/compliance-check -- Compliance Review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.

Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.

Usage

/compliance-check $ARGUMENTS

What I Need From You

Describe what you're planning to do. Examples:

Output

## Compliance Check: [Initiative]

### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]

### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |

### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |

### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |

### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]

### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |

### Further Review Recommended
[Areas where outside counsel or specialist review is advised]

Privacy Regulation Overview

GDPR (General Data Protection Regulation)

Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.

Key Obligations for In-House Legal Teams:

Common In-House Legal Touchpoints:

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.

Key Obligations:

Response Timelines:

Other Key Regulations to Monitor

Regulation Jurisdiction Key Differentiators
LGPD (Brazil) Brazil Similar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement
POPIA (South Africa) South Africa Information Regulator oversight; required registration of processing
PIPEDA (Canada) Canada (federal) Consent-based framework; OPC oversight; being modernized
PDPA (Singapore) Singapore Do Not Call registry; mandatory breach notification; PDPC enforcement
Privacy Act (Australia) Australia Australian Privacy Principles (APPs); notifiable data breaches scheme
PIPL (China) China Strict cross-border transfer rules; data localization requirements; CAC oversight
UK GDPR United Kingdom Post-Brexit UK version; ICO oversight; similar to EU GDPR with UK-specific adequacy

DPA Review Checklist

When reviewing a Data Processing Agreement or Data Processing Addendum, verify the following:

Required Elements (GDPR Article 28)

Processor Obligations

International Transfers

Practical Considerations

Common DPA Issues

Issue Risk Standard Position
Blanket sub-processor authorization without notification Loss of control over processing chain Require notification with right to object
Breach notification timeline > 72 hours May prevent timely regulatory notification Require notification within 24-48 hours
No audit rights (or audit rights only via third-party reports) Cannot verify compliance Accept SOC 2 Type II + right to audit upon cause
Data deletion timeline not specified Data retained indefinitely Require deletion within 30-90 days of termination
No data processing locations specified Data could be processed anywhere Require disclosure of processing locations
Outdated SCCs Invalid transfer mechanism Require current EU SCCs (2021 version)

Data Subject Request Handling

Request Intake

When a data subject request is received:

  1. Identify the request type:

  2. Identify applicable regulation(s):

  3. Verify identity:

  4. Log the request:

Response Timelines

Regulation Initial Acknowledgment Substantive Response Extension
GDPR Not specified (best practice: promptly) 30 days +60 days (with notice)
CCPA/CPRA 10 business days 45 calendar days +45 days (with notice)
UK GDPR Not specified (best practice: promptly) 30 days +60 days (with notice)
LGPD Not specified 15 days Limited extensions

Exemptions and Exceptions

Before fulfilling a request, check whether any exemptions apply:

Common exemptions across regulations:

Organization-specific considerations:

Response Process

  1. Gather all personal data of the requester across systems
  2. Apply any exemptions and document the basis
  3. Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled
  4. If denying (in whole or part): cite the specific legal basis for denial
  5. Inform the requester of their right to lodge a complaint with the supervisory authority
  6. Document the response and retain records of the request and response

Regulatory Monitoring Basics

What to Monitor

Maintain awareness of developments in:

Monitoring Approach

  1. Subscribe to regulatory authority communications (newsletters, RSS feeds, official announcements)
  2. Track relevant legal publications for analysis of new developments
  3. Review industry association updates for sector-specific guidance
  4. Maintain a regulatory calendar of known upcoming deadlines, effective dates, and compliance milestones
  5. Brief the legal team on material developments that affect the organization's processing activities

Escalation Criteria

Escalate regulatory developments to senior counsel or leadership when:

Tips

  1. Be specific — "We want to email all our users" is better than "marketing campaign."
  2. Include the geography — Compliance requirements vary by jurisdiction.
  3. Mention the data — What personal data is involved? This drives most compliance requirements.