation deadlines; use DSR tracker with regulation parameter for accurate deadline calculation |
| Ignoring sub-processor chains in DPA review | DPA covers direct processor but sub-processors transfer data to third countries without TIA | Map full processing chain in DPA review; require Art. 28(2) sub-processor obligations; validate each transfer leg |
| Treating privacy as a one-time project | Regulations evolve; new laws enacted; enforcement priorities shift | Implement regulatory monitoring with escalation criteria; quarterly compliance reviews |
Determines applicable privacy regulations and maps obligations based on organization parameters.
| Flag | Required | Description |
|---|---|---|
| `--org-location <code>` | Yes | Organization headquarters (ISO country code, e.g., DE, US-CA, SG) |
| `--data-subjects <list>` | Yes | Comma-separated locations of data subjects (EU, US, BR, ZA, CA, SG, AU, CN, UK) |
| `--data-types <list>` | Yes | Comma-separated data types (personal, sensitive, financial, health, biometric, children) |
| `--processing-activities <list>` | Yes | Comma-separated activities (marketing, analytics, hr, ecommerce, profiling, healthcare, research) |
| `--current-practices <list>` | No | Comma-separated current practices for gap analysis |
| `--json` | No | Output in JSON format |
Tracks Data Subject Request lifecycle with multi-regulation deadline calculation.
| Subcommand | Description |
|---|---|
| `add` | Add new DSR (`--type`, `--regulation`, `--subject`, `--email` required) |
| `list` | List all requests (`--overdue` for overdue only) |
| `update` | Update request status (`--id`, `--status` required) |
| `dashboard` | Show dashboard with time remaining and alerts |
| Flag | Description |
|---|---|
| `--type <type>` | Request type: access, deletion, correction, portability, restriction, objection, automated_decision, withdraw_consent |
| `--regulation <reg>` | Regulation: gdpr, ccpa, lgpd, popia, pipeda, pdpa, privacy_act_au, pipl, uk_gdpr |
| `--subject <name>` | Data subject name |
| `--email <email>` | Data subject email |
| `--id <id>` | Request ID (e.g., DSR-0001) |
| `--status <status>` | Status: received, verified, processing, completed, denied, extended |
| `--overdue` | Filter to overdue requests only |
| `--json` | Output in JSON format |
| `--data-file <path>` | Custom data file path (default: dsr_requests.json) |