Compliance Check

1---2name: compliance-check3description: Run a compliance check on a proposed action, product feature, or business initiative, surfacing applicable regulations, required approvals, and risk areas. Use when launching a feature that touches personal data, when marketing or product proposes something with regulatory implications, or when you need to know which approvals and jurisdictional requirements apply before proceeding.4argument-hint: "<action or initiative to check>"5---6 7# /compliance-check -- Compliance Review8 9> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).10 11Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.12 13**Important**: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.14 15## Usage16 17```18/compliance-check $ARGUMENTS19```20 21## What I Need From You22 23Describe what you're planning to do. Examples:24- "We want to launch a referral program with cash rewards"25- "We're adding biometric authentication to our mobile app"26- "We need to process EU customer data in our US data center"27- "Marketing wants to use customer testimonials in ads"28 29## Output30 31```markdown32## Compliance Check: [Initiative]33 34### Summary35[Quick assessment: Proceed / Proceed with conditions / Requires further review]36 37### Applicable Regulations and Policies38| Regulation/Policy | Relevance | Key Requirements |39|-------------------|-----------|-----------------|40| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |41 42### Requirements43| # | Requirement | Status | Action Needed |44|---|-------------|--------|---------------|45| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |46 47### Risk Areas48| Risk | Severity | Mitigation |49|------|----------|------------|50| [Risk] | [High/Med/Low] | [How to address] |51 52### Recommended Actions531. [Most important action]542. [Second priority]553. [Third priority]56 57### Approvals Needed58| Approver | Why | Status |59|----------|-----|--------|60| [Person/Team] | [Reason] | [Pending] |61 62### Further Review Recommended63[Areas where outside counsel or specialist review is advised]64```65 66## Privacy Regulation Overview67 68### GDPR (General Data Protection Regulation)69 70**Scope**: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.71 72**Key Obligations for In-House Legal Teams**:73- **Lawful basis**: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)74- **Data subject rights**: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)75- **Data protection impact assessments (DPIAs)**: Required for processing likely to result in high risk to individuals76- **Breach notification**: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk77- **Records of processing**: Maintain Article 30 records of processing activities78- **International transfers**: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)79- **DPO requirement**: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)80 81**Common In-House Legal Touchpoints**:82- Reviewing vendor DPAs for GDPR compliance83- Advising product teams on privacy by design requirements84- Responding to supervisory authority inquiries85- Managing cross-border data transfer mechanisms86- Reviewing consent mechanisms and privacy notices87 88### CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)89 90**Scope**: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.91 92**Key Obligations**:93- **Right to know**: Consumers can request disclosure of personal information collected, used, and shared94- **Right to delete**: Consumers can request deletion of their personal information95- **Right to opt-out**: Consumers can opt out of the sale or sharing of personal information96- **Right to correct**: Consumers can request correction of inaccurate personal information (CPRA addition)97- **Right to limit use of sensitive personal information**: Consumers can limit use of sensitive PI to specific purposes (CPRA addition)98- **Non-discrimination**: Cannot discriminate against consumers who exercise their rights99- **Privacy notice**: Must provide a privacy notice at or before collection describing categories of PI collected and purposes100- **Service provider agreements**: Contracts with service providers must restrict use of PI to the specified business purpose101 102**Response Timelines**:103- Acknowledge receipt within 10 business days104- Respond substantively within 45 calendar days (extendable by 45 days with notice)105 106### Other Key Regulations to Monitor107 108| Regulation | Jurisdiction | Key Differentiators |109|---|---|---|110| **LGPD** (Brazil) | Brazil | Similar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement |111| **POPIA** (South Africa) | South Africa | Information Regulator oversight; required registration of processing |112| **PIPEDA** (Canada) | Canada (federal) | Consent-based framework; OPC oversight; being modernized |113| **PDPA** (Singapore) | Singapore | Do Not Call registry; mandatory breach notification; PDPC enforcement |114| **Privacy Act** (Australia) | Australia | Australian Privacy Principles (APPs); notifiable data breaches scheme |115| **PIPL** (China) | China | Strict cross-border transfer rules; data localization requirements; CAC oversight |116| **UK GDPR** | United Kingdom | Post-Brexit UK version; ICO oversight; similar to EU GDPR with UK-specific adequacy |117 118## DPA Review Checklist119 120When reviewing a Data Processing Agreement or Data Processing Addendum, verify the following:121 122### Required Elements (GDPR Article 28)123 124- [ ] **Subject matter and duration**: Clearly defined scope and term of processing125- [ ] **Nature and purpose**: Specific description of what processing will occur and why126- [ ] **Type of personal data**: Categories of personal data being processed127- [ ] **Categories of data subjects**: Whose personal data is being processed128- [ ] **Controller obligations and rights**: Controller's instructions and oversight rights129 130### Processor Obligations131 132- [ ] **Process only on documented instructions**: Processor commits to process only per controller's instructions (with exception for legal requirements)133- [ ] **Confidentiality**: Personnel authorized to process have committed to confidentiality134- [ ] **Security measures**: Appropriate technical and organizational measures described (Article 32 reference)135- [ ] **Sub-processor requirements**:136  - [ ] Written authorization requirement (general or specific)137  - [ ] If general authorization: notification of changes with opportunity to object138  - [ ] Sub-processors bound by same obligations via written agreement139  - [ ] Processor remains liable for sub-processor performance140- [ ] **Data subject rights assistance**: Processor will assist controller in responding to data subject requests141- [ ] **Security and breach assistance**: Processor will assist with security obligations, breach notification, DPIAs, and prior consultation142- [ ] **Deletion or return**: On termination, delete or return all personal data (at controller's choice) and delete existing copies unless legal retention required143- [ ] **Audit rights**: Controller has right to conduct audits and inspections (or accept third-party audit reports)144- [ ] **Breach notification**: Processor will notify controller of personal data breaches without undue delay (ideally within 24-48 hours; must enable controller to meet 72-hour regulatory deadline)145 146### International Transfers147 148- [ ] **Transfer mechanism identified**: SCCs, adequacy decision, BCRs, or other valid mechanism149- [ ] **SCCs version**: Using current EU SCCs (June 2021 version) if applicable150- [ ] **Correct module**: Appropriate SCC module selected (C2P, C2C, P2P, P2C)151- [ ] **Transfer impact assessment**: Completed if transferring to countries without adequacy decisions152- [ ] **Supplementary measures**: Technical, organizational, or contractual measures to address gaps identified in transfer impact assessment153- [ ] **UK addendum**: If UK personal data is in scope, UK International Data Transfer Addendum included154 155### Practical Considerations156 157- [ ] **Liability**: DPA liability provisions align with (or don't conflict with) the main services agreement158- [ ] **Termination alignment**: DPA term aligns with the services agreement159- [ ] **Data locations**: Processing locations specified and acceptable160- [ ] **Security standards**: Specific security standards or certifications required (SOC 2, ISO 27001, etc.)161- [ ] **Insurance**: Adequate insurance coverage for data processing activities162 163### Common DPA Issues164 165| Issue | Risk | Standard Position |166|---|---|---|167| Blanket sub-processor authorization without notification | Loss of control over processing chain | Require notification with right to object |168| Breach notification timeline > 72 hours | May prevent timely regulatory notification | Require notification within 24-48 hours |169| No audit rights (or audit rights only via third-party reports) | Cannot verify compliance | Accept SOC 2 Type II + right to audit upon cause |170| Data deletion timeline not specified | Data retained indefinitely | Require deletion within 30-90 days of termination |171| No data processing locations specified | Data could be processed anywhere | Require disclosure of processing locations |172| Outdated SCCs | Invalid transfer mechanism | Require current EU SCCs (2021 version) |173 174## Data Subject Request Handling175 176### Request Intake177 178When a data subject request is received:179 1801. **Identify the request type**:181   - Access (copy of personal data)182   - Rectification (correction of inaccurate data)183   - Erasure / deletion ("right to be forgotten")184   - Restriction of processing185   - Data portability (structured, machine-readable format)186   - Objection to processing187   - Opt-out of sale/sharing (CCPA/CPRA)188   - Limit use of sensitive personal information (CPRA)189 1902. **Identify applicable regulation(s)**:191   - Where is the data subject located?192   - Which laws apply based on your organization's presence and activities?193   - What are the specific requirements and timelines?194 1953. **Verify identity**:196   - Confirm the requester is who they claim to be197   - Use reasonable verification measures proportionate to the sensitivity of the data198   - Do not require excessive documentation199 2004. **Log the request**:201   - Date received202   - Request type203   - Requester identity204   - Applicable regulation205   - Response deadline206   - Assigned handler207 208### Response Timelines209 210| Regulation | Initial Acknowledgment | Substantive Response | Extension |211|---|---|---|---|212| GDPR | Not specified (best practice: promptly) | 30 days | +60 days (with notice) |213| CCPA/CPRA | 10 business days | 45 calendar days | +45 days (with notice) |214| UK GDPR | Not specified (best practice: promptly) | 30 days | +60 days (with notice) |215| LGPD | Not specified | 15 days | Limited extensions |216 217### Exemptions and Exceptions218 219Before fulfilling a request, check whether any exemptions apply:220 221**Common exemptions across regulations**:222- Legal claims defense or establishment223- Legal obligations requiring retention224- Public interest or official authority225- Freedom of expression and information (for erasure requests)226- Archiving in the public interest or scientific/historical research227 228**Organization-specific considerations**:229- Litigation hold: Data subject to a legal hold cannot be deleted230- Regulatory retention: Financial records, employment records, and other categories may have mandatory retention periods231- Third-party rights: Fulfilling the request might adversely affect the rights of others232 233### Response Process234 2351. Gather all personal data of the requester across systems2362. Apply any exemptions and document the basis2373. Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled2384. If denying (in whole or part): cite the specific legal basis for denial2395. Inform the requester of their right to lodge a complaint with the supervisory authority2406. Document the response and retain records of the request and response241 242## Regulatory Monitoring Basics243 244### What to Monitor245 246Maintain awareness of developments in:247- **Regulatory guidance**: New or updated guidance from supervisory authorities (ICO, CNIL, FTC, state AGs, etc.)248- **Enforcement actions**: Fines, orders, and settlements that signal regulatory priorities249- **Legislative changes**: New privacy laws, amendments to existing laws, implementing regulations250- **Industry standards**: Updates to ISO 27001, SOC 2, NIST frameworks, and sector-specific requirements251- **Cross-border transfer developments**: Adequacy decisions, SCC updates, data localization requirements252 253### Monitoring Approach254 2551. **Subscribe to regulatory authority communications** (newsletters, RSS feeds, official announcements)2562. **Track relevant legal publications** for analysis of new developments2573. **Review industry association updates** for sector-specific guidance2584. **Maintain a regulatory calendar** of known upcoming deadlines, effective dates, and compliance milestones2595. **Brief the legal team** on material developments that affect the organization's processing activities260 261### Escalation Criteria262 263Escalate regulatory developments to senior counsel or leadership when:264- A new regulation or guidance directly affects the organization's core business activities265- An enforcement action in the organization's sector signals heightened regulatory scrutiny266- A compliance deadline is approaching that requires organizational changes267- A data transfer mechanism the organization relies on is challenged or invalidated268- A regulatory authority initiates an inquiry or investigation involving the organization269 270## Tips271 2721. **Be specific** — "We want to email all our users" is better than "marketing campaign."2732. **Include the geography** — Compliance requirements vary by jurisdiction.2743. **Mention the data** — What personal data is involved? This drives most compliance requirements.