@greenarmor/ges-policy-engine 1.2.7 → 1.3.0

@@ -0,0 +1,643 @@
1
+ export function createPrivacyCorePolicyPack() {
2
+ const controls = [
3
+ // ============================================================
4
+ // PRIV-GOV — GOVERNANCE
5
+ // ============================================================
6
+ {
7
+ id: "PRIV-GOV-01",
8
+ name: "Privacy Program",
9
+ description: "Establish and maintain a formal privacy program with defined scope, objectives, and oversight.",
10
+ category: "privacy-governance",
11
+ framework: "PRIVACY-CORE",
12
+ status: "not-implemented",
13
+ severity: "critical",
14
+ implementation_guidance: "Define a privacy program charter with scope, objectives, governance structure, and reporting cadence. Assign executive sponsorship. Document the program's alignment with business objectives and regulatory requirements. Review and update the charter annually.",
15
+ checks: [
16
+ { id: "PRIV-GOV-01-C1", description: "Privacy program charter documented and approved", status: "not-implemented" },
17
+ { id: "PRIV-GOV-01-C2", description: "Executive sponsor assigned and documented", status: "not-implemented" },
18
+ { id: "PRIV-GOV-01-C3", description: "Program reviewed and updated annually", status: "not-implemented" },
19
+ ],
20
+ },
21
+ {
22
+ id: "PRIV-GOV-02",
23
+ name: "Privacy Policies",
24
+ description: "Develop, approve, and maintain privacy policies that govern personal data processing.",
25
+ category: "privacy-governance",
26
+ framework: "PRIVACY-CORE",
27
+ status: "not-implemented",
28
+ severity: "high",
29
+ implementation_guidance: "Create a comprehensive privacy policy covering data collection, use, sharing, retention, and individual rights. Ensure policies are accessible, written in plain language, and available in relevant languages. Review and update policies at least annually or upon significant changes.",
30
+ checks: [
31
+ { id: "PRIV-GOV-02-C1", description: "Privacy policy published and accessible", status: "not-implemented" },
32
+ { id: "PRIV-GOV-02-C2", description: "Internal privacy procedures documented", status: "not-implemented" },
33
+ { id: "PRIV-GOV-02-C3", description: "Policies reviewed at least annually", status: "not-implemented" },
34
+ ],
35
+ },
36
+ {
37
+ id: "PRIV-GOV-03",
38
+ name: "Data Protection Officer",
39
+ description: "Appoint a Data Protection Officer (DPO) or privacy lead with defined responsibilities and authority.",
40
+ category: "privacy-governance",
41
+ framework: "PRIVACY-CORE",
42
+ status: "not-implemented",
43
+ severity: "high",
44
+ implementation_guidance: "Appoint a DPO or equivalent privacy lead. Define their responsibilities: monitoring compliance, advising on privacy impact assessments, cooperating with regulators, and serving as a contact point for data subjects. Ensure the DPO reports to the highest level of management and operates independently.",
45
+ checks: [
46
+ { id: "PRIV-GOV-03-C1", description: "DPO or privacy lead appointed and documented", status: "not-implemented" },
47
+ { id: "PRIV-GOV-03-C2", description: "DPO responsibilities defined and communicated", status: "not-implemented" },
48
+ { id: "PRIV-GOV-03-C3", description: "DPO contact information publicly available", status: "not-implemented" },
49
+ ],
50
+ },
51
+ {
52
+ id: "PRIV-GOV-04",
53
+ name: "Privacy Risk Management",
54
+ description: "Establish a privacy risk management process integrated with the overall risk management framework.",
55
+ category: "privacy-governance",
56
+ framework: "PRIVACY-CORE",
57
+ status: "not-implemented",
58
+ severity: "high",
59
+ implementation_guidance: "Define a privacy risk assessment methodology. Identify, analyze, and evaluate privacy risks. Define risk thresholds and treatment strategies (accept, mitigate, transfer, avoid). Document risk decisions and track remediation. Integrate with enterprise risk management.",
60
+ checks: [
61
+ { id: "PRIV-GOV-04-C1", description: "Privacy risk methodology documented", status: "not-implemented" },
62
+ { id: "PRIV-GOV-04-C2", description: "Privacy risk register maintained", status: "not-implemented" },
63
+ { id: "PRIV-GOV-04-C3", description: "Risk treatment decisions documented", status: "not-implemented" },
64
+ ],
65
+ },
66
+ {
67
+ id: "PRIV-GOV-05",
68
+ name: "Management Review",
69
+ description: "Conduct regular management reviews of the privacy program's effectiveness.",
70
+ category: "privacy-governance",
71
+ framework: "PRIVACY-CORE",
72
+ status: "not-implemented",
73
+ severity: "medium",
74
+ implementation_guidance: "Schedule privacy program reviews at least quarterly with senior management. Review metrics, incident trends, audit findings, risk status, and regulatory changes. Document review outcomes and action items. Track action item completion.",
75
+ checks: [
76
+ { id: "PRIV-GOV-05-C1", description: "Management review conducted at least quarterly", status: "not-implemented" },
77
+ { id: "PRIV-GOV-05-C2", description: "Review outcomes and actions documented", status: "not-implemented" },
78
+ ],
79
+ },
80
+ // ============================================================
81
+ // PRIV-INV — DATA INVENTORY
82
+ // ============================================================
83
+ {
84
+ id: "PRIV-INV-01",
85
+ name: "Data Inventory Register",
86
+ description: "Maintain a comprehensive inventory of all personal data collected, processed, and stored.",
87
+ category: "data-inventory",
88
+ framework: "PRIVACY-CORE",
89
+ status: "not-implemented",
90
+ severity: "critical",
91
+ implementation_guidance: "Create and maintain a data inventory that documents: data categories, data sources, collection methods, processing purposes, storage locations, retention periods, access controls, and third-party sharing. Use automated discovery tools where possible. Review and update the inventory at least annually.",
92
+ checks: [
93
+ { id: "PRIV-INV-01-C1", description: "Data inventory register maintained and up-to-date", status: "not-implemented" },
94
+ { id: "PRIV-INV-01-C2", description: "Inventory includes all required metadata fields", status: "not-implemented" },
95
+ { id: "PRIV-INV-01-C3", description: "Inventory reviewed at least annually", status: "not-implemented" },
96
+ ],
97
+ },
98
+ {
99
+ id: "PRIV-INV-02",
100
+ name: "Data Flow Mapping",
101
+ description: "Document the flow of personal data through systems, applications, and third parties.",
102
+ category: "data-inventory",
103
+ framework: "PRIVACY-CORE",
104
+ status: "not-implemented",
105
+ severity: "high",
106
+ implementation_guidance: "Create data flow maps showing how personal data moves through the organization: collection points, processing systems, storage locations, third-party transfers, and deletion points. Identify cross-border data flows. Update maps when processing activities change.",
107
+ checks: [
108
+ { id: "PRIV-INV-02-C1", description: "Data flow maps documented for all processing activities", status: "not-implemented" },
109
+ { id: "PRIV-INV-02-C2", description: "Cross-border data flows identified and mapped", status: "not-implemented" },
110
+ { id: "PRIV-INV-02-C3", description: "Maps updated when processing activities change", status: "not-implemented" },
111
+ ],
112
+ },
113
+ {
114
+ id: "PRIV-INV-03",
115
+ name: "Processing Activity Records",
116
+ description: "Maintain records of processing activities (ROPA) as required by applicable privacy laws.",
117
+ category: "data-inventory",
118
+ framework: "PRIVACY-CORE",
119
+ status: "not-implemented",
120
+ severity: "critical",
121
+ implementation_guidance: "Maintain a ROPA documenting: processing purposes, data categories, data subjects, recipients, third-country transfers, retention periods, and security measures. Keep records current and available for regulatory inspection. Align format with applicable legal requirements (e.g., GDPR Article 30).",
122
+ checks: [
123
+ { id: "PRIV-INV-03-C1", description: "ROPA maintained and accessible for regulatory inspection", status: "not-implemented" },
124
+ { id: "PRIV-INV-03-C2", description: "ROPA includes all legally required fields", status: "not-implemented" },
125
+ ],
126
+ },
127
+ {
128
+ id: "PRIV-INV-04",
129
+ name: "System Classification",
130
+ description: "Classify systems and applications based on the sensitivity of personal data they process.",
131
+ category: "data-inventory",
132
+ framework: "PRIVACY-CORE",
133
+ status: "not-implemented",
134
+ severity: "medium",
135
+ implementation_guidance: "Assign data classification levels (public, internal, confidential, restricted) to all systems processing personal data. Define handling requirements per classification level. Implement access controls aligned with classification. Review classifications when processing changes.",
136
+ checks: [
137
+ { id: "PRIV-INV-04-C1", description: "All systems classified by data sensitivity", status: "not-implemented" },
138
+ { id: "PRIV-INV-04-C2", description: "Handling requirements defined per classification", status: "not-implemented" },
139
+ ],
140
+ },
141
+ // ============================================================
142
+ // PRIV-CNS — CONSENT & LEGAL BASIS
143
+ // ============================================================
144
+ {
145
+ id: "PRIV-CNS-01",
146
+ name: "Consent Collection",
147
+ description: "Implement mechanisms for collecting, recording, and managing consent for personal data processing.",
148
+ category: "consent-management",
149
+ framework: "PRIVACY-CORE",
150
+ status: "not-implemented",
151
+ severity: "critical",
152
+ implementation_guidance: "Implement a consent management platform that captures granular, informed, and freely given consent. Record: what was consented to, when, how, the privacy policy version, and withdrawal options. Support separate consent for different processing purposes. Ensure consent is as easy to withdraw as to give.",
153
+ checks: [
154
+ { id: "PRIV-CNS-01-C1", description: "Consent management platform deployed", status: "not-implemented" },
155
+ { id: "PRIV-CNS-01-C2", description: "Granular consent per processing purpose", status: "not-implemented" },
156
+ { id: "PRIV-CNS-01-C3", description: "Consent records include timestamp, method, and policy version", status: "not-implemented" },
157
+ ],
158
+ },
159
+ {
160
+ id: "PRIV-CNS-02",
161
+ name: "Consent Withdrawal",
162
+ description: "Provide mechanisms for individuals to withdraw consent as easily as it was given.",
163
+ category: "consent-management",
164
+ framework: "PRIVACY-CORE",
165
+ status: "not-implemented",
166
+ severity: "high",
167
+ implementation_guidance: "Implement a user-facing consent withdrawal mechanism accessible from account settings, privacy preferences, or a dedicated page. Process withdrawal requests within defined timeframes. Stop processing upon withdrawal. Notify third parties of withdrawn consent.",
168
+ checks: [
169
+ { id: "PRIV-CNS-02-C1", description: "Consent withdrawal mechanism available to users", status: "not-implemented" },
170
+ { id: "PRIV-CNS-02-C2", description: "Withdrawal processed within defined SLA", status: "not-implemented" },
171
+ { id: "PRIV-CNS-02-C3", description: "Third parties notified of withdrawn consent", status: "not-implemented" },
172
+ ],
173
+ },
174
+ {
175
+ id: "PRIV-CNS-03",
176
+ name: "Legal Basis Documentation",
177
+ description: "Document the legal basis for each personal data processing activity.",
178
+ category: "consent-management",
179
+ framework: "PRIVACY-CORE",
180
+ status: "not-implemented",
181
+ severity: "high",
182
+ implementation_guidance: "For each processing activity, identify and document the legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests). Conduct legitimate interest assessments where applicable. Maintain documentation alongside the ROPA.",
183
+ checks: [
184
+ { id: "PRIV-CNS-03-C1", description: "Legal basis documented for each processing activity", status: "not-implemented" },
185
+ { id: "PRIV-CNS-03-C2", description: "Legitimate interest assessments conducted where applicable", status: "not-implemented" },
186
+ ],
187
+ },
188
+ {
189
+ id: "PRIV-CNS-04",
190
+ name: "Purpose Limitation",
191
+ description: "Ensure personal data is processed only for specified, explicit, and legitimate purposes.",
192
+ category: "consent-management",
193
+ framework: "PRIVACY-CORE",
194
+ status: "not-implemented",
195
+ severity: "high",
196
+ implementation_guidance: "Define and document specific processing purposes for each data collection. Implement technical controls preventing data use beyond stated purposes. Conduct compatibility assessments before reusing data for new purposes. Communicate purposes to data subjects at collection.",
197
+ checks: [
198
+ { id: "PRIV-CNS-04-C1", description: "Processing purposes documented per data collection", status: "not-implemented" },
199
+ { id: "PRIV-CNS-04-C2", description: "Compatibility assessment before data reuse", status: "not-implemented" },
200
+ ],
201
+ },
202
+ // ============================================================
203
+ // PRIV-DSR — DATA SUBJECT RIGHTS
204
+ // ============================================================
205
+ {
206
+ id: "PRIV-DSR-01",
207
+ name: "Right of Access",
208
+ description: "Provide individuals with the ability to access their personal data upon request.",
209
+ category: "data-subject-rights",
210
+ framework: "PRIVACY-CORE",
211
+ status: "not-implemented",
212
+ severity: "critical",
213
+ implementation_guidance: "Implement a DSAR (Data Subject Access Request) process allowing individuals to request a copy of their personal data. Verify identity before disclosure. Provide data in a structured, commonly used, machine-readable format. Respond within statutory timeframes (typically 30 days). Document all requests and responses.",
214
+ checks: [
215
+ { id: "PRIV-DSR-01-C1", description: "DSAR process implemented and documented", status: "not-implemented" },
216
+ { id: "PRIV-DSR-01-C2", description: "Identity verification before disclosure", status: "not-implemented" },
217
+ { id: "PRIV-DSR-01-C3", description: "Responses provided within statutory timeframes", status: "not-implemented" },
218
+ ],
219
+ },
220
+ {
221
+ id: "PRIV-DSR-02",
222
+ name: "Right to Rectification",
223
+ description: "Allow individuals to correct inaccurate or incomplete personal data.",
224
+ category: "data-subject-rights",
225
+ framework: "PRIVACY-CORE",
226
+ status: "not-implemented",
227
+ severity: "high",
228
+ implementation_guidance: "Provide a mechanism for individuals to request correction of inaccurate personal data. Implement a verification process for rectification requests. Update data across all systems within defined timeframes. Notify third parties of corrections where data was shared.",
229
+ checks: [
230
+ { id: "PRIV-DSR-02-C1", description: "Rectification request mechanism available", status: "not-implemented" },
231
+ { id: "PRIV-DSR-02-C2", description: "Corrections propagated across all systems", status: "not-implemented" },
232
+ { id: "PRIV-DSR-02-C3", description: "Third parties notified of corrections", status: "not-implemented" },
233
+ ],
234
+ },
235
+ {
236
+ id: "PRIV-DSR-03",
237
+ name: "Right to Erasure",
238
+ description: "Allow individuals to request deletion of their personal data (right to be forgotten).",
239
+ category: "data-subject-rights",
240
+ framework: "PRIVACY-CORE",
241
+ status: "not-implemented",
242
+ severity: "critical",
243
+ implementation_guidance: "Implement a deletion request process with defined criteria for when erasure applies. Verify identity and assess legal obligations before deletion. Delete data from all systems including backups (or flag for deletion on next backup cycle). Notify third parties of erasure. Document the erasure action.",
244
+ checks: [
245
+ { id: "PRIV-DSR-03-C1", description: "Erasure request process implemented", status: "not-implemented" },
246
+ { id: "PRIV-DSR-03-C2", description: "Data deleted from all systems including backups", status: "not-implemented" },
247
+ { id: "PRIV-DSR-03-C3", description: "Third parties notified of erasure", status: "not-implemented" },
248
+ ],
249
+ },
250
+ {
251
+ id: "PRIV-DSR-04",
252
+ name: "Right to Data Portability",
253
+ description: "Provide individuals with their personal data in a structured, machine-readable format for transfer.",
254
+ category: "data-subject-rights",
255
+ framework: "PRIVACY-CORE",
256
+ status: "not-implemented",
257
+ severity: "medium",
258
+ implementation_guidance: "Implement an export mechanism providing personal data in JSON, CSV, or XML format. Ensure the export includes all personal data provided by the individual and data generated from their activity. Provide a direct transfer option to another controller where technically feasible.",
259
+ checks: [
260
+ { id: "PRIV-DSR-04-C1", description: "Data export in machine-readable format available", status: "not-implemented" },
261
+ { id: "PRIV-DSR-04-C2", description: "Direct transfer to another controller supported", status: "not-implemented" },
262
+ ],
263
+ },
264
+ {
265
+ id: "PRIV-DSR-05",
266
+ name: "Right to Object",
267
+ description: "Allow individuals to object to processing of their personal data for specific purposes.",
268
+ category: "data-subject-rights",
269
+ framework: "PRIVACY-CORE",
270
+ status: "not-implemented",
271
+ severity: "high",
272
+ implementation_guidance: "Provide a mechanism for individuals to object to processing (especially direct marketing, profiling, and research). Stop processing upon valid objection unless compelling legitimate grounds exist. Inform individuals of their right to object at the point of collection and in privacy notices.",
273
+ checks: [
274
+ { id: "PRIV-DSR-05-C1", description: "Objection mechanism available to individuals", status: "not-implemented" },
275
+ { id: "PRIV-DSR-05-C2", description: "Processing stopped upon valid objection", status: "not-implemented" },
276
+ { id: "PRIV-DSR-05-C3", description: "Right to object communicated in privacy notices", status: "not-implemented" },
277
+ ],
278
+ },
279
+ {
280
+ id: "PRIV-DSR-06",
281
+ name: "Automated Decision Review",
282
+ description: "Protect individuals from solely automated decisions with legal or significant effects, including profiling.",
283
+ category: "data-subject-rights",
284
+ framework: "PRIVACY-CORE",
285
+ status: "not-implemented",
286
+ severity: "high",
287
+ implementation_guidance: "Identify all automated decision-making systems and profiling activities. Implement safeguards: human intervention, ability to contest decisions, and explanation of logic. Obtain explicit consent for automated decisions where required. Document the algorithms and criteria used.",
288
+ checks: [
289
+ { id: "PRIV-DSR-06-C1", description: "Automated decision systems identified and documented", status: "not-implemented" },
290
+ { id: "PRIV-DSR-06-C2", description: "Human intervention capability available", status: "not-implemented" },
291
+ { id: "PRIV-DSR-06-C3", description: "Decision explanation provided to individuals", status: "not-implemented" },
292
+ ],
293
+ },
294
+ // ============================================================
295
+ // PRIV-SEC — SECURITY CONTROLS
296
+ // ============================================================
297
+ {
298
+ id: "PRIV-SEC-01",
299
+ name: "Access Management",
300
+ description: "Implement role-based access controls for systems processing personal data.",
301
+ category: "security-controls",
302
+ framework: "PRIVACY-CORE",
303
+ status: "not-implemented",
304
+ severity: "critical",
305
+ implementation_guidance: "Implement RBAC for all systems processing personal data. Apply least privilege principle. Conduct quarterly access reviews. Implement just-in-time access for privileged operations. Log and monitor all access to personal data.",
306
+ checks: [
307
+ { id: "PRIV-SEC-01-C1", description: "RBAC implemented for all personal data systems", status: "not-implemented" },
308
+ { id: "PRIV-SEC-01-C2", description: "Quarterly access reviews conducted", status: "not-implemented" },
309
+ { id: "PRIV-SEC-01-C3", description: "All personal data access logged", status: "not-implemented" },
310
+ ],
311
+ },
312
+ {
313
+ id: "PRIV-SEC-02",
314
+ name: "Encryption",
315
+ description: "Encrypt personal data at rest and in transit using industry-standard algorithms.",
316
+ category: "security-controls",
317
+ framework: "PRIVACY-CORE",
318
+ status: "not-implemented",
319
+ severity: "critical",
320
+ implementation_guidance: "Implement AES-256-GCM encryption at rest for all personal data. Enforce TLS 1.2+ for all data in transit. Implement field-level encryption for highly sensitive data (PII, health data, financial data). Manage encryption keys using a KMS or HSM. Rotate keys periodically.",
321
+ checks: [
322
+ { id: "PRIV-SEC-02-C1", description: "AES-256 encryption at rest for personal data", status: "not-implemented" },
323
+ { id: "PRIV-SEC-02-C2", description: "TLS 1.2+ for all data in transit", status: "not-implemented" },
324
+ { id: "PRIV-SEC-02-C3", description: "Field-level encryption for sensitive PII", status: "not-implemented" },
325
+ { id: "PRIV-SEC-02-C4", description: "Key management via KMS/HSM", status: "not-implemented" },
326
+ ],
327
+ },
328
+ {
329
+ id: "PRIV-SEC-03",
330
+ name: "Pseudonymisation and Anonymisation",
331
+ description: "Implement pseudonymisation and anonymisation techniques to reduce privacy risk.",
332
+ category: "security-controls",
333
+ framework: "PRIVACY-CORE",
334
+ status: "not-implemented",
335
+ severity: "high",
336
+ implementation_guidance: "Implement pseudonymisation for data used in analytics, testing, and research. Store mapping keys separately from pseudonymised data. Implement anonymisation techniques (k-anonymity, differential privacy) for published datasets. Verify anonymisation effectiveness before publishing.",
337
+ checks: [
338
+ { id: "PRIV-SEC-03-C1", description: "Pseudonymisation implemented for analytics/testing", status: "not-implemented" },
339
+ { id: "PRIV-SEC-03-C2", description: "Mapping keys stored separately", status: "not-implemented" },
340
+ { id: "PRIV-SEC-03-C3", description: "Anonymisation verified before data publication", status: "not-implemented" },
341
+ ],
342
+ },
343
+ {
344
+ id: "PRIV-SEC-04",
345
+ name: "Secure Development",
346
+ description: "Integrate privacy and security controls into the software development lifecycle.",
347
+ category: "security-controls",
348
+ framework: "PRIVACY-CORE",
349
+ status: "not-implemented",
350
+ severity: "high",
351
+ implementation_guidance: "Implement privacy by design principles in the SDLC. Conduct privacy impact assessments for new features. Integrate SAST/DAST into CI/CD pipelines. Perform security code reviews. Train developers on secure coding practices.",
352
+ checks: [
353
+ { id: "PRIV-SEC-04-C1", description: "Privacy by design integrated into SDLC", status: "not-implemented" },
354
+ { id: "PRIV-SEC-04-C2", description: "SAST/DAST in CI/CD pipelines", status: "not-implemented" },
355
+ { id: "PRIV-SEC-04-C3", description: "Security code reviews conducted", status: "not-implemented" },
356
+ ],
357
+ },
358
+ // ============================================================
359
+ // PRIV-INC — INCIDENT & BREACH MANAGEMENT
360
+ // ============================================================
361
+ {
362
+ id: "PRIV-INC-01",
363
+ name: "Incident Response Plan",
364
+ description: "Develop and maintain a privacy incident response plan with defined roles and procedures.",
365
+ category: "incident-management",
366
+ framework: "PRIVACY-CORE",
367
+ status: "not-implemented",
368
+ severity: "critical",
369
+ implementation_guidance: "Create a privacy incident response plan covering: detection, classification, containment, eradication, notification, and recovery. Define roles and responsibilities (IR team, legal, communications, DPO). Test the plan annually via tabletop exercises. Update based on lessons learned.",
370
+ checks: [
371
+ { id: "PRIV-INC-01-C1", description: "Privacy incident response plan documented", status: "not-implemented" },
372
+ { id: "PRIV-INC-01-C2", description: "Roles and responsibilities defined", status: "not-implemented" },
373
+ { id: "PRIV-INC-01-C3", description: "Plan tested annually", status: "not-implemented" },
374
+ ],
375
+ },
376
+ {
377
+ id: "PRIV-INC-02",
378
+ name: "Breach Classification",
379
+ description: "Establish criteria for classifying privacy breach severity and determining notification obligations.",
380
+ category: "incident-management",
381
+ framework: "PRIVACY-CORE",
382
+ status: "not-implemented",
383
+ severity: "high",
384
+ implementation_guidance: "Define breach severity levels based on data types, volume, sensitivity, and risk to individuals. Create a decision matrix for regulatory notification thresholds. Document assessment procedures. Train incident responders on classification criteria.",
385
+ checks: [
386
+ { id: "PRIV-INC-02-C1", description: "Breach classification criteria documented", status: "not-implemented" },
387
+ { id: "PRIV-INC-02-C2", description: "Notification decision matrix defined", status: "not-implemented" },
388
+ ],
389
+ },
390
+ {
391
+ id: "PRIV-INC-03",
392
+ name: "Regulatory Notification",
393
+ description: "Implement procedures for notifying regulators of qualifying privacy breaches within statutory timeframes.",
394
+ category: "incident-management",
395
+ framework: "PRIVACY-CORE",
396
+ status: "not-implemented",
397
+ severity: "critical",
398
+ implementation_guidance: "Define regulatory notification procedures for all applicable jurisdictions. Map notification timeframes per jurisdiction (e.g., GDPR 72 hours, various state laws 30-90 days). Prepare notification templates. Maintain regulator contact information. Test notification workflows.",
399
+ checks: [
400
+ { id: "PRIV-INC-03-C1", description: "Notification procedures documented per jurisdiction", status: "not-implemented" },
401
+ { id: "PRIV-INC-03-C2", description: "Notification templates prepared", status: "not-implemented" },
402
+ { id: "PRIV-INC-03-C3", description: "Regulator contact information maintained", status: "not-implemented" },
403
+ ],
404
+ },
405
+ {
406
+ id: "PRIV-INC-04",
407
+ name: "Data Subject Notification",
408
+ description: "Implement procedures for notifying affected individuals of qualifying privacy breaches.",
409
+ category: "incident-management",
410
+ framework: "PRIVACY-CORE",
411
+ status: "not-implemented",
412
+ severity: "high",
413
+ implementation_guidance: "Define criteria for when individual notification is required (high risk to rights and freedoms). Prepare notification templates in relevant languages. Define communication channels (email, mail, in-app, public notice). Coordinate timing with regulatory notifications.",
414
+ checks: [
415
+ { id: "PRIV-INC-04-C1", description: "Individual notification criteria defined", status: "not-implemented" },
416
+ { id: "PRIV-INC-04-C2", description: "Multi-language notification templates prepared", status: "not-implemented" },
417
+ { id: "PRIV-INC-04-C3", description: "Communication channels defined", status: "not-implemented" },
418
+ ],
419
+ },
420
+ // ============================================================
421
+ // PRIV-VEN — THIRD-PARTY MANAGEMENT
422
+ // ============================================================
423
+ {
424
+ id: "PRIV-VEN-01",
425
+ name: "Vendor Due Diligence",
426
+ description: "Conduct privacy and security due diligence before engaging vendors processing personal data.",
427
+ category: "vendor-management",
428
+ framework: "PRIVACY-CORE",
429
+ status: "not-implemented",
430
+ severity: "high",
431
+ implementation_guidance: "Establish a vendor assessment process evaluating privacy practices, security controls, certifications (ISO 27001, SOC 2), and compliance history. Classify vendors by risk level. Require completion of security questionnaires. Document assessment results and risk decisions.",
432
+ checks: [
433
+ { id: "PRIV-VEN-01-C1", description: "Vendor assessment process documented and enforced", status: "not-implemented" },
434
+ { id: "PRIV-VEN-01-C2", description: "Vendors classified by risk level", status: "not-implemented" },
435
+ { id: "PRIV-VEN-01-C3", description: "Security questionnaires completed for high-risk vendors", status: "not-implemented" },
436
+ ],
437
+ },
438
+ {
439
+ id: "PRIV-VEN-02",
440
+ name: "Processor Agreements",
441
+ description: "Execute data processing agreements (DPAs) with all vendors acting as data processors.",
442
+ category: "vendor-management",
443
+ framework: "PRIVACY-CORE",
444
+ status: "not-implemented",
445
+ severity: "critical",
446
+ implementation_guidance: "Execute DPAs with all processors before data sharing. Ensure DPAs define: processing scope, security obligations, sub-processor controls, breach notification timelines, data return/deletion, and audit rights. Review and renew DPAs at least annually or upon material changes.",
447
+ checks: [
448
+ { id: "PRIV-VEN-02-C1", description: "DPAs executed with all processors", status: "not-implemented" },
449
+ { id: "PRIV-VEN-02-C2", description: "DPAs include all legally required clauses", status: "not-implemented" },
450
+ { id: "PRIV-VEN-02-C3", description: "DPAs reviewed and renewed annually", status: "not-implemented" },
451
+ ],
452
+ },
453
+ {
454
+ id: "PRIV-VEN-03",
455
+ name: "Ongoing Monitoring",
456
+ description: "Monitor vendor compliance with privacy and security requirements throughout the relationship.",
457
+ category: "vendor-management",
458
+ framework: "PRIVACY-CORE",
459
+ status: "not-implemented",
460
+ severity: "medium",
461
+ implementation_guidance: "Conduct periodic reviews of vendor security posture. Require annual SOC 2 or equivalent reports. Track vendor breach notifications. Monitor for changes in vendor security certifications. Reassess vendors upon scope changes or incidents.",
462
+ checks: [
463
+ { id: "PRIV-VEN-03-C1", description: "Annual vendor security reviews conducted", status: "not-implemented" },
464
+ { id: "PRIV-VEN-03-C2", description: "Vendor breach notifications tracked", status: "not-implemented" },
465
+ ],
466
+ },
467
+ // ============================================================
468
+ // PRIV-XBT — CROSS-BORDER TRANSFERS
469
+ // ============================================================
470
+ {
471
+ id: "PRIV-XBT-01",
472
+ name: "Transfer Assessment",
473
+ description: "Identify and document all cross-border personal data transfers.",
474
+ category: "cross-border-transfers",
475
+ framework: "PRIVACY-CORE",
476
+ status: "not-implemented",
477
+ severity: "critical",
478
+ implementation_guidance: "Map all international personal data transfers including: source/destination countries, data categories, transfer mechanisms, recipients, and purpose. Maintain a transfer register. Update when new transfers are established. Identify transfers to non-adequate countries.",
479
+ checks: [
480
+ { id: "PRIV-XBT-01-C1", description: "Cross-border transfer register maintained", status: "not-implemented" },
481
+ { id: "PRIV-XBT-01-C2", description: "All transfers mapped with countries and mechanisms", status: "not-implemented" },
482
+ ],
483
+ },
484
+ {
485
+ id: "PRIV-XBT-02",
486
+ name: "Adequacy Assessment",
487
+ description: "Determine whether destination countries have adequate data protection levels.",
488
+ category: "cross-border-transfers",
489
+ framework: "PRIVACY-CORE",
490
+ status: "not-implemented",
491
+ severity: "high",
492
+ implementation_guidance: "Maintain a list of countries recognized as providing adequate data protection (EU adequacy decisions, UK adequacy regulations, etc.). Verify adequacy status before transferring data. For non-adequate countries, implement appropriate safeguards (SCCs, BCRs, or derogations).",
493
+ checks: [
494
+ { id: "PRIV-XBT-02-C1", description: "Adequacy status tracked per destination country", status: "not-implemented" },
495
+ { id: "PRIV-XBT-02-C2", description: "Safeguards implemented for non-adequate transfers", status: "not-implemented" },
496
+ ],
497
+ },
498
+ {
499
+ id: "PRIV-XBT-03",
500
+ name: "Standard Contractual Clauses",
501
+ description: "Execute Standard Contractual Clauses (SCCs) or equivalent safeguards for non-adequate transfers.",
502
+ category: "cross-border-transfers",
503
+ framework: "PRIVACY-CORE",
504
+ status: "not-implemented",
505
+ severity: "high",
506
+ implementation_guidance: "Execute the latest version of SCCs (EU SCCs, UK IDTA, or equivalent) for all transfers to non-adequate countries. Conduct Transfer Impact Assessments (TIAs) before relying on SCCs. Implement supplementary measures where TIAs identify risks. Maintain executed SCC records.",
507
+ checks: [
508
+ { id: "PRIV-XBT-03-C1", description: "SCCs executed for all non-adequate transfers", status: "not-implemented" },
509
+ { id: "PRIV-XBT-03-C2", description: "Transfer Impact Assessments conducted", status: "not-implemented" },
510
+ { id: "PRIV-XBT-03-C3", description: "Supplementary measures implemented where needed", status: "not-implemented" },
511
+ ],
512
+ },
513
+ {
514
+ id: "PRIV-XBT-04",
515
+ name: "Data Localization Requirements",
516
+ description: "Identify and comply with data localization mandates applicable to the organization.",
517
+ category: "cross-border-transfers",
518
+ framework: "PRIVACY-CORE",
519
+ status: "not-implemented",
520
+ severity: "high",
521
+ implementation_guidance: "Identify countries with data localization requirements (e.g., China PIPL, Russia, India DPDPA for certain data). Implement technical controls ensuring affected data remains within required jurisdictions. Monitor regulatory changes affecting localization obligations. Document compliance measures.",
522
+ checks: [
523
+ { id: "PRIV-XBT-04-C1", description: "Data localization requirements identified per jurisdiction", status: "not-implemented" },
524
+ { id: "PRIV-XBT-04-C2", description: "Technical controls enforce localization", status: "not-implemented" },
525
+ ],
526
+ },
527
+ // ============================================================
528
+ // PRIV-RET — RETENTION & DISPOSAL
529
+ // ============================================================
530
+ {
531
+ id: "PRIV-RET-01",
532
+ name: "Retention Schedule",
533
+ description: "Define and enforce data retention periods for each category of personal data.",
534
+ category: "data-retention",
535
+ framework: "PRIVACY-CORE",
536
+ status: "not-implemented",
537
+ severity: "critical",
538
+ implementation_guidance: "Create a retention schedule defining how long each data category is retained based on legal requirements, business needs, and contractual obligations. Implement automated retention enforcement (TTL, scheduled deletion). Review and update the schedule at least annually. Document retention decisions.",
539
+ checks: [
540
+ { id: "PRIV-RET-01-C1", description: "Retention schedule documented per data category", status: "not-implemented" },
541
+ { id: "PRIV-RET-01-C2", description: "Automated retention enforcement implemented", status: "not-implemented" },
542
+ { id: "PRIV-RET-01-C3", description: "Retention schedule reviewed annually", status: "not-implemented" },
543
+ ],
544
+ },
545
+ {
546
+ id: "PRIV-RET-02",
547
+ name: "Secure Disposal",
548
+ description: "Implement secure disposal procedures for personal data that has exceeded retention.",
549
+ category: "data-retention",
550
+ framework: "PRIVACY-CORE",
551
+ status: "not-implemented",
552
+ severity: "high",
553
+ implementation_guidance: "Define secure disposal methods for digital data (cryptographic erase, overwriting, secure deletion) and physical media (shredding, degaussing, incineration). Document disposal actions including date, method, data category, and personnel. Verify disposal effectiveness periodically.",
554
+ checks: [
555
+ { id: "PRIV-RET-02-C1", description: "Secure disposal procedures documented", status: "not-implemented" },
556
+ { id: "PRIV-RET-02-C2", description: "Disposal actions logged and verified", status: "not-implemented" },
557
+ ],
558
+ },
559
+ {
560
+ id: "PRIV-RET-03",
561
+ name: "Data Minimization",
562
+ description: "Collect and retain only the minimum personal data necessary for stated purposes.",
563
+ category: "data-retention",
564
+ framework: "PRIVACY-CORE",
565
+ status: "not-implemented",
566
+ severity: "medium",
567
+ implementation_guidance: "Implement data minimization principles: collect only data necessary for the stated purpose, implement field-level controls in forms, conduct periodic data minimization reviews, and anonymize or delete data no longer needed.",
568
+ checks: [
569
+ { id: "PRIV-RET-03-C1", description: "Data minimization principles applied to collection forms", status: "not-implemented" },
570
+ { id: "PRIV-RET-03-C2", description: "Periodic minimization reviews conducted", status: "not-implemented" },
571
+ ],
572
+ },
573
+ // ============================================================
574
+ // PRIV-TRN — TRAINING & AWARENESS
575
+ // ============================================================
576
+ {
577
+ id: "PRIV-TRN-01",
578
+ name: "Employee Privacy Training",
579
+ description: "Provide privacy awareness training to all employees upon hire and at least annually.",
580
+ category: "privacy-training",
581
+ framework: "PRIVACY-CORE",
582
+ status: "not-implemented",
583
+ severity: "high",
584
+ implementation_guidance: "Provide privacy training covering: data handling procedures, individual rights, breach reporting, data minimization, secure communication, and applicable privacy laws. Track completion. Require annual refresher training. Update content to reflect regulatory changes.",
585
+ checks: [
586
+ { id: "PRIV-TRN-01-C1", description: "Privacy training provided on hire", status: "not-implemented" },
587
+ { id: "PRIV-TRN-01-C2", description: "Annual refresher training completed by all staff", status: "not-implemented" },
588
+ { id: "PRIV-TRN-01-C3", description: "Training completion tracked", status: "not-implemented" },
589
+ ],
590
+ },
591
+ {
592
+ id: "PRIV-TRN-02",
593
+ name: "Specialized Role Training",
594
+ description: "Provide role-specific privacy training to personnel with specialized privacy responsibilities.",
595
+ category: "privacy-training",
596
+ framework: "PRIVACY-CORE",
597
+ status: "not-implemented",
598
+ severity: "medium",
599
+ implementation_guidance: "Identify roles requiring specialized training (developers, system admins, customer support, HR, legal). Develop role-specific training modules. Include hands-on exercises for data handling, DSAR processing, and breach response. Update training content annually.",
600
+ checks: [
601
+ { id: "PRIV-TRN-02-C1", description: "Specialized roles identified and documented", status: "not-implemented" },
602
+ { id: "PRIV-TRN-02-C2", description: "Role-specific training modules delivered", status: "not-implemented" },
603
+ ],
604
+ },
605
+ {
606
+ id: "PRIV-TRN-03",
607
+ name: "Privacy Awareness Program",
608
+ description: "Maintain ongoing privacy awareness activities beyond formal training.",
609
+ category: "privacy-training",
610
+ framework: "PRIVACY-CORE",
611
+ status: "not-implemented",
612
+ severity: "low",
613
+ implementation_guidance: "Conduct ongoing awareness activities: privacy newsletters, awareness campaigns (Data Privacy Day), phishing simulations, privacy tips in internal communications, and visible privacy policy reminders. Measure awareness through periodic assessments.",
614
+ checks: [
615
+ { id: "PRIV-TRN-03-C1", description: "Ongoing awareness activities conducted", status: "not-implemented" },
616
+ { id: "PRIV-TRN-03-C2", description: "Awareness measured through periodic assessments", status: "not-implemented" },
617
+ ],
618
+ },
619
+ ];
620
+ return {
621
+ id: "privacy-core",
622
+ name: "Privacy Core Framework (Global Baseline)",
623
+ description: "Universal privacy controls covering 10 core domains: Governance, Data Inventory, Consent Management, Data Subject Rights, Security Controls, Incident Management, Third-Party Management, Cross-Border Transfers, Retention & Disposal, and Training & Awareness. This is the foundational layer — install country packs on top for jurisdiction-specific requirements.",
624
+ version: "1.0.0",
625
+ project_types: [
626
+ "saas",
627
+ "ai-application",
628
+ "healthcare-system",
629
+ "generic-web-application",
630
+ "api-backend",
631
+ "mobile-application",
632
+ "government-system",
633
+ "mcp-server",
634
+ "blockchain",
635
+ "event-platform",
636
+ "photo-storage-platform",
637
+ "vulnerability-scanner",
638
+ "wallet",
639
+ ],
640
+ controls,
641
+ frameworks: ["PRIVACY-CORE"],
642
+ };
643
+ }