npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
Overview
The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill covers implementing the technical and organizational measures required by GDPR, including data protection by design and by default, Data Protection Impact Assessments (DPIAs), data subject rights management, breach notification procedures, and cross-border data transfer mechanisms.
When to Use
- When deploying or configuring implementing gdpr data protection controls capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Understanding of EU data protection law and its territorial scope
- Knowledge of personal data processing activities within the organization
- Familiarity with data architecture, databases, and application systems
- Understanding of data flows including cross-border transfers
Core Concepts
Key GDPR Articles for Technical Controls
| Article | Requirement |
|---|---|
| Art. 5 | Principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability |
| Art. 6 | Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interest) |
| Art. 25 | Data protection by design and by default |
| Art. 28 | Processor obligations and contractual requirements |
| Art. 30 | Records of processing activities (ROPA) |
| Art. 32 | Security of processing (technical and organizational measures) |
| Art. 33 | Breach notification to supervisory authority (72 hours) |
| Art. 34 | Communication of breach to data subjects |
| Art. 35 | Data Protection Impact Assessment (DPIA) |
| Art. 37-39 | Data Protection Officer (DPO) appointment and role |
| Art. 44-49 | Cross-border data transfers (adequacy, SCCs, BCRs) |
Article 32 Security Measures
The regulation requires organizations to implement measures appropriate to the risk:
- Pseudonymization and encryption of personal data
- Confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to personal data in a timely manner
- Regular testing and evaluation of technical and organizational measures
Data Subject Rights (Articles 12-22)
| Right | Article | Description |
|---|---|---|
| Right to be informed | 13-14 | Transparent information about processing |
| Right of access | 15 | Obtain copy of personal data |
| Right to rectification | 16 | Correct inaccurate data |
| Right to erasure | 17 | "Right to be forgotten" |
| Right to restrict processing | 18 | Limit processing of data |
| Right to data portability | 20 | Receive data in machine-readable format |
| Right to object | 21 | Object to processing (especially direct marketing) |
| Automated decision-making | 22 | Not be subject to solely automated decisions |
Workflow
Phase 1: Data Mapping and Assessment (Weeks 1-6)
- Create comprehensive data inventory:
- What personal data is collected
- From whom (data subjects)
- Why (purposes and lawful bases)
- Where it's stored (systems, locations, countries)
- Who has access (internal and external)
- How long it's retained
- What security measures protect it
- Document Records of Processing Activities (ROPA) per Article 30
- Identify lawful basis for each processing activity
- Map cross-border data transfers and transfer mechanisms
- Identify processing activities requiring DPIA
Phase 2: Gap Analysis and Risk Assessment (Weeks 7-10)
- Assess current state against GDPR requirements
- Perform DPIAs for high-risk processing activities
- Identify security gaps in Article 32 compliance
- Evaluate data retention compliance
- Assess data subject rights request handling capabilities
Phase 3: Technical Controls Implementation (Weeks 11-24)
- Encryption:
- Data at rest: AES-256 for databases, file systems, backups
- Data in transit: TLS 1.2+ for all personal data transfers
- Key management: secure key storage and rotation procedures
- Pseudonymization:
- Implement tokenization for sensitive identifiers
- Separate pseudonymization keys from data stores
- Access Controls:
- Role-based access control (RBAC) for personal data
- Principle of least privilege
- MFA for systems processing personal data
- Regular access reviews
- Data Minimization:
- Implement data collection limits at application layer
- Default privacy settings (data protection by default)
- Automated data retention enforcement
- Erasure and Portability:
- Build data deletion workflows across all systems
- Implement data export in machine-readable formats (JSON, CSV)
- Cascade deletion to backups and archives
- Consent Management:
- Implement granular consent collection mechanisms
- Consent withdrawal functionality
- Consent audit trail and versioning
- Breach Detection:
- SIEM for personal data access monitoring
- Data loss prevention (DLP) controls
- Anomalous access detection
Phase 4: Organizational Controls (Weeks 11-24)
- Appoint Data Protection Officer (DPO) if required
- Develop data protection policies and procedures
- Create breach notification procedures (72-hour timeline)
- Establish data subject request (DSR) handling procedures
- Implement vendor management with Data Processing Agreements (DPAs)
- Deploy privacy awareness training for all staff
- Create data protection by design guidance for development teams
Phase 5: Documentation and Compliance Evidence (Weeks 25-30)
- Finalize ROPA documentation
- Document all DPIAs and outcomes
- Create data protection policies
- Document technical and organizational measures
- Establish privacy notice and consent records
- Create international transfer documentation (SCCs, TIAs)
Phase 6: Ongoing Compliance (Continuous)
- Regular DPIA reviews for new processing activities
- Annual data mapping refresh
- Periodic security measure testing (Art. 32 requirement)
- Data subject request tracking and SLA monitoring
- Breach response readiness testing
- Training refresh and awareness campaigns
Key Artifacts
- Records of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIAs)
- Data Processing Agreements (DPAs)
- Privacy Notices and Consent Records
- Breach Response Procedures and Register
- Data Subject Request Handling Procedures
- International Data Transfer Mechanisms (SCCs, BCRs)
- Technical and Organizational Measures Documentation
Common Pitfalls
- Treating GDPR as only a legal/compliance exercise without technical implementation
- Incomplete data mapping missing shadow IT or legacy systems
- Failing to maintain consent audit trails
- Not testing 72-hour breach notification capability
- Ignoring cross-border transfer requirements for cloud services
- Over-reliance on consent as lawful basis when legitimate interest applies
References
- GDPR Official Text: https://gdpr-info.eu/
- European Data Protection Board (EDPB) Guidelines
- ICO (UK) GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
- CNIL (France) GDPR Compliance Toolkit
- Article 29 Working Party Guidelines on DPIAs
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.1 KB
API Reference: Implementing GDPR Data Protection Controls
Key GDPR Articles
| Article | Requirement | Technical Control |
|---|---|---|
| Art 5 | Processing principles | Data minimization, retention policies |
| Art 25 | Privacy by design | Default privacy settings |
| Art 30 | Records of processing | ROPA documentation system |
| Art 32 | Security of processing | Encryption, access controls, testing |
| Art 33 | Breach notification | 72-hour DPA notification |
| Art 35 | DPIA | Impact assessment for high-risk processing |
Data Subject Rights (Art 12-22)
| Right | Article | SLA |
|---|---|---|
| Access | Art 15 | 1 month |
| Rectification | Art 16 | 1 month |
| Erasure | Art 17 | 1 month |
| Portability | Art 20 | 1 month |
| Object | Art 21 | Without undue delay |
PII Detection Patterns
import re
patterns = {
"email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b",
"iban": r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b",
"ip_address": r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",
}ROPA Required Fields (Art 30)
| Field | Description |
|---|---|
| controller_name | Data controller identity |
| purposes | Processing purposes |
| data_categories | Types of personal data |
| data_subjects | Categories of data subjects |
| recipients | Data recipients |
| transfers | Cross-border transfers |
| retention_periods | Data retention schedules |
| security_measures | Art 32 controls |
Cross-Border Transfer Mechanisms (Art 44-49)
| Mechanism | Use Case |
|---|---|
| Adequacy Decision | Transfer to adequate countries (Art 45) |
| Standard Contractual Clauses (SCCs) | Most common mechanism (Art 46) |
| Binding Corporate Rules (BCRs) | Intra-group transfers (Art 47) |
| Derogations | Consent, contract necessity (Art 49) |
References
standards.md5.4 KB
GDPR Standards Reference
Primary Legislation
Regulation (EU) 2016/679 - General Data Protection Regulation
- Adopted: April 14, 2016
- Effective: May 25, 2018
- Scope: Applies to any organization processing personal data of EU/EEA residents
- Chapters: 11 chapters, 99 articles, 173 recitals
- Enforcement: Supervisory authorities in each EU member state
- Penalties: Up to EUR 20 million or 4% of annual global turnover (whichever is greater)
Key Articles Reference
Chapter II - Principles (Articles 5-11)
- Art. 5: Core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
- Art. 6: Six lawful bases for processing
- Art. 7: Conditions for consent
- Art. 8: Child's consent (minimum age varies by member state, 13-16)
- Art. 9: Special categories of data (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation)
- Art. 10: Criminal conviction data
Chapter III - Rights of the Data Subject (Articles 12-23)
- Art. 12: Transparent communication (one month response deadline)
- Art. 13: Information for direct collection
- Art. 14: Information for indirect collection
- Art. 15: Right of access (copy of data, processing purposes, recipients, retention periods, safeguards for transfers)
- Art. 16: Right to rectification
- Art. 17: Right to erasure (applies when: consent withdrawn, purpose fulfilled, unlawful processing, legal obligation)
- Art. 18: Right to restriction of processing
- Art. 20: Right to data portability (structured, commonly used, machine-readable format)
- Art. 21: Right to object (especially direct marketing - absolute right)
- Art. 22: Automated individual decision-making including profiling
Chapter IV - Controller and Processor (Articles 24-43)
- Art. 24: Responsibility of the controller
- Art. 25: Data protection by design and by default
- Art. 26: Joint controllers
- Art. 28: Processor (DPA requirements: subject-matter, duration, nature/purpose, personal data types, data subject categories, controller obligations/rights)
- Art. 30: Records of processing activities
- Art. 32: Security of processing
- Art. 33: Notification to supervisory authority (72 hours)
- Art. 34: Communication to data subject (when high risk to rights and freedoms)
- Art. 35: Data Protection Impact Assessment (DPIA)
- Art. 36: Prior consultation with supervisory authority
- Art. 37-39: Data Protection Officer
Chapter V - International Transfers (Articles 44-49)
- Art. 45: Adequacy decision (EU Commission determines adequate countries)
- Art. 46: Appropriate safeguards (SCCs, BCRs, codes of conduct, certification)
- Art. 47: Binding Corporate Rules
- Art. 49: Derogations (explicit consent, contract, public interest)
Supporting Standards and Guidance
ISO/IEC 27701:2019
- Privacy Information Management System (PIMS) extension to ISO 27001
- Maps GDPR requirements to ISO management system controls
- Provides controller and processor-specific guidance
EDPB Guidelines
- Guidelines on Data Protection Impact Assessment (WP 248)
- Guidelines on Data Breach Notification (WP 250)
- Guidelines on Consent (updated 2020)
- Guidelines on International Data Transfers (post-Schrems II)
- Guidelines on Data Protection by Design and Default (04/2019)
Transfer Mechanisms Post-Schrems II
- Standard Contractual Clauses (SCCs): New modular SCCs adopted June 2021
- Module 1: Controller to Controller
- Module 2: Controller to Processor
- Module 3: Processor to Processor
- Module 4: Processor to Controller
- Transfer Impact Assessment (TIA): Required to supplement SCCs
- Supplementary Measures: Technical (encryption, pseudonymization), contractual, organizational
- EU-US Data Privacy Framework: Adequacy decision adopted July 2023
DPIA Criteria (Article 35(3) and EDPB)
DPIA required when processing involves:
- Systematic and extensive evaluation of personal aspects (profiling)
- Large-scale processing of special categories or criminal data
- Systematic monitoring of publicly accessible areas
- New technologies with potential high risk
- Large-scale data processing
- Matching or combining datasets
- Data concerning vulnerable subjects
- Innovative use of biometric data
- Data transfers outside EU without adequacy
- Processing that prevents data subjects from exercising rights
Supervisory Authorities
| Country | Authority | Website |
|---|---|---|
| EU-wide | European Data Protection Board (EDPB) | edpb.europa.eu |
| France | CNIL | cnil.fr |
| Germany | BfDI (Federal), State DPAs | bfdi.bund.de |
| Ireland | DPC | dataprotection.ie |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Spain | AEPD | aepd.es |
| Italy | Garante | garanteprivacy.it |
| UK | ICO (UK GDPR post-Brexit) | ico.org.uk |
Key Enforcement Decisions (Benchmark)
- Meta (Ireland DPC, 2023): EUR 1.2 billion - Transfers to US without adequate safeguards
- Amazon (Luxembourg CNPD, 2021): EUR 746 million - Advertising targeting
- WhatsApp (Ireland DPC, 2021): EUR 225 million - Transparency failures
- Google (CNIL, 2022): EUR 150 million - Cookie consent
- H&M (Hamburg DPA, 2020): EUR 35.3 million - Employee surveillance
workflows.md7.0 KB
GDPR Data Protection Control Workflows
Workflow 1: Data Subject Request (DSR) Handling
Start
|
v
[Receive DSR from Data Subject]
- Via email, web form, phone, in-person
- Record receipt timestamp (30-day clock starts)
|
v
[Verify Identity of Requestor]
- Request additional identification if needed
- Clock pauses until identity verified
|
v
[Classify Request Type]
|
+--> Access Request (Art. 15) --> Locate all personal data
+--> Rectification (Art. 16) --> Identify incorrect data
+--> Erasure (Art. 17) --> Verify grounds for erasure
+--> Restriction (Art. 18) --> Flag data for restriction
+--> Portability (Art. 20) --> Export in machine-readable format
+--> Objection (Art. 21) --> Assess processing basis
|
v
[Check for Exemptions]
- Legal obligation to retain
- Freedom of expression
- Public health
- Archiving in public interest
- Legal claims
|
v
[Execute Request Across All Systems]
- Production databases
- Backups and archives
- Third-party processors
- Cloud services
- Analytics platforms
|
v
[Document Action Taken]
|
v
[Respond to Data Subject within 30 days]
- Extension to 60 additional days if complex (notify subject)
|
v
EndWorkflow 2: Data Breach Notification (Art. 33-34)
Start
|
v
[Breach Detected or Reported]
- Technical detection (SIEM, DLP, IDS)
- Employee report
- External notification
- Third-party processor notification
|
v
[72-hour Clock Starts]
|
v
[Assess Breach Severity]
- Number of data subjects affected
- Types of personal data compromised
- Special categories involved?
- Risk to rights and freedoms
|
v
[Determine Notification Requirements]
|
+--> [Risk to Rights and Freedoms?]
|
+--> No Risk --> Document in breach register only
|
+--> Risk exists --> Notify Supervisory Authority (72 hours)
| |
| v
+--> High Risk --> Notify Supervisory Authority (72 hours)
AND notify affected data subjects
|
v
[Prepare Supervisory Authority Notification]
- Nature of the breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Name and contact details of DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach
|
v
[Submit Notification to Lead Supervisory Authority]
|
v
[If High Risk: Notify Data Subjects]
- Clear and plain language
- Description of breach
- DPO contact information
- Likely consequences
- Measures taken to mitigate
|
v
[Conduct Post-Breach Review]
- Root cause analysis
- Control improvements
- Update breach register
|
v
EndWorkflow 3: Data Protection Impact Assessment (DPIA)
Start
|
v
[Identify Processing Activity]
|
v
[Screen Against DPIA Criteria]
- Profiling or automated decision-making?
- Large-scale special category data?
- Systematic monitoring of public areas?
- New technology application?
- Cross-border data transfer?
- Vulnerable data subjects?
|
+--> [No DPIA triggers] --> Document screening decision --> End
|
+--> [DPIA required]
|
v
[Describe Processing Operation]
- Purpose and scope
- Data elements collected
- Data subjects categories
- Recipients and transfers
- Retention period
- Technology used
|
v
[Assess Necessity and Proportionality]
- Is processing necessary for the purpose?
- Could purpose be achieved with less data?
- Is lawful basis appropriate?
- Are data subject rights supported?
|
v
[Identify and Assess Risks]
- Risks to confidentiality
- Risks to integrity
- Risks to availability
- Risks to rights and freedoms
- Likelihood and severity of each risk
|
v
[Identify Mitigation Measures]
- Technical measures (encryption, pseudonymization, access controls)
- Organizational measures (policies, training, DPO oversight)
- Contractual measures (DPAs, SCCs)
|
v
[Determine Residual Risk]
|
+--> [Residual Risk Acceptable] --> Approve and proceed
|
+--> [Residual Risk High] --> Consult DPO
| |
| +--> [Can mitigate further] --> Add measures
| |
| +--> [Cannot mitigate] --> Prior consultation
| with Supervisory Authority (Art. 36)
|
v
[Document DPIA]
- Keep under review
- Reassess when processing changes
|
v
EndWorkflow 4: International Data Transfer Assessment
Start
|
v
[Identify Cross-Border Transfer]
- Data flowing outside EEA
- Cloud services in non-EEA regions
- Group company data sharing
- Vendor/processor locations
|
v
[Check Adequacy Decision]
- Is destination country on EU adequacy list?
- (Andorra, Argentina, Canada, Faroe Islands, Guernsey,
Israel, Isle of Man, Japan, Jersey, New Zealand, Republic
of Korea, Switzerland, UK, Uruguay, US under DPF)
|
+--> [Adequate] --> Document and proceed
|
+--> [Not Adequate]
|
v
[Select Transfer Mechanism]
|
+--> Standard Contractual Clauses (SCCs)
+--> Binding Corporate Rules (BCRs)
+--> Approved Code of Conduct
+--> Certification Mechanism
+--> Derogations (Art. 49) - limited circumstances
|
v
[Conduct Transfer Impact Assessment (TIA)]
- Laws of destination country
- Government surveillance powers
- Data protection standards
- Access by public authorities
|
v
[Identify Supplementary Measures]
- Technical: encryption with EEA-held keys
- Contractual: additional processor obligations
- Organizational: policies limiting access
|
v
[Document Transfer Mechanism]
- Signed SCCs with correct module
- TIA findings and conclusions
- Supplementary measures implemented
|
v
EndWorkflow 5: Records of Processing Activities (ROPA)
Start
|
v
[Identify All Processing Activities]
- Interview business units
- Review system inventory
- Analyze data flows
- Check vendor agreements
|
v
[For Each Processing Activity Document:]
|
v
[Controller Record (Art. 30(1))]
- Name and contact details of controller (and DPO)
- Purposes of processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Transfers to third countries (safeguards)
- Retention periods
- Technical and organizational security measures
|
v
[Processor Record (Art. 30(2))]
- Name and contact details of processor and controller
- Categories of processing carried out
- Transfers to third countries (safeguards)
- Technical and organizational security measures
|
v
[Maintain and Update ROPA]
- Review quarterly or when processing changes
- Update for new systems, vendors, purposes
- Make available to supervisory authority on request
|
v
EndScripts 2
agent.py9.1 KB
#!/usr/bin/env python3
"""Agent for assessing and managing GDPR data protection compliance."""
import json
import argparse
import re
from datetime import datetime
from collections import Counter
GDPR_ARTICLES = {
"Art5": "Principles of processing",
"Art6": "Lawful basis",
"Art13": "Information to data subject (direct collection)",
"Art14": "Information to data subject (indirect collection)",
"Art15": "Right of access",
"Art17": "Right to erasure",
"Art20": "Right to data portability",
"Art25": "Data protection by design and by default",
"Art30": "Records of processing activities",
"Art32": "Security of processing",
"Art33": "Breach notification (72h to DPA)",
"Art34": "Breach communication to data subjects",
"Art35": "Data Protection Impact Assessment",
"Art44": "Cross-border transfer principles",
}
PII_PATTERNS = {
"email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b",
"phone_eu": r"\b\+?[0-9]{1,3}[\s.-]?[0-9]{6,14}\b",
"iban": r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b",
"ip_address": r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",
"date_of_birth": r"\b\d{2}[/.-]\d{2}[/.-]\d{4}\b",
"national_id": r"\b\d{3}-\d{2}-\d{4}\b",
"passport": r"\b[A-Z]{1,2}\d{6,9}\b",
}
def scan_for_pii(file_path, max_bytes=1024 * 1024):
"""Scan a file for GDPR-relevant personal data patterns."""
try:
with open(file_path, "r", encoding="utf-8", errors="ignore") as f:
content = f.read(max_bytes)
except (OSError, PermissionError):
return None
matches = {}
for pii_type, pattern in PII_PATTERNS.items():
found = re.findall(pattern, content)
if found:
matches[pii_type] = len(found)
if not matches:
return None
return {"file": str(file_path), "pii_types": matches,
"total_matches": sum(matches.values()),
"category": classify_data_category(matches)}
def classify_data_category(matches):
"""Classify data into GDPR special categories."""
if any(k in matches for k in ["national_id", "passport"]):
return "special_category"
if "iban" in matches:
return "financial"
return "standard_personal_data"
def assess_ropa_completeness(ropa_json):
"""Assess Records of Processing Activities (ROPA) completeness per Art 30."""
with open(ropa_json) as f:
ropa = json.load(f)
required_fields = [
"controller_name", "purposes", "data_categories", "data_subjects",
"recipients", "transfers", "retention_periods", "security_measures",
]
findings = []
activities = ropa if isinstance(ropa, list) else ropa.get("activities", [])
for activity in activities:
missing = [f for f in required_fields if not activity.get(f)]
findings.append({
"activity": activity.get("name", activity.get("purpose", "unknown")),
"complete": len(missing) == 0,
"missing_fields": missing,
"compliance": "COMPLIANT" if not missing else "NON_COMPLIANT",
})
total = len(findings)
compliant = sum(1 for f in findings if f["compliance"] == "COMPLIANT")
return {
"activities_assessed": total,
"compliant": compliant,
"compliance_rate": round(compliant / total * 100, 1) if total else 0,
"details": findings,
}
def assess_dsr_handling(dsr_log_path):
"""Assess Data Subject Request handling compliance."""
with open(dsr_log_path) as f:
requests_log = json.load(f)
dsrs = requests_log if isinstance(requests_log, list) else requests_log.get("requests", [])
findings = []
for dsr in dsrs:
received = datetime.fromisoformat(dsr.get("received_date", "2024-01-01"))
completed = dsr.get("completed_date")
if completed:
completed_dt = datetime.fromisoformat(completed)
days = (completed_dt - received).days
else:
days = (datetime.utcnow() - received).days
overdue = days > 30 # GDPR requires response within one month
findings.append({
"request_id": dsr.get("id", ""),
"type": dsr.get("type", dsr.get("right", "")),
"status": dsr.get("status", "pending"),
"days_elapsed": days,
"overdue": overdue,
"severity": "HIGH" if overdue else "INFO",
})
overdue_count = sum(1 for f in findings if f["overdue"])
return {
"total_requests": len(findings),
"overdue": overdue_count,
"by_type": dict(Counter(f["type"] for f in findings)),
"details": findings,
}
def assess_breach_notification_readiness(breach_log_path):
"""Assess breach notification compliance (Art 33/34)."""
with open(breach_log_path) as f:
breaches = json.load(f)
breach_list = breaches if isinstance(breaches, list) else breaches.get("breaches", [])
findings = []
for breach in breach_list:
detected = datetime.fromisoformat(breach.get("detected", "2024-01-01"))
notified = breach.get("dpa_notified")
if notified:
notified_dt = datetime.fromisoformat(notified)
hours = (notified_dt - detected).total_seconds() / 3600
else:
hours = None
compliant = hours is not None and hours <= 72
findings.append({
"breach_id": breach.get("id", ""),
"detected": str(detected),
"notification_hours": round(hours, 1) if hours else None,
"art33_compliant": compliant,
"data_subjects_affected": breach.get("subjects_affected", 0),
"severity": breach.get("severity", "HIGH"),
})
return {"total_breaches": len(findings), "details": findings,
"art33_compliance_rate": round(
sum(1 for f in findings if f["art33_compliant"]) / len(findings) * 100, 1
) if findings else 0}
def generate_art32_checklist():
"""Generate Article 32 security measures compliance checklist."""
return {
"encryption": {
"data_at_rest": {"required": True, "standard": "AES-256"},
"data_in_transit": {"required": True, "standard": "TLS 1.2+"},
"key_management": {"required": True, "standard": "HSM or KMS"},
},
"pseudonymization": {
"tokenization": {"required": True},
"key_separation": {"required": True},
},
"access_controls": {
"rbac": {"required": True},
"mfa": {"required": True},
"least_privilege": {"required": True},
"access_reviews": {"required": True, "frequency": "quarterly"},
},
"resilience": {
"backup_strategy": {"required": True},
"disaster_recovery": {"required": True, "rto": "4h", "rpo": "1h"},
"business_continuity": {"required": True},
},
"testing": {
"penetration_testing": {"required": True, "frequency": "annual"},
"vulnerability_scanning": {"required": True, "frequency": "monthly"},
"security_awareness": {"required": True, "frequency": "annual"},
},
}
def main():
parser = argparse.ArgumentParser(description="GDPR Data Protection Agent")
parser.add_argument("--scan-pii", help="File or directory to scan for PII")
parser.add_argument("--ropa", help="ROPA JSON file for completeness check")
parser.add_argument("--dsr-log", help="Data Subject Request log JSON")
parser.add_argument("--breach-log", help="Breach notification log JSON")
parser.add_argument("--action", choices=["scan", "ropa", "dsr", "breach",
"art32", "full"], default="full")
parser.add_argument("--output", default="gdpr_compliance_report.json")
args = parser.parse_args()
report = {"generated_at": datetime.utcnow().isoformat(), "results": {}}
if args.action in ("scan", "full") and args.scan_pii:
result = scan_for_pii(args.scan_pii)
report["results"]["pii_scan"] = result
if result:
print(f"[+] PII found: {result['total_matches']} matches ({result['category']})")
else:
print("[+] No PII detected")
if args.action in ("ropa", "full") and args.ropa:
result = assess_ropa_completeness(args.ropa)
report["results"]["ropa"] = result
print(f"[+] ROPA compliance: {result['compliance_rate']}%")
if args.action in ("dsr", "full") and args.dsr_log:
result = assess_dsr_handling(args.dsr_log)
report["results"]["dsr"] = result
print(f"[+] DSRs: {result['total_requests']} total, {result['overdue']} overdue")
if args.action in ("breach", "full") and args.breach_log:
result = assess_breach_notification_readiness(args.breach_log)
report["results"]["breach"] = result
print(f"[+] Art 33 compliance rate: {result['art33_compliance_rate']}%")
if args.action in ("art32", "full"):
checklist = generate_art32_checklist()
report["results"]["art32_checklist"] = checklist
print("[+] Article 32 security checklist generated")
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py21.6 KB
#!/usr/bin/env python3
"""
GDPR Data Protection Compliance Automation
Automates data mapping, ROPA creation, DPIA assessment, data subject
request tracking, breach notification management, and compliance reporting.
"""
import json
import csv
import os
from datetime import datetime, timedelta
from pathlib import Path
from dataclasses import dataclass, field, asdict
from enum import Enum
from typing import Optional
class LawfulBasis(Enum):
CONSENT = "Consent (Art. 6(1)(a))"
CONTRACT = "Contract (Art. 6(1)(b))"
LEGAL_OBLIGATION = "Legal Obligation (Art. 6(1)(c))"
VITAL_INTERESTS = "Vital Interests (Art. 6(1)(d))"
PUBLIC_TASK = "Public Task (Art. 6(1)(e))"
LEGITIMATE_INTEREST = "Legitimate Interest (Art. 6(1)(f))"
class DSRType(Enum):
ACCESS = "Right of Access (Art. 15)"
RECTIFICATION = "Right to Rectification (Art. 16)"
ERASURE = "Right to Erasure (Art. 17)"
RESTRICTION = "Right to Restriction (Art. 18)"
PORTABILITY = "Right to Data Portability (Art. 20)"
OBJECTION = "Right to Object (Art. 21)"
AUTOMATED = "Automated Decision-Making (Art. 22)"
class BreachSeverity(Enum):
NO_RISK = "No Risk"
RISK = "Risk to Rights and Freedoms"
HIGH_RISK = "High Risk to Rights and Freedoms"
class TransferMechanism(Enum):
ADEQUACY = "Adequacy Decision (Art. 45)"
SCCS = "Standard Contractual Clauses (Art. 46(2)(c))"
BCRS = "Binding Corporate Rules (Art. 47)"
CONSENT = "Explicit Consent (Art. 49(1)(a))"
CONTRACT = "Necessary for Contract (Art. 49(1)(b))"
DEROGATION = "Other Derogation (Art. 49)"
ADEQUATE_COUNTRIES = [
"Andorra", "Argentina", "Canada", "Faroe Islands", "Guernsey",
"Israel", "Isle of Man", "Japan", "Jersey", "New Zealand",
"Republic of Korea", "Switzerland", "United Kingdom", "Uruguay",
"United States (Data Privacy Framework participants)"
]
@dataclass
class ProcessingActivity:
activity_id: str
name: str
purpose: str
lawful_basis: str
data_subjects: list
personal_data_categories: list
special_categories: bool = False
recipients: list = field(default_factory=list)
international_transfers: list = field(default_factory=list)
retention_period: str = ""
systems: list = field(default_factory=list)
security_measures: list = field(default_factory=list)
dpia_required: bool = False
controller_name: str = ""
processor_name: str = ""
@dataclass
class DataSubjectRequest:
dsr_id: str
request_type: str
data_subject_name: str
data_subject_email: str
received_date: str
identity_verified: bool = False
identity_verified_date: str = ""
deadline: str = ""
status: str = "Received"
systems_searched: list = field(default_factory=list)
response_date: str = ""
notes: str = ""
def __post_init__(self):
if not self.deadline and self.received_date:
received = datetime.strptime(self.received_date, "%Y-%m-%d")
self.deadline = (received + timedelta(days=30)).strftime("%Y-%m-%d")
@dataclass
class BreachRecord:
breach_id: str
detected_date: str
detected_time: str
description: str
data_categories: list
subjects_affected: int
severity: str
notification_deadline: str = ""
authority_notified: bool = False
authority_notification_date: str = ""
subjects_notified: bool = False
subjects_notification_date: str = ""
root_cause: str = ""
remediation: str = ""
status: str = "Investigating"
def __post_init__(self):
if not self.notification_deadline and self.detected_date:
detected = datetime.strptime(self.detected_date, "%Y-%m-%d")
self.notification_deadline = (detected + timedelta(hours=72)).strftime("%Y-%m-%d %H:%M")
@dataclass
class DPIARecord:
dpia_id: str
processing_activity: str
description: str
necessity_assessment: str
risks_identified: list
mitigation_measures: list
residual_risk: str
dpo_consultation: bool = False
authority_consultation: bool = False
approved: bool = False
approval_date: str = ""
reviewer: str = ""
class GDPRComplianceManager:
"""Manages GDPR compliance controls and tracking."""
def __init__(self, output_dir: str = "./gdpr_output"):
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.processing_activities: list[ProcessingActivity] = []
self.dsr_log: list[DataSubjectRequest] = []
self.breach_register: list[BreachRecord] = []
self.dpia_register: list[DPIARecord] = []
def create_ropa(self, activities: list[dict]) -> list[ProcessingActivity]:
"""Create Records of Processing Activities (Art. 30)."""
print("\n" + "=" * 70)
print("RECORDS OF PROCESSING ACTIVITIES (ROPA)")
print("=" * 70)
for act_data in activities:
activity = ProcessingActivity(**act_data)
self.processing_activities.append(activity)
print(f"\n [{activity.activity_id}] {activity.name}")
print(f" Purpose: {activity.purpose}")
print(f" Lawful Basis: {activity.lawful_basis}")
print(f" Data Subjects: {', '.join(activity.data_subjects)}")
print(f" Special Categories: {'Yes' if activity.special_categories else 'No'}")
print(f" International Transfers: {'Yes' if activity.international_transfers else 'No'}")
print(f" DPIA Required: {'Yes' if activity.dpia_required else 'No'}")
# Summary statistics
total = len(self.processing_activities)
special = sum(1 for a in self.processing_activities if a.special_categories)
transfers = sum(1 for a in self.processing_activities if a.international_transfers)
dpia_needed = sum(1 for a in self.processing_activities if a.dpia_required)
print(f"\n ROPA Summary:")
print(f" Total Processing Activities: {total}")
print(f" Special Category Processing: {special}")
print(f" International Transfers: {transfers}")
print(f" DPIA Required: {dpia_needed}")
# Lawful basis breakdown
basis_counts = {}
for a in self.processing_activities:
basis_counts.setdefault(a.lawful_basis, 0)
basis_counts[a.lawful_basis] += 1
print(f"\n Lawful Basis Breakdown:")
for basis, count in basis_counts.items():
print(f" {basis}: {count}")
# Save ROPA
ropa_path = self.output_dir / "ropa.json"
with open(ropa_path, "w") as f:
json.dump([asdict(a) for a in self.processing_activities], f, indent=2)
csv_path = self.output_dir / "ropa.csv"
with open(csv_path, "w", newline="", encoding="utf-8") as f:
writer = csv.writer(f)
writer.writerow([
"Activity ID", "Name", "Purpose", "Lawful Basis",
"Data Subjects", "Personal Data Categories", "Special Categories",
"Recipients", "International Transfers", "Retention Period",
"Systems", "Security Measures", "DPIA Required"
])
for a in self.processing_activities:
writer.writerow([
a.activity_id, a.name, a.purpose, a.lawful_basis,
"; ".join(a.data_subjects), "; ".join(a.personal_data_categories),
"Yes" if a.special_categories else "No",
"; ".join(a.recipients), "; ".join(a.international_transfers),
a.retention_period, "; ".join(a.systems),
"; ".join(a.security_measures), "Yes" if a.dpia_required else "No"
])
print(f"\n ROPA saved to: {ropa_path}")
return self.processing_activities
def process_dsr(self, requests: list[dict]) -> dict:
"""Track and manage data subject requests."""
print("\n" + "=" * 70)
print("DATA SUBJECT REQUEST TRACKER")
print("=" * 70)
for req_data in requests:
dsr = DataSubjectRequest(**req_data)
self.dsr_log.append(dsr)
print(f"\n [{dsr.dsr_id}] {dsr.request_type}")
print(f" Subject: {dsr.data_subject_name}")
print(f" Received: {dsr.received_date}")
print(f" Deadline: {dsr.deadline}")
print(f" Status: {dsr.status}")
print(f" Identity Verified: {'Yes' if dsr.identity_verified else 'No'}")
# Overdue check
today = datetime.now().strftime("%Y-%m-%d")
overdue = [d for d in self.dsr_log if d.deadline < today and d.status != "Completed"]
if overdue:
print(f"\n ALERT: {len(overdue)} overdue DSRs!")
for d in overdue:
print(f" [{d.dsr_id}] {d.request_type} - Deadline: {d.deadline}")
# Summary
type_counts = {}
for d in self.dsr_log:
type_counts.setdefault(d.request_type, 0)
type_counts[d.request_type] += 1
print(f"\n DSR Summary:")
for rtype, count in type_counts.items():
print(f" {rtype}: {count}")
print(f" Total: {len(self.dsr_log)}")
print(f" Overdue: {len(overdue)}")
dsr_path = self.output_dir / "dsr_log.json"
with open(dsr_path, "w") as f:
json.dump([asdict(d) for d in self.dsr_log], f, indent=2)
print(f"\n DSR Log saved to: {dsr_path}")
return {"total": len(self.dsr_log), "overdue": len(overdue), "by_type": type_counts}
def manage_breach(self, breaches: list[dict]) -> list[BreachRecord]:
"""Manage breach register and notification tracking."""
print("\n" + "=" * 70)
print("BREACH REGISTER AND NOTIFICATION TRACKER")
print("=" * 70)
for breach_data in breaches:
breach = BreachRecord(**breach_data)
self.breach_register.append(breach)
print(f"\n [{breach.breach_id}] {breach.description[:60]}...")
print(f" Detected: {breach.detected_date} {breach.detected_time}")
print(f" Severity: {breach.severity}")
print(f" Subjects Affected: {breach.subjects_affected}")
print(f" Notification Deadline: {breach.notification_deadline}")
print(f" Authority Notified: {'Yes' if breach.authority_notified else 'No'}")
if breach.severity == BreachSeverity.HIGH_RISK.value:
print(f" Subjects Notified: {'Yes' if breach.subjects_notified else 'No'}")
print(f" Status: {breach.status}")
breach_path = self.output_dir / "breach_register.json"
with open(breach_path, "w") as f:
json.dump([asdict(b) for b in self.breach_register], f, indent=2)
print(f"\n Breach Register saved to: {breach_path}")
return self.breach_register
def conduct_dpia(self, dpias: list[dict]) -> list[DPIARecord]:
"""Conduct and record Data Protection Impact Assessments."""
print("\n" + "=" * 70)
print("DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)")
print("=" * 70)
for dpia_data in dpias:
dpia = DPIARecord(**dpia_data)
self.dpia_register.append(dpia)
print(f"\n [{dpia.dpia_id}] {dpia.processing_activity}")
print(f" Description: {dpia.description[:60]}...")
print(f" Risks Identified: {len(dpia.risks_identified)}")
print(f" Mitigation Measures: {len(dpia.mitigation_measures)}")
print(f" Residual Risk: {dpia.residual_risk}")
print(f" DPO Consulted: {'Yes' if dpia.dpo_consultation else 'No'}")
print(f" Approved: {'Yes' if dpia.approved else 'No'}")
dpia_path = self.output_dir / "dpia_register.json"
with open(dpia_path, "w") as f:
json.dump([asdict(d) for d in self.dpia_register], f, indent=2)
print(f"\n DPIA Register saved to: {dpia_path}")
return self.dpia_register
def assess_compliance(self) -> dict:
"""Generate overall GDPR compliance assessment."""
print("\n" + "=" * 70)
print("GDPR COMPLIANCE ASSESSMENT")
print("=" * 70)
checks = {
"Article 5 - Principles": {
"All processing has documented lawful basis": bool(self.processing_activities),
"Purpose limitation documented for each activity": False,
"Data minimization assessed": False,
"Accuracy procedures in place": False,
"Retention periods defined": any(a.retention_period for a in self.processing_activities),
"Security measures documented": any(a.security_measures for a in self.processing_activities),
},
"Article 25 - Privacy by Design": {
"Development processes include privacy reviews": False,
"Default privacy settings implemented": False,
"Data minimization built into systems": False,
},
"Article 30 - ROPA": {
"Records of processing maintained": bool(self.processing_activities),
"Controller details documented": any(a.controller_name for a in self.processing_activities),
"All processing activities captured": len(self.processing_activities) > 0,
},
"Article 32 - Security Measures": {
"Encryption implemented for personal data": False,
"Pseudonymization implemented where appropriate": False,
"Access controls for personal data systems": False,
"Regular security testing performed": False,
},
"Articles 33-34 - Breach Notification": {
"Breach detection capabilities in place": False,
"72-hour notification process documented": False,
"Breach register maintained": bool(self.breach_register),
"Breach response tested": False,
},
"Article 35 - DPIA": {
"DPIA criteria documented": False,
"DPIAs conducted for high-risk processing": bool(self.dpia_register),
"DPO consulted on DPIAs": any(d.dpo_consultation for d in self.dpia_register),
},
"Articles 12-22 - Data Subject Rights": {
"DSR handling process documented": False,
"30-day response capability": bool(self.dsr_log),
"Identity verification process": any(d.identity_verified for d in self.dsr_log),
"Erasure capability across systems": False,
"Portability export capability": False,
},
"Articles 44-49 - International Transfers": {
"Cross-border transfers mapped": any(a.international_transfers for a in self.processing_activities),
"Transfer mechanisms in place (SCCs/BCRs)": False,
"Transfer impact assessments conducted": False,
},
}
total = sum(len(v) for v in checks.values())
passed = sum(sum(1 for x in v.values() if x) for v in checks.values())
pct = (passed / total * 100) if total > 0 else 0
print(f"\n Compliance Score: {passed}/{total} ({pct:.1f}%)")
for article, items in checks.items():
cat_passed = sum(1 for x in items.values() if x)
cat_total = len(items)
print(f"\n {article} ({cat_passed}/{cat_total}):")
for item, status in items.items():
icon = "[PASS]" if status else "[FAIL]"
print(f" {icon} {item}")
report = {
"date": datetime.now().isoformat(),
"compliance_percentage": pct,
"checks": checks,
"ropa_count": len(self.processing_activities),
"dsr_count": len(self.dsr_log),
"breach_count": len(self.breach_register),
"dpia_count": len(self.dpia_register),
}
report_path = self.output_dir / "gdpr_compliance_report.json"
with open(report_path, "w") as f:
json.dump(report, f, indent=2)
print(f"\n Compliance Report saved to: {report_path}")
return report
def main():
"""Run GDPR compliance assessment."""
manager = GDPRComplianceManager()
# ROPA
sample_activities = [
{
"activity_id": "PROC-001",
"name": "Customer Account Management",
"purpose": "Managing customer accounts and providing services",
"lawful_basis": LawfulBasis.CONTRACT.value,
"data_subjects": ["Customers"],
"personal_data_categories": ["Name", "Email", "Phone", "Address", "Payment details"],
"recipients": ["Payment processor", "CRM provider"],
"international_transfers": ["US (Payment processor - SCCs)"],
"retention_period": "Duration of contract + 6 years",
"systems": ["CRM", "Payment gateway", "Database"],
"security_measures": ["Encryption at rest", "TLS in transit", "RBAC", "MFA"],
"controller_name": "Example Corp Ltd",
},
{
"activity_id": "PROC-002",
"name": "Employee HR Processing",
"purpose": "Employment administration, payroll, benefits",
"lawful_basis": LawfulBasis.CONTRACT.value,
"data_subjects": ["Employees", "Job applicants"],
"personal_data_categories": ["Name", "Address", "DOB", "NI number", "Bank details", "Health data"],
"special_categories": True,
"recipients": ["Payroll provider", "Pension provider", "HMRC"],
"retention_period": "Employment + 7 years",
"systems": ["HRIS", "Payroll system"],
"security_measures": ["Encryption", "Access controls", "Audit logging"],
"dpia_required": True,
"controller_name": "Example Corp Ltd",
},
{
"activity_id": "PROC-003",
"name": "Website Analytics",
"purpose": "Analyzing website usage to improve user experience",
"lawful_basis": LawfulBasis.CONSENT.value,
"data_subjects": ["Website visitors"],
"personal_data_categories": ["IP address", "Cookie identifiers", "Browsing behavior"],
"recipients": ["Analytics provider"],
"international_transfers": ["US (Analytics provider - EU-US DPF)"],
"retention_period": "26 months",
"systems": ["Website", "Analytics platform"],
"security_measures": ["IP anonymization", "Cookie consent", "Data pseudonymization"],
"controller_name": "Example Corp Ltd",
},
]
manager.create_ropa(sample_activities)
# DSRs
sample_dsrs = [
{
"dsr_id": "DSR-001",
"request_type": DSRType.ACCESS.value,
"data_subject_name": "John Smith",
"data_subject_email": "john.smith@email.com",
"received_date": "2024-12-01",
"identity_verified": True,
"identity_verified_date": "2024-12-02",
"status": "In Progress",
"systems_searched": ["CRM", "Email", "Analytics"],
},
{
"dsr_id": "DSR-002",
"request_type": DSRType.ERASURE.value,
"data_subject_name": "Jane Doe",
"data_subject_email": "jane.doe@email.com",
"received_date": "2024-12-15",
"identity_verified": True,
"identity_verified_date": "2024-12-16",
"status": "Completed",
"response_date": "2024-12-28",
},
]
manager.process_dsr(sample_dsrs)
# Breaches
sample_breaches = [
{
"breach_id": "BREACH-001",
"detected_date": "2024-11-15",
"detected_time": "14:30",
"description": "Unauthorized access to customer database via compromised admin credentials",
"data_categories": ["Name", "Email", "Phone"],
"subjects_affected": 2500,
"severity": BreachSeverity.HIGH_RISK.value,
"authority_notified": True,
"authority_notification_date": "2024-11-16",
"subjects_notified": True,
"subjects_notification_date": "2024-11-18",
"root_cause": "Credential compromise via phishing",
"remediation": "MFA enforced, passwords reset, phishing training deployed",
"status": "Closed",
},
]
manager.manage_breach(sample_breaches)
# DPIAs
sample_dpias = [
{
"dpia_id": "DPIA-001",
"processing_activity": "Employee HR Processing",
"description": "Processing of employee health data for occupational health and benefits administration",
"necessity_assessment": "Processing is necessary for employment contract and legal obligations",
"risks_identified": [
"Unauthorized access to health data",
"Data breach exposing sensitive employee information",
"Excessive data collection beyond what is necessary",
],
"mitigation_measures": [
"Encryption of all health data at rest and in transit",
"Strict RBAC limiting access to HR and OH staff only",
"Audit logging of all access to health records",
"Annual access reviews",
"Staff training on handling special category data",
],
"residual_risk": "Low",
"dpo_consultation": True,
"approved": True,
"approval_date": "2024-06-15",
"reviewer": "DPO",
},
]
manager.conduct_dpia(sample_dpias)
# Overall compliance assessment
manager.assess_compliance()
print("\n" + "=" * 70)
print("GDPR COMPLIANCE ASSESSMENT COMPLETE")
print("=" * 70)
if __name__ == "__main__":
main()