gdpr-compliance

verified

GDPR compliance planning including lawful bases, data subject rights, DPIA, and implementation patterns

Marketplace

melodic-software

melodic-software/claude-code-plugins

Plugin

compliance-planning

Repository
Verified Org

melodic-software/claude-code-plugins
13 stars

plugins/compliance-planning/skills/gdpr-compliance/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/compliance-planning/skills/gdpr-compliance/SKILL.md -a claude-code --skill gdpr-compliance

Installation paths:

Claude
.claude/skills/gdpr-compliance/

Instructions

# GDPR Compliance Planning

Comprehensive guidance for General Data Protection Regulation compliance before development begins.

## When to Use This Skill

- Planning systems that process EU residents' personal data
- Designing consent management and preference centers
- Implementing data subject rights (access, erasure, portability)
- Conducting Data Protection Impact Assessments (DPIA)
- Defining data processing agreements and controller/processor relationships

## GDPR Fundamentals

### The 7 Principles

| Principle | Description | Implementation Focus |
|-----------|-------------|---------------------|
| **Lawfulness, Fairness, Transparency** | Valid legal basis, fair processing, clear privacy notices | Consent flows, privacy policies |
| **Purpose Limitation** | Collect for specified, explicit purposes | Purpose tracking, use restriction |
| **Data Minimization** | Adequate, relevant, limited to purpose | Field-level justification |
| **Accuracy** | Keep data accurate and up to date | Update mechanisms, verification |
| **Storage Limitation** | Keep only as long as necessary | Retention policies, auto-deletion |
| **Integrity and Confidentiality** | Appropriate security measures | Encryption, access control |
| **Accountability** | Demonstrate compliance | Audit logs, documentation |

### Lawful Bases for Processing

```text
1. Consent - Freely given, specific, informed, unambiguous
2. Contract - Necessary for contract performance
3. Legal Obligation - Required by law
4. Vital Interests - Protect someone's life
5. Public Task - Official authority/public interest
6. Legitimate Interest - Balanced against data subject rights
```

**Legitimate Interest Assessment (LIA):**

1. Purpose test: Is there a legitimate interest?
2. Necessity test: Is processing necessary for that interest?
3. Balancing test: Do the data subject's interests override that interest?

## Data Subject Rights Implementation

### Rights Checklist

| Right | Description | Response Time | Implementation |
|-------|-----

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length: 11596 chars