Global Data Privacy Regulations Comparison: GDPR, CCPA, LGPD, and More
Organizations operating globally must navigate multiple data privacy regulations. This guide compares major privacy frameworks and provides implementation strategies for multinational compliance.
Regulation Overview Matrix
| Aspect | GDPR (EU) | CCPA/CPRA (California) | LGPD (Brazil) | PDPA (Singapore) | PIPL (China) | |--------|-----------|------------------------|---------------|------------------|--------------| | Effective Date | May 2018 | Jan 2020 / Jan 2023 | Sep 2020 | Jul 2014 / Nov 2020 | Nov 2021 | | Scope | EU residents | CA residents | Brazil residents | Singapore organizations | China data | | Consent Default | Opt-in | Opt-out | Opt-in | Opt-in | Opt-in | | DPO Required | Sometimes | No | Yes | Sometimes | Yes | | Max Penalty | €20M or 4% revenue | $7,500/violation | 2% revenue | S$1M | 5% revenue |
Unified Privacy Framework
Core Privacy Manager
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Callable
from enum import Enum
import json
class Regulation(Enum):
GDPR = "gdpr"
CCPA = "ccpa"
CPRA = "cpra"
LGPD = "lgpd"
PDPA = "pdpa"
PIPL = "pipl"
class LawfulBasis(Enum):
CONSENT = "consent"
CONTRACT = "contract"
LEGAL_OBLIGATION = "legal_obligation"
VITAL_INTEREST = "vital_interest"
PUBLIC_TASK = "public_task"
LEGITIMATE_INTEREST = "legitimate_interest"
class DataCategory(Enum):
PERSONAL = "personal"
SENSITIVE = "sensitive"
FINANCIAL = "financial"
HEALTH = "health"
BIOMETRIC = "biometric"
GENETIC = "genetic"
CHILDREN = "children"
@dataclass
class DataSubject:
id: str
email: str
country: str
state: Optional[str] = None
is_minor: bool = False
created_at: datetime = field(default_factory=datetime.utcnow)
@dataclass
class ConsentRecord:
id: str
data_subject_id: str
purpose: str
lawful_basis: LawfulBasis
granted: bool
granted_at: Optional[datetime] = None
revoked_at: Optional[datetime] = None
expires_at: Optional[datetime] = None
version: str = "1.0"
proof: Optional[str] = None # Evidence of consent
@dataclass
class DataProcessingActivity:
id: str
name: str
purpose: str
data_categories: List[DataCategory]
lawful_basis: LawfulBasis
retention_period_days: int
cross_border_transfer: bool = False
third_party_sharing: bool = False
automated_decision_making: bool = False
class UnifiedPrivacyManager:
def __init__(self):
self.data_subjects: Dict[str, DataSubject] = {}
self.consents: Dict[str, List[ConsentRecord]] = {}
self.processing_activities: Dict[str, DataProcessingActivity] = {}
self.regulation_handlers: Dict[Regulation, 'RegulationHandler'] = {}
self._initialize_regulation_handlers()
def _initialize_regulation_handlers(self):
"""Initialize handlers for each regulation."""
self.regulation_handlers = {
Regulation.GDPR: GDPRHandler(),
Regulation.CCPA: CCPAHandler(),
Regulation.LGPD: LGPDHandler(),
Regulation.PDPA: PDPAHandler(),
Regulation.PIPL: PIPLHandler()
}
def determine_applicable_regulations(self, data_subject: DataSubject) -> Set[Regulation]:
"""Determine which regulations apply to a data subject."""
applicable = set()
# Country-based determination
country_mapping = {
# EU countries
'AT': Regulation.GDPR, 'BE': Regulation.GDPR, 'BG': Regulation.GDPR,
'HR': Regulation.GDPR, 'CY': Regulation.GDPR, 'CZ': Regulation.GDPR,
'DK': Regulation.GDPR, 'EE': Regulation.GDPR, 'FI': Regulation.GDPR,
'FR': Regulation.GDPR, 'DE': Regulation.GDPR, 'GR': Regulation.GDPR,
'HU': Regulation.GDPR, 'IE': Regulation.GDPR, 'IT': Regulation.GDPR,
'LV': Regulation.GDPR, 'LT': Regulation.GDPR, 'LU': Regulation.GDPR,
'MT': Regulation.GDPR, 'NL': Regulation.GDPR, 'PL': Regulation.GDPR,
'PT': Regulation.GDPR, 'RO': Regulation.GDPR, 'SK': Regulation.GDPR,
'SI': Regulation.GDPR, 'ES': Regulation.GDPR, 'SE': Regulation.GDPR,
# EEA
'IS': Regulation.GDPR, 'LI': Regulation.GDPR, 'NO': Regulation.GDPR,
# Other
'BR': Regulation.LGPD,
'SG': Regulation.PDPA,
'CN': Regulation.PIPL
}
if data_subject.country in country_mapping:
applicable.add(country_mapping[data_subject.country])
# US - California specific
if data_subject.country == 'US' and data_subject.state == 'CA':
applicable.add(Regulation.CCPA)
return applicable
def register_consent(self,
data_subject_id: str,
purpose: str,
lawful_basis: LawfulBasis,
granted: bool,
proof: Optional[str] = None) -> ConsentRecord:
"""Register consent with regulation-specific requirements."""
data_subject = self.data_subjects.get(data_subject_id)
if not data_subject:
raise ValueError(f"Data subject {data_subject_id} not found")
# Determine applicable regulations
regulations = self.determine_applicable_regulations(data_subject)
# Validate consent requirements per regulation
for reg in regulations:
handler = self.regulation_handlers.get(reg)
if handler:
validation = handler.validate_consent(
data_subject, purpose, lawful_basis, granted
)
if not validation['valid']:
raise ValueError(f"{reg.value}: {validation['error']}")
# Create consent record
consent = ConsentRecord(
id=f"consent_{data_subject_id}_{datetime.utcnow().timestamp()}",
data_subject_id=data_subject_id,
purpose=purpose,
lawful_basis=lawful_basis,
granted=granted,
granted_at=datetime.utcnow() if granted else None,
proof=proof
)
# Store consent
if data_subject_id not in self.consents:
self.consents[data_subject_id] = []
self.consents[data_subject_id].append(consent)
# Log for audit
self._audit_log(
action="CONSENT_REGISTERED",
data_subject_id=data_subject_id,
details={
"purpose": purpose,
"granted": granted,
"regulations": [r.value for r in regulations]
}
)
return consent
def process_data_request(self,
data_subject_id: str,
request_type: str) -> Dict:
"""Process data subject request (access, deletion, portability, etc.)."""
data_subject = self.data_subjects.get(data_subject_id)
if not data_subject:
raise ValueError(f"Data subject {data_subject_id} not found")
regulations = self.determine_applicable_regulations(data_subject)
# Get the most stringent requirements
requirements = self._get_request_requirements(regulations, request_type)
# Execute request
result = {
"request_id": f"req_{data_subject_id}_{datetime.utcnow().timestamp()}",
"request_type": request_type,
"data_subject_id": data_subject_id,
"applicable_regulations": [r.value for r in regulations],
"deadline": datetime.utcnow() + timedelta(days=requirements['deadline_days']),
"status": "processing"
}
if request_type == "access":
result["data"] = self._execute_access_request(data_subject_id, regulations)
elif request_type == "deletion":
result["confirmation"] = self._execute_deletion_request(data_subject_id, regulations)
elif request_type == "portability":
result["export"] = self._execute_portability_request(data_subject_id, regulations)
elif request_type == "rectification":
result["status"] = "pending_data"
elif request_type == "opt_out":
result["confirmation"] = self._execute_opt_out_request(data_subject_id, regulations)
# Log for audit
self._audit_log(
action=f"DATA_REQUEST_{request_type.upper()}",
data_subject_id=data_subject_id,
details={"request_id": result["request_id"]}
)
return result
def _get_request_requirements(self,
regulations: Set[Regulation],
request_type: str) -> Dict:
"""Get the most stringent requirements across regulations."""
requirements = {
"deadline_days": 30, # Default
"identity_verification": True,
"free_of_charge": True,
"extensions_allowed": True
}
for reg in regulations:
handler = self.regulation_handlers.get(reg)
if handler:
reg_requirements = handler.get_request_requirements(request_type)
# Take most stringent deadline
if reg_requirements.get('deadline_days', 30) < requirements['deadline_days']:
requirements['deadline_days'] = reg_requirements['deadline_days']
# Take most restrictive options
if not reg_requirements.get('extensions_allowed', True):
requirements['extensions_allowed'] = False
return requirements
def _execute_access_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Execute data access request."""
# Gather all data for the subject
data = {
"personal_data": self._get_personal_data(data_subject_id),
"processing_purposes": self._get_processing_purposes(data_subject_id),
"recipients": self._get_data_recipients(data_subject_id),
"retention_periods": self._get_retention_info(data_subject_id),
"rights": self._get_applicable_rights(regulations),
"consent_records": [
{
"purpose": c.purpose,
"granted": c.granted,
"granted_at": c.granted_at.isoformat() if c.granted_at else None
}
for c in self.consents.get(data_subject_id, [])
]
}
return data
def _execute_deletion_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Execute data deletion request."""
# Check for exceptions
exceptions = self._check_deletion_exceptions(data_subject_id, regulations)
if exceptions:
return {
"deleted": False,
"reason": "Legal exceptions apply",
"exceptions": exceptions
}
# Delete data
deleted_items = []
# Delete personal data
personal_deleted = self._delete_personal_data(data_subject_id)
deleted_items.extend(personal_deleted)
# Delete consent records (after retention period)
consent_deleted = self._archive_consent_records(data_subject_id)
deleted_items.extend(consent_deleted)
# Notify third parties
third_party_notifications = self._notify_third_parties_deletion(data_subject_id)
return {
"deleted": True,
"items_deleted": len(deleted_items),
"third_parties_notified": third_party_notifications,
"completed_at": datetime.utcnow().isoformat()
}
def _execute_portability_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Execute data portability request."""
# Export in machine-readable format
data = self._get_portable_data(data_subject_id)
return {
"format": "json",
"data": data,
"generated_at": datetime.utcnow().isoformat(),
"schema_version": "1.0"
}
def _execute_opt_out_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Execute opt-out request (CCPA-specific)."""
# Revoke all consent for sale/sharing
consents = self.consents.get(data_subject_id, [])
revoked = []
for consent in consents:
if consent.purpose in ['sale', 'sharing', 'targeted_advertising']:
consent.granted = False
consent.revoked_at = datetime.utcnow()
revoked.append(consent.purpose)
return {
"opted_out": True,
"purposes_revoked": revoked,
"effective_date": datetime.utcnow().isoformat()
}
def _audit_log(self, action: str, data_subject_id: str, details: Dict):
"""Log audit event."""
event = {
"timestamp": datetime.utcnow().isoformat(),
"action": action,
"data_subject_id": data_subject_id,
"details": details
}
# Store audit event
print(f"AUDIT: {json.dumps(event)}")
# Placeholder methods
def _get_personal_data(self, data_subject_id: str) -> Dict:
return {}
def _get_processing_purposes(self, data_subject_id: str) -> List[str]:
return []
def _get_data_recipients(self, data_subject_id: str) -> List[str]:
return []
def _get_retention_info(self, data_subject_id: str) -> Dict:
return {}
def _get_applicable_rights(self, regulations: Set[Regulation]) -> List[str]:
return []
def _check_deletion_exceptions(self, data_subject_id: str, regulations: Set[Regulation]) -> List[str]:
return []
def _delete_personal_data(self, data_subject_id: str) -> List[str]:
return []
def _archive_consent_records(self, data_subject_id: str) -> List[str]:
return []
def _notify_third_parties_deletion(self, data_subject_id: str) -> int:
return 0
def _get_portable_data(self, data_subject_id: str) -> Dict:
return {}Regulation-Specific Handlers
class RegulationHandler:
"""Base class for regulation handlers."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
raise NotImplementedError
def get_request_requirements(self, request_type: str) -> Dict:
raise NotImplementedError
def get_data_subject_rights(self) -> List[str]:
raise NotImplementedError
class GDPRHandler(RegulationHandler):
"""GDPR-specific requirements handler."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# GDPR requires specific consent for each purpose
if not purpose:
errors.append("Consent must be purpose-specific")
# Consent must be freely given
# This is validated through UI/UX design
# Consent for minors requires parental consent
if data_subject.is_minor and lawful_basis == LawfulBasis.CONSENT:
# Would need to verify parental consent
pass
# Special category data requires explicit consent
# This would be checked based on data category
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30,
"extensions_allowed": True,
"extension_max_days": 60,
"free_of_charge": True,
"identity_verification": True
},
"deletion": {
"deadline_days": 30,
"extensions_allowed": True,
"notify_third_parties": True
},
"portability": {
"deadline_days": 30,
"format": "machine_readable",
"free_of_charge": True
},
"rectification": {
"deadline_days": 30,
"notify_recipients": True
},
"restriction": {
"deadline_days": 30
},
"objection": {
"deadline_days": 30
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_be_informed",
"right_of_access",
"right_to_rectification",
"right_to_erasure",
"right_to_restrict_processing",
"right_to_data_portability",
"right_to_object",
"rights_related_to_automated_decision_making"
]
class CCPAHandler(RegulationHandler):
"""CCPA/CPRA-specific requirements handler."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# CCPA uses opt-out model for sale of data
# But requires opt-in for minors
if data_subject.is_minor:
# Minors 13-16 must opt-in
# Under 13 requires parental consent
if not granted and purpose == 'sale':
errors.append("Minor data sale requires affirmative consent")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 45,
"extensions_allowed": True,
"extension_max_days": 45,
"free_of_charge": True,
"requests_per_year": 2
},
"deletion": {
"deadline_days": 45,
"notify_service_providers": True
},
"opt_out": {
"deadline_days": 15, # CPRA requirement
"no_retaliation": True
},
"correction": { # CPRA addition
"deadline_days": 45
},
"portability": {
"deadline_days": 45,
"format": "machine_readable"
}
}
return requirements.get(request_type, {"deadline_days": 45})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_know",
"right_to_delete",
"right_to_opt_out_of_sale",
"right_to_non_discrimination",
"right_to_correct", # CPRA
"right_to_limit_sensitive_data_use", # CPRA
"right_to_opt_out_of_automated_decision_making" # CPRA
]
class LGPDHandler(RegulationHandler):
"""LGPD (Brazil) specific requirements handler."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# LGPD requires specific, informed consent
if lawful_basis == LawfulBasis.CONSENT and not purpose:
errors.append("Consent must specify purpose")
# Children's data requires parental consent
if data_subject.is_minor:
# LGPD defines minor as under 18
pass
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 15,
"format": "simplified_or_complete",
"free_of_charge": True
},
"deletion": {
"deadline_days": 15
},
"portability": {
"deadline_days": 15,
"format": "machine_readable"
},
"anonymization": {
"deadline_days": 15
}
}
return requirements.get(request_type, {"deadline_days": 15})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_confirmation",
"right_to_access",
"right_to_correction",
"right_to_anonymization",
"right_to_deletion",
"right_to_portability",
"right_to_information_about_sharing",
"right_to_withdraw_consent",
"right_to_petition_authority"
]
class PDPAHandler(RegulationHandler):
"""PDPA (Singapore) specific requirements handler."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# PDPA requires consent for collection, use, and disclosure
if not purpose:
errors.append("Purpose must be specified")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30,
"fee_allowed": True, # PDPA allows reasonable fee
"format": "copy"
},
"correction": {
"deadline_days": 30
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_access",
"right_to_correction",
"right_to_withdraw_consent"
]
class PIPLHandler(RegulationHandler):
"""PIPL (China) specific requirements handler."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# PIPL requires separate consent for sensitive data
# and cross-border transfer
if not purpose:
errors.append("Purpose must be clearly specified")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30, # "Timely" response
"free_of_charge": True
},
"deletion": {
"deadline_days": 30,
"conditions": ["purpose_fulfilled", "consent_withdrawn", "contract_terminated"]
},
"portability": {
"deadline_days": 30,
"format": "machine_readable"
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_know",
"right_to_decide",
"right_to_restrict",
"right_to_refuse",
"right_to_access",
"right_to_correction",
"right_to_deletion",
"right_to_portability",
"right_to_request_explanation"
]Cross-Border Transfer Compliance
class CrossBorderTransferManager:
def __init__(self):
self.transfer_mechanisms = {}
self.adequacy_decisions = self._load_adequacy_decisions()
def _load_adequacy_decisions(self) -> Dict[str, Set[str]]:
"""Load adequacy decisions by regulation."""
return {
"gdpr": {
# Countries with EU adequacy decisions
"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP",
"JE", "NZ", "KR", "CH", "GB", "UY"
},
"lgpd": {
# Brazil's adequacy framework still developing
},
"pipl": {
# China requires government approval for most transfers
}
}
def assess_transfer(self,
source_country: str,
destination_country: str,
data_categories: List[DataCategory]) -> Dict:
"""Assess cross-border transfer requirements."""
assessment = {
"source_country": source_country,
"destination_country": destination_country,
"data_categories": [c.value for c in data_categories],
"requirements": [],
"recommended_mechanisms": [],
"risk_level": "low"
}
# Check each applicable regulation
# EU -> Non-adequate country
if source_country in self._get_eu_countries():
if destination_country not in self.adequacy_decisions["gdpr"]:
assessment["requirements"].append({
"regulation": "GDPR",
"requirement": "Transfer mechanism required",
"options": [
"Standard Contractual Clauses (SCCs)",
"Binding Corporate Rules (BCRs)",
"Explicit consent",
"Necessary for contract"
]
})
assessment["risk_level"] = "medium"
# Special category data increases risk
if any(c in [DataCategory.HEALTH, DataCategory.BIOMETRIC] for c in data_categories):
assessment["risk_level"] = "high"
assessment["requirements"].append({
"regulation": "GDPR",
"requirement": "Additional safeguards for sensitive data"
})
# China -> Any country
if source_country == "CN":
assessment["requirements"].append({
"regulation": "PIPL",
"requirement": "Government security assessment may be required",
"threshold": "Important data or large volume personal data"
})
assessment["requirements"].append({
"regulation": "PIPL",
"requirement": "Separate consent for cross-border transfer"
})
assessment["risk_level"] = "high"
# Recommend transfer mechanisms
assessment["recommended_mechanisms"] = self._recommend_mechanisms(
source_country,
destination_country,
assessment["requirements"]
)
return assessment
def _recommend_mechanisms(self,
source: str,
destination: str,
requirements: List[Dict]) -> List[Dict]:
"""Recommend appropriate transfer mechanisms."""
mechanisms = []
for req in requirements:
if req["regulation"] == "GDPR":
if "SCCs" in str(req.get("options", [])):
mechanisms.append({
"mechanism": "Standard Contractual Clauses (2021)",
"implementation": "Execute new SCCs with data importer",
"supplementary_measures": [
"Data encryption in transit and at rest",
"Pseudonymization where possible",
"Access controls and audit logging"
]
})
if req["regulation"] == "PIPL":
mechanisms.append({
"mechanism": "PIPL Compliance Package",
"implementation": "Conduct security assessment and obtain consent",
"requirements": [
"Data localization assessment",
"Security impact assessment",
"Separate consent for transfer",
"Local representative appointment"
]
})
return mechanisms
def _get_eu_countries(self) -> Set[str]:
"""Get EU/EEA countries."""
return {
'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI',
'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU',
'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
'IS', 'LI', 'NO'
}Compliance Reporting
class PrivacyComplianceReporter:
def __init__(self, privacy_manager: UnifiedPrivacyManager):
self.privacy_manager = privacy_manager
def generate_compliance_report(self,
regulations: List[Regulation],
report_period_start: datetime,
report_period_end: datetime) -> Dict:
"""Generate comprehensive compliance report."""
report = {
"report_period": {
"start": report_period_start.isoformat(),
"end": report_period_end.isoformat()
},
"generated_at": datetime.utcnow().isoformat(),
"regulations_covered": [r.value for r in regulations],
"executive_summary": {},
"detailed_metrics": {},
"compliance_status": {},
"recommendations": []
}
# Aggregate metrics
metrics = {
"total_data_subjects": len(self.privacy_manager.data_subjects),
"consent_records": sum(
len(consents)
for consents in self.privacy_manager.consents.values()
),
"processing_activities": len(self.privacy_manager.processing_activities),
"data_requests": self._count_data_requests(report_period_start, report_period_end),
"breaches": self._count_breaches(report_period_start, report_period_end)
}
report["detailed_metrics"] = metrics
# Per-regulation compliance status
for reg in regulations:
handler = self.privacy_manager.regulation_handlers.get(reg)
if handler:
report["compliance_status"][reg.value] = self._assess_regulation_compliance(
reg,
handler,
metrics
)
# Generate recommendations
report["recommendations"] = self._generate_recommendations(
report["compliance_status"]
)
# Executive summary
report["executive_summary"] = {
"overall_compliance": self._calculate_overall_compliance(report["compliance_status"]),
"key_metrics": {
"data_subjects": metrics["total_data_subjects"],
"requests_processed": metrics["data_requests"]["total"],
"avg_response_time_days": metrics["data_requests"]["avg_response_days"]
},
"critical_issues": len([r for r in report["recommendations"] if r["priority"] == "critical"])
}
return report
def _assess_regulation_compliance(self,
regulation: Regulation,
handler: RegulationHandler,
metrics: Dict) -> Dict:
"""Assess compliance with specific regulation."""
compliance = {
"regulation": regulation.value,
"status": "compliant",
"score": 100,
"checks": []
}
# Check DPO appointment (if required)
if regulation in [Regulation.GDPR, Regulation.LGPD]:
dpo_check = self._check_dpo_appointment()
compliance["checks"].append(dpo_check)
if not dpo_check["passed"]:
compliance["score"] -= 20
# Check consent management
consent_check = self._check_consent_management(regulation)
compliance["checks"].append(consent_check)
if not consent_check["passed"]:
compliance["score"] -= 15
# Check data request response times
response_check = self._check_response_times(regulation, handler, metrics)
compliance["checks"].append(response_check)
if not response_check["passed"]:
compliance["score"] -= 25
# Check records of processing
records_check = self._check_processing_records(regulation)
compliance["checks"].append(records_check)
if not records_check["passed"]:
compliance["score"] -= 15
# Determine overall status
if compliance["score"] >= 90:
compliance["status"] = "compliant"
elif compliance["score"] >= 70:
compliance["status"] = "partially_compliant"
else:
compliance["status"] = "non_compliant"
return compliance
def _check_dpo_appointment(self) -> Dict:
"""Check if DPO is appointed."""
# Would check actual DPO configuration
return {
"check": "DPO Appointment",
"passed": True,
"details": "DPO appointed and registered"
}
def _check_consent_management(self, regulation: Regulation) -> Dict:
"""Check consent management compliance."""
return {
"check": "Consent Management",
"passed": True,
"details": "Consent records maintained with required granularity"
}
def _check_response_times(self,
regulation: Regulation,
handler: RegulationHandler,
metrics: Dict) -> Dict:
"""Check data request response times."""
requirements = handler.get_request_requirements("access")
deadline = requirements.get("deadline_days", 30)
avg_response = metrics["data_requests"]["avg_response_days"]
passed = avg_response <= deadline
return {
"check": "Response Time Compliance",
"passed": passed,
"details": f"Average response: {avg_response} days (deadline: {deadline} days)"
}
def _check_processing_records(self, regulation: Regulation) -> Dict:
"""Check records of processing activities."""
return {
"check": "Processing Records",
"passed": True,
"details": "ROPA maintained and up to date"
}
def _count_data_requests(self, start: datetime, end: datetime) -> Dict:
"""Count data requests in period."""
return {
"total": 150,
"by_type": {
"access": 80,
"deletion": 45,
"portability": 15,
"opt_out": 10
},
"avg_response_days": 12
}
def _count_breaches(self, start: datetime, end: datetime) -> Dict:
"""Count data breaches in period."""
return {
"total": 0,
"reported_to_authority": 0,
"notified_data_subjects": 0
}
def _calculate_overall_compliance(self, compliance_status: Dict) -> str:
"""Calculate overall compliance status."""
scores = [status["score"] for status in compliance_status.values()]
avg_score = sum(scores) / len(scores) if scores else 0
if avg_score >= 90:
return "compliant"
elif avg_score >= 70:
return "partially_compliant"
return "non_compliant"
def _generate_recommendations(self, compliance_status: Dict) -> List[Dict]:
"""Generate compliance recommendations."""
recommendations = []
for reg, status in compliance_status.items():
for check in status["checks"]:
if not check["passed"]:
recommendations.append({
"regulation": reg,
"area": check["check"],
"priority": "high" if status["score"] < 70 else "medium",
"recommendation": f"Address {check['check']} compliance gap",
"details": check["details"]
})
return recommendationsBest Practices
Multinational Compliance
- Apply strictest standard: When multiple regulations apply, implement the most restrictive requirements
- Unified consent management: Build consent mechanisms that satisfy all applicable regulations
- Localized notices: Provide privacy notices in local languages with regulation-specific disclosures
- Regular assessments: Conduct periodic compliance assessments as regulations evolve
Implementation Guidelines
- Map data flows to identify all applicable regulations
- Implement automated request handling with configurable deadlines
- Maintain comprehensive audit trails for all privacy operations
- Train staff on regulation-specific requirements
Global privacy compliance requires a systematic approach that adapts to the most stringent requirements while maintaining operational efficiency.