Section 37 · Operations & Incident Management
GDPR & Privacy Compliance
User rights, consent management, and privacy documentation for regulatory compliance
This guide walks you through auditing a project's GDPR and privacy compliance - user rights, consent management, and required documentation.
The Goal: Privacy by Design
User data should be handled with intentionality. Rights are exercisable, consent is meaningful, and data flows are documented and controlled.
- Exercisable — Users can delete, export, and manage their data through clear mechanisms
- Enforceable — No tracking before consent; withdrawal as easy as granting
- Documented — Privacy policy current, ROPA maintained, all processors known and contracted
- Complete — Deletion and export cover all services, not just the main database
Before You Start
- Identify target markets (EU users trigger GDPR, California triggers CCPA, etc.)
- Understand data collected (what personal data, how sensitive)
- Check for existing privacy documentation (privacy policy, ROPA, DPAs)
- Review user-facing flows (signup, consent banners, account settings)
Right to Be Forgotten
Users have the right to request deletion of their personal data. A mechanism must exist (self-service or a documented request process), and the internal handling procedures must be documented.
“Could a user delete their data right now, today?”
Deletion requests must be logged for compliance inquiries. Track who requested, when, what was deleted, and who processed it.
“Prove you deleted a user's data. Where's the log?”
GDPR requires a response within one month. Define and communicate timelines, and track each request against its deadline.
“Deletion request arrives today — when is it done?”
User data exists in many places (database, analytics, CRM, payment processor, etc.). Deletion must cover all services. Maintain a data map of where user data lives.
“User deleted — still in your CRM? Your analytics?”
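As an added example (not part of this guide), the four points above as one small erasure workflow: a data map of every store holding personal data, a deletion routine that runs every handler and logs who/when/what/processor for each, a one-month deadline computed from the receipt date, and a check for stores still outstanding. The store names, the in-memory stores and the failing CRM handler are constructed stand-ins, not any real service's API.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-ins for two stores; the CRM stub fails to show an incomplete erasure.
PRIMARY_DB = {"u42": {"email": "u42@example.com"}, "u7": {"email": "u7@example.com"}}
ANALYTICS = {"u42": ["pageview", "click"], "u7": ["pageview"]}
def erase_crm(user_id: str) -> None:
    raise ConnectionError("CRM API unreachable")  # hypothetical outage

# The data map: every place personal data lives, paired with its erasure handler.
DATA_MAP = {
    "primary_db": lambda uid: PRIMARY_DB.pop(uid, None),
    "analytics": lambda uid: ANALYTICS.pop(uid, None),
    "crm": erase_crm}

def one_month_after(d: date) -> date:
    """Response deadline for the one-month window; day clamped to month end."""
    y, m = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    month_end = (date(y + 1, 1, 1) if m == 12 else date(y, m + 1, 1)) - timedelta(days=1)
    return date(y, m, min(d.day, month_end.day))

@dataclass
class DeletionRequest:
    user_id: str
    requested_by: str  # who asked: the user, a verified agent, the DPO
    received: date
    processed_by: str  # operator accountable for running the erasure
    log: list[dict] = field(default_factory=list)  # audit trail, one entry per store
    @property
    def deadline(self) -> date:
        return one_month_after(self.received)

def process_deletion(req: DeletionRequest, data_map: dict, today: date) -> DeletionRequest:
    """Erase the user from every store; log each outcome, failures included."""
    for store, erase in data_map.items():
        try:
            erase(req.user_id)
            status = "deleted"
        except Exception as exc:  # a failing service must not be silently skipped
            status = f"failed: {exc}"
        req.log.append({"store": store, "status": status,
                        "at": today.isoformat(), "by": req.processed_by})
    return req

def outstanding(req: DeletionRequest) -> list[str]:
    """Stores still holding the user's data; empty means the deletion is complete."""
    return [e["store"] for e in req.log if e["status"] != "deleted"]

def is_overdue(req: DeletionRequest, today: date) -> bool:
    return bool(outstanding(req)) and today > req.deadline
```

A request is only closed when `outstanding()` is empty; until then the log is the evidence of what was erased, where, and by whom, and `is_overdue()` flags it once the deadline passes.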
Consent Management
No tracking before consent. Configure GTM consent mode (or equivalent), ensure the backend respects consent flags, and verify that no scripts fire before consent is given.
“What fires before a user clicks accept on your banner?”
Store consent decisions server-side (not just cookies). Record who consented, when, to what categories, and which policy version. Enable retrieval for audits.
“Can you prove a specific user consented in 2023?”
Withdrawal must be as easy as giving consent. Provide persistent access to consent settings (footer link, settings page). Verify withdrawal stops tracking.
“Withdrawing consent — easier or harder than giving it?”
Privacy Documentation
Privacy policy must exist, be current (updated within 12 months or after changes), and include GDPR-required disclosures (controller, purposes, legal basis, rights, etc.).
“When was your privacy policy last updated?”
GDPR Article 30 requires a Record of Processing Activities (ROPA). Document all processing activities with their purposes, data categories, recipients, retention periods, and security measures.
“List every place you process user data. All of them.”
Maintain a list of all third parties processing user data. Have a DPA with each processor. Disclose processors in the privacy policy. Vet new vendors for GDPR compliance.
“Which vendors touch your users' data — and are they GDPR-compliant?”