DAT-04: Data Privacy (GDPR Compliance)
Objective
Ensure GDPR compliance and respect customer privacy rights.
Description
Customer data is processed according to GDPR requirements. Privacy rights are respected including access, portability, and deletion. Data Processing Agreements are in place with vendors.
Implementation Details
Legal Basis: Document legal basis for processing (contract, consent, legitimate interest). Obtain consent where required.
Privacy Rights: Process customer requests for data access, portability, and deletion within 30 days. Maintain a request log.
DPAs: Execute Data Processing Agreements with all vendors that process customer data. Maintain a DPA register.
Privacy by Design: Conduct privacy assessments for new features. Minimize data collection to what is necessary.
Examples
- Customer can download all their data via account settings (portability)
- Privacy team reviews all new features that collect/process customer data
- DPAs signed with AWS, Google Workspace, support ticketing system
- Data processing inventory documents purpose and legal basis for all customer data
Audit Evidence
- Privacy policy
- Customer rights request log
- DPA register with all vendors
- Privacy assessment documentation
Framework Mapping
SOC 2
- CC6.6 ^[Privacy controls restrict access to personal data based on user role and data sensitivity]
- CC6.7 ^[DPAs and privacy controls restrict transmission and movement of customer information to authorized parties]
GDPR
- Article 5 ^[Data processing principles implemented: lawfulness, fairness, transparency, purpose limitation, data minimization]
- Article 6 ^[Legal basis for processing documented (contract, consent, legitimate interest)]
- Article 15 ^[Data subject right of access - customers can access their data via account settings or request]
- Article 17 ^[Right to erasure implemented via customer deletion request process]
- Article 20 ^[Right to data portability - customers can download all their data]
- Article 28 ^[Data Processing Agreements (DPAs) in place with all vendors processing customer data]
- Article 32 ^[Technical and organizational measures ensure security of processing throughout data lifecycle]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Processes:
- Data Breach Response Process ^[10-step breach response: confirmation, leadership notification, regulatory timeline assessment, detailed assessment, authority notification within 72 hours, individual notification planning, execution, external notifications, support, PIR]
- Incident Response Process ^[GDPR breach notification within 72 hours, legal team involvement for external communication]
- Vendor Risk Assessment Process ^[Vendor DPAs for GDPR compliance, subprocessor disclosure, data residency requirements]
Policies:
- Data Access Policy ^[Customer data requests (GDPR rights: access, rectify, erase, port), respond within 30 days, data minimization, breach reporting]
Charter: