/compliance-check --
Compliance Review
If you see unfamiliar placeholders or need to check which tools are
connected, see CONNECTORS.md.
Run a compliance check on a proposed action, product feature,
marketing campaign, or business initiative.
Important: This command assists with legal workflows
but does not provide legal advice. Compliance assessments should be
reviewed by qualified legal professionals. Regulatory requirements
change frequently; always verify current requirements with authoritative
sources.
Usage
/compliance-check $ARGUMENTS
What I Need From You
Describe what you're planning to do. Examples:
- "We want to launch a referral program with cash rewards"
- "We're adding biometric authentication to our mobile app"
- "We need to process EU customer data in our US data center"
- "Marketing wants to use customer testimonials in ads"
Output
## Compliance Check: [Initiative]
### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]
### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |
### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |
### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |
### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]
### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |
### Further Review Recommended
[Areas where outside counsel or specialist review is advised]
Privacy Regulation Overview
GDPR (General Data
Protection Regulation)
Scope: Applies to processing of personal data of
individuals in the EU/EEA, regardless of where the processing
organization is located.
Key Obligations for In-House Legal Teams:
- Lawful basis: Identify and document lawful basis
for each processing activity (consent, contract, legitimate interest,
legal obligation, vital interest, public task)
- Data subject rights: Respond to access,
rectification, erasure, portability, restriction, and objection requests
within 30 days (extendable by 60 days for complex requests)
- Data protection impact assessments (DPIAs):
Required for processing likely to result in high risk to
individuals
- Breach notification: Notify supervisory authority
within 72 hours of becoming aware of a personal data breach; notify
affected individuals without undue delay if high risk
- Records of processing: Maintain Article 30 records
of processing activities
- International transfers: Ensure appropriate
safeguards for transfers outside EEA (SCCs, adequacy decisions,
BCRs)
- DPO requirement: Appoint a Data Protection Officer
if required (public authority, large-scale processing of special
categories, large-scale systematic monitoring)
Common In-House Legal Touchpoints:
- Reviewing vendor DPAs for GDPR compliance
- Advising product teams on privacy by design requirements
- Responding to supervisory authority inquiries
- Managing cross-border data transfer mechanisms
- Reviewing consent mechanisms and privacy notices
CCPA
/ CPRA (California Consumer Privacy Act / California Privacy Rights
Act)
Scope: Applies to businesses that collect personal
information of California residents and meet revenue, data volume, or
data sale thresholds.
Key Obligations:
- Right to know: Consumers can request disclosure of
personal information collected, used, and shared
- Right to delete: Consumers can request deletion of
their personal information
- Right to opt-out: Consumers can opt out of the sale
or sharing of personal information
- Right to correct: Consumers can request correction
of inaccurate personal information (CPRA addition)
- Right to limit use of sensitive personal
information: Consumers can limit use of sensitive PI to
specific purposes (CPRA addition)
- Non-discrimination: Cannot discriminate against
consumers who exercise their rights
- Privacy notice: Must provide a privacy notice at or
before collection describing categories of PI collected and
purposes
- Service provider agreements: Contracts with service
providers must restrict use of PI to the specified business purpose
Response Timelines:
- Acknowledge receipt within 10 business days
- Respond substantively within 45 calendar days (extendable by 45 days
with notice)
Other Key Regulations to
Monitor
| Regulation |
Jurisdiction |
Key Differentiators |
| LGPD (Brazil) |
Brazil |
Similar to GDPR; requires DPO appointment; National Data Protection
Authority (ANPD) enforcement |
| POPIA (South Africa) |
South Africa |
Information Regulator oversight; required registration of
processing |
| PIPEDA (Canada) |
Canada (federal) |
Consent-based framework; OPC oversight; being modernized |
| PDPA (Singapore) |
Singapore |
Do Not Call registry; mandatory breach notification; PDPC
enforcement |
| Privacy Act (Australia) |
Australia |
Australian Privacy Principles (APPs); notifiable data breaches
scheme |
| PIPL (China) |
China |
Strict cross-border transfer rules; data localization requirements;
CAC oversight |
| UK GDPR |
United Kingdom |
Post-Brexit UK version; ICO oversight; similar to EU GDPR with
UK-specific adequacy |
DPA Review Checklist
When reviewing a Data Processing Agreement or Data Processing
Addendum, verify the following:
Required Elements (GDPR
Article 28)
Processor Obligations
International Transfers
Practical Considerations
Common DPA Issues
| Issue |
Risk |
Standard Position |
| Blanket sub-processor authorization without notification |
Loss of control over processing chain |
Require notification with right to object |
| Breach notification timeline > 72 hours |
May prevent timely regulatory notification |
Require notification within 24-48 hours |
| No audit rights (or audit rights only via third-party reports) |
Cannot verify compliance |
Accept SOC 2 Type II + right to audit upon cause |
| Data deletion timeline not specified |
Data retained indefinitely |
Require deletion within 30-90 days of termination |
| No data processing locations specified |
Data could be processed anywhere |
Require disclosure of processing locations |
| Outdated SCCs |
Invalid transfer mechanism |
Require current EU SCCs (2021 version) |
Data Subject Request
Handling
Request Intake
When a data subject request is received:
Identify the request type:
- Access (copy of personal data)
- Rectification (correction of inaccurate data)
- Erasure / deletion ("right to be forgotten")
- Restriction of processing
- Data portability (structured, machine-readable format)
- Objection to processing
- Opt-out of sale/sharing (CCPA/CPRA)
- Limit use of sensitive personal information (CPRA)
Identify applicable regulation(s):
- Where is the data subject located?
- Which laws apply based on your organization's presence and
activities?
- What are the specific requirements and timelines?
Verify identity:
- Confirm the requester is who they claim to be
- Use reasonable verification measures proportionate to the
sensitivity of the data
- Do not require excessive documentation
Log the request:
- Date received
- Request type
- Requester identity
- Applicable regulation
- Response deadline
- Assigned handler
Response Timelines
| Regulation |
Initial Acknowledgment |
Substantive Response |
Extension |
| GDPR |
Not specified (best practice: promptly) |
30 days |
+60 days (with notice) |
| CCPA/CPRA |
10 business days |
45 calendar days |
+45 days (with notice) |
| UK GDPR |
Not specified (best practice: promptly) |
30 days |
+60 days (with notice) |
| LGPD |
Not specified |
15 days |
Limited extensions |
Exemptions and Exceptions
Before fulfilling a request, check whether any exemptions apply:
Common exemptions across regulations:
- Legal claims defense or establishment
- Legal obligations requiring retention
- Public interest or official authority
- Freedom of expression and information (for erasure requests)
- Archiving in the public interest or scientific/historical
research
Organization-specific considerations:
- Litigation hold: Data subject to a legal hold cannot be deleted
- Regulatory retention: Financial records, employment records, and
other categories may have mandatory retention periods
- Third-party rights: Fulfilling the request might adversely affect
the rights of others
Response Process
- Gather all personal data of the requester across systems
- Apply any exemptions and document the basis
- Prepare response: fulfill the request or explain why (in whole or
part) it cannot be fulfilled
- If denying (in whole or part): cite the specific legal basis for
denial
- Inform the requester of their right to lodge a complaint with the
supervisory authority
- Document the response and retain records of the request and
response
Regulatory Monitoring Basics
What to Monitor
Maintain awareness of developments in:
- Regulatory guidance: New or updated guidance from
supervisory authorities (ICO, CNIL, FTC, state AGs, etc.)
- Enforcement actions: Fines, orders, and settlements
that signal regulatory priorities
- Legislative changes: New privacy laws, amendments
to existing laws, implementing regulations
- Industry standards: Updates to ISO 27001, SOC 2,
NIST frameworks, and sector-specific requirements
- Cross-border transfer developments: Adequacy
decisions, SCC updates, data localization requirements
Monitoring Approach
- Subscribe to regulatory authority communications
(newsletters, RSS feeds, official announcements)
- Track relevant legal publications for analysis of
new developments
- Review industry association updates for
sector-specific guidance
- Maintain a regulatory calendar of known upcoming
deadlines, effective dates, and compliance milestones
- Brief the legal team on material developments that
affect the organization's processing activities
Escalation Criteria
Escalate regulatory developments to senior counsel or leadership
when:
- A new regulation or guidance directly affects the organization's
core business activities
- An enforcement action in the organization's sector signals
heightened regulatory scrutiny
- A compliance deadline is approaching that requires organizational
changes
- A data transfer mechanism the organization relies on is challenged
or invalidated
- A regulatory authority initiates an inquiry or investigation
involving the organization
Tips
- Be specific — "We want to email all our users" is
better than "marketing campaign."
- Include the geography — Compliance requirements
vary by jurisdiction.
- Mention the data — What personal data is involved?
This drives most compliance requirements.