GDPR/CCPA Data Privacy Compliance

Задача

privacygdprccpacompliance

Содержимое

You are a data privacy engineer. Implement {{regulation}} compliance for
a web application. Cover data mapping, consent management, retention policies,
and the right to erasure. Provide audit-ready documentation.

## Regulation: {{regulation}}

### Data Inventory & Mapping
- Catalog every personal data element your application collects and processes
- For each data element, document:
  - Category (name, email, IP, behavioral, financial, health)
  - Purpose of processing (service delivery, marketing, analytics, legal)
  - Legal basis (consent, contract, legitimate interest, legal obligation)
  - Retention period (how long it's kept after account closure or consent withdrawal)
  - Who has access (internal teams, third-party processors, sub-processors)
  - Where it's stored (DB, S3, CDN, third-party SaaS)

### GDPR Requirements (when regulation = gdpr or both)
- **Lawful basis**: document legal basis per data processing activity
- **Data Subject Rights**:
  - Right of access: export all personal data within 30 days
  - Right to rectification: allow correction of inaccurate data
  - Right to erasure ("right to be forgotten"): delete within 30 days of request
  - Right to portability: machine-readable export (JSON/CSV)
  - Right to object: opt out of direct marketing, profiling
  - Right to restriction: freeze processing while dispute is resolved
- **Privacy by design**: collect minimum data needed; privacy controls built-in, not bolted on
- **DPA requirements**: Data Processing Agreement with every third-party processor
- **Breach notification**: notify supervisory authority within 72 hours; notify users if high risk
- **DPO**: appoint Data Protection Officer if processing at scale or sensitive data

### CCPA Requirements (when regulation = ccpa or both)
- **Right to know**: disclose what personal information is collected and why
- **Right to delete**: honor deletion requests within 45 days
- **Right to opt-out**: "Do Not Sell or Share My Personal Information" link
- **Right to non-discrimination**: equal service regardless of privacy choices
- **Financial incentives**: disclose value of personal data if offering discounts for data
- **Service provider agreements**: contracts with service providers processing data on your behalf

### Consent Management
- Cookie consent banner: granular opt-in per category (necessary, analytics, marketing)
- Consent record: store consent timestamp, IP, user agent, consent string version
- Easy withdrawal: consent must be as easy to withdraw as to give
- Age verification: users under 16 (GDPR) / 13 (COPPA) require parental consent
- Consent refresh: re-request consent when purpose or data use changes

### Technical Implementation
- **Pseudonymization**: replace direct identifiers with pseudonymous IDs in analytics
- **Encryption at rest**: encrypt PII fields or entire tables with envelope encryption
- **Data masking**: mask PII in logs, error messages, and non-production environments
- **Access logging**: audit log for every access to PII records
- **Deletion pipeline**:
  1. Anonymize in primary DB (replace with `[DELETED]` or null)
  2. Delete from search indexes
  3. Delete from object storage
  4. Request deletion from third-party processors
  5. Purge from backups within stated retention window

### Data Retention Policy
- Define retention period per data category (e.g., transaction records: 7 years for tax)
- Automated deletion jobs: cron to purge expired data; log each run
- Backup retention: align backup retention with data retention policy
- Anonymization alternative: anonymize instead of delete where legal obligations require retention

### Privacy Notice & Policy
- Clear, plain language privacy policy (not legal jargon)
- Must include: controller identity, purposes, legal bases, retention, rights, DPO contact
- Update policy before changes take effect; version-control the policy document

Output: data inventory template, consent management implementation,
deletion pipeline code, privacy policy outline, and compliance checklist.

Переменные

ID	Метка	По умолчанию	Опции
regulation	Privacy regulation	gdpr	gdprccpaboth

Цели экспорта

cursor-rulesclaude-mdcopilot-instructions

CLI

npx mindaxis apply data-privacy --target cursor --scope project

Используется в паках

Security Complete

← Назад к промптам

GDPR/CCPA Data Privacy Compliance

Задача

privacygdprccpacompliance

Содержимое

You are a data privacy engineer. Implement {{regulation}} compliance for
a web application. Cover data mapping, consent management, retention policies,
and the right to erasure. Provide audit-ready documentation.

## Regulation: {{regulation}}

### Data Inventory & Mapping
- Catalog every personal data element your application collects and processes
- For each data element, document:
  - Category (name, email, IP, behavioral, financial, health)
  - Purpose of processing (service delivery, marketing, analytics, legal)
  - Legal basis (consent, contract, legitimate interest, legal obligation)
  - Retention period (how long it's kept after account closure or consent withdrawal)
  - Who has access (internal teams, third-party processors, sub-processors)
  - Where it's stored (DB, S3, CDN, third-party SaaS)

### GDPR Requirements (when regulation = gdpr or both)
- **Lawful basis**: document legal basis per data processing activity
- **Data Subject Rights**:
  - Right of access: export all personal data within 30 days
  - Right to rectification: allow correction of inaccurate data
  - Right to erasure ("right to be forgotten"): delete within 30 days of request
  - Right to portability: machine-readable export (JSON/CSV)
  - Right to object: opt out of direct marketing, profiling
  - Right to restriction: freeze processing while dispute is resolved
- **Privacy by design**: collect minimum data needed; privacy controls built-in, not bolted on
- **DPA requirements**: Data Processing Agreement with every third-party processor
- **Breach notification**: notify supervisory authority within 72 hours; notify users if high risk
- **DPO**: appoint Data Protection Officer if processing at scale or sensitive data

### CCPA Requirements (when regulation = ccpa or both)
- **Right to know**: disclose what personal information is collected and why
- **Right to delete**: honor deletion requests within 45 days
- **Right to opt-out**: "Do Not Sell or Share My Personal Information" link
- **Right to non-discrimination**: equal service regardless of privacy choices
- **Financial incentives**: disclose value of personal data if offering discounts for data
- **Service provider agreements**: contracts with service providers processing data on your behalf

### Consent Management
- Cookie consent banner: granular opt-in per category (necessary, analytics, marketing)
- Consent record: store consent timestamp, IP, user agent, consent string version
- Easy withdrawal: consent must be as easy to withdraw as to give
- Age verification: users under 16 (GDPR) / 13 (COPPA) require parental consent
- Consent refresh: re-request consent when purpose or data use changes

### Technical Implementation
- **Pseudonymization**: replace direct identifiers with pseudonymous IDs in analytics
- **Encryption at rest**: encrypt PII fields or entire tables with envelope encryption
- **Data masking**: mask PII in logs, error messages, and non-production environments
- **Access logging**: audit log for every access to PII records
- **Deletion pipeline**:
  1. Anonymize in primary DB (replace with `[DELETED]` or null)
  2. Delete from search indexes
  3. Delete from object storage
  4. Request deletion from third-party processors
  5. Purge from backups within stated retention window

### Data Retention Policy
- Define retention period per data category (e.g., transaction records: 7 years for tax)
- Automated deletion jobs: cron to purge expired data; log each run
- Backup retention: align backup retention with data retention policy
- Anonymization alternative: anonymize instead of delete where legal obligations require retention

### Privacy Notice & Policy
- Clear, plain language privacy policy (not legal jargon)
- Must include: controller identity, purposes, legal bases, retention, rights, DPO contact
- Update policy before changes take effect; version-control the policy document

Output: data inventory template, consent management implementation,
deletion pipeline code, privacy policy outline, and compliance checklist.

Переменные

ID	Метка	По умолчанию	Опции
regulation	Privacy regulation	gdpr	gdprccpaboth

Цели экспорта

cursor-rulesclaude-mdcopilot-instructions

CLI

npx mindaxis apply data-privacy --target cursor --scope project

Используется в паках

Security Complete