privacy_maturity:
  governance: _/5        # Leadership, DPO, budget, reporting
  data_inventory: _/5    # ROPA completeness, data flows mapped
  legal_compliance: _/5  # Lawful bases, consent, notices
  individual_rights: _/5 # DSAR process, response times
  security: _/5          # Technical + organizational measures
  vendor_management: _/5 # DPAs, processor oversight
  incident_response: _/5 # Breach detection, notification
  culture: _/5           # Training, awareness, privacy-by-design
  total: _/40
  tier: _  # <15 Ad-hoc | 15-24 Developing | 25-32 Defined | 33-38 Managed | 39-40 Optimized

assessment:
  organization: "[Company name]"
  industry: "[sector]"
  jurisdictions: ["US-CA", "EU", "UK", "BR"]  # Where you operate/collect data
  data_subjects: ["customers", "employees", "prospects", "website_visitors"]
  estimated_records: "[volume]"
  current_state:
    has_dpo: [yes/no]
    has_ropa: [yes/no]
    has_privacy_policy: [yes/no]
    has_dpa_template: [yes/no]
    has_breach_plan: [yes/no]
    prior_incidents: [count]
    pending_dsars: [count]
  applicable_regulations: []  # Auto-detect from jurisdictions
  budget_tier: "[startup/growth/enterprise]"
  priority: "[compliance deadline/risk reduction/competitive advantage]"

processing_activity:
  id: "PA-001"
  name: "[e.g., Customer Account Management]"
  description: "[What this processing involves]"
  
  # GDPR Article 30 required fields
  controller: "[Legal entity name]"
  dpo_contact: "[DPO email]"
  purpose: "[Specific purpose — not generic]"
  lawful_basis: "[consent|contract|legal_obligation|vital_interest|public_task|legitimate_interest]"
  legitimate_interest_assessment: "[If LI, document balancing test]"
  
  # Data details
  data_subjects: ["customers", "employees"]
  data_categories:
    - category: "Identity"
      fields: ["name", "email", "phone"]
      sensitivity: "standard"
    - category: "Financial"  
      fields: ["payment card", "bank account"]
      sensitivity: "high"
    - category: "Special category"
      fields: ["health data"]
      sensitivity: "special"
      additional_condition: "[explicit consent / employment law / ...]"
  
  # Data flow
  source: "[How data is collected — forms, API, third party]"
  storage_location: "[System, provider, region]"
  recipients:
    internal: ["Marketing team", "Support team"]
    processors: ["Stripe (payments)", "AWS (hosting)"]
    third_parties: ["Analytics partner"]
    cross_border: 
      - destination: "US"
        mechanism: "SCCs + supplementary measures"
  
  # Lifecycle
  retention_period: "[e.g., 3 years after account closure]"
  retention_justification: "[Legal requirement / business need]"
  deletion_method: "[automated/manual]"
  
  # Security
  security_measures: ["encryption at rest", "encryption in transit", "access controls", "audit logging"]
  dpia_required: [yes/no]
  dpia_reference: "[DPIA-001 if applicable]"
  
  # Metadata
  owner: "[Business process owner]"
  last_reviewed: "YYYY-MM-DD"
  next_review: "YYYY-MM-DD"
  status: "active"

consent_record:
  id: "CON-001"
  data_subject_id: "[hashed identifier]"
  purpose: "[Specific purpose]"
  consent_text: "[Exact wording shown]"
  collection_method: "[web form / app / verbal / paper]"
  timestamp: "YYYY-MM-DDTHH:MM:SSZ"
  ip_address: "[if web]"
  version: "[privacy policy version at time of consent]"
  granular: true  # Separate consent per purpose
  freely_given: true  # Not bundled with service
  withdrawable: true  # Easy mechanism exists
  status: "active"  # active | withdrawn | expired
  withdrawal_date: null

Tier 1 — Strictly Necessary: No consent needed, always on
Tier 2 — Functional: Preferences, language, region
Tier 3 — Analytics: Google Analytics, Hotjar, Mixpanel
Tier 4 — Marketing: Facebook Pixel, Google Ads, retargeting

1. RECEIVE → Log request, assign ID, acknowledge within 3 business days
2. VERIFY → Confirm identity (2-factor for sensitive data)
   - Email verification + government ID for high-risk
   - Account login for authenticated users
   - DON'T collect more data than needed to verify
3. SCOPE → Determine what's being requested
   - Which right(s)?
   - Which data/processing activities?
   - Any exemptions apply?
4. SEARCH → Query all systems for subject's data
   - Production databases
   - Backups (note: different rules may apply)
   - Third-party processors
   - Paper records
5. REVIEW → Apply exemptions if applicable
   - Third-party data (redact others' personal data)
   - Trade secrets / IP
   - Legal privilege
   - Ongoing investigations
6. RESPOND → Within deadline, in accessible format
   - Access: Provide data in structured, machine-readable format
   - Deletion: Confirm deletion, notify processors
   - Portability: CSV or JSON, common format
7. CLOSE → Document response, update DSAR log

Subject: Your Privacy Request [REF-XXXX]

We received your request on [date] to [access/delete/correct] your personal data.

We will respond within [30/45] days. If we need more time, we'll let you know.

To verify your identity, please [verification step].

Questions? Contact our DPO at [email].

Subject: Your Data Access Request Complete [REF-XXXX]

Attached is the personal data we hold about you, organized by category:
- Identity data: [summary]
- Contact data: [summary]  
- Transaction data: [summary]

Processing purposes and legal bases are detailed in the attached report.

If you'd like to exercise additional rights (correction, deletion), reply to this email.

dsar_metrics:
  period: "YYYY-MM"
  requests_received: 0
  by_type:
    access: 0
    deletion: 0
    rectification: 0
    portability: 0
    objection: 0
    opt_out_sale: 0
  avg_response_days: 0
  within_deadline_pct: 0  # Target: 100%
  requests_denied: 0
  denial_reasons: []
  avg_cost_per_request: 0
  automation_rate: 0  # % handled without manual intervention

dpia:
  id: "DPIA-001"
  project: "[Project/system name]"
  date: "YYYY-MM-DD"
  assessor: "[DPO / Privacy team]"
  status: "draft"  # draft | review | approved | rejected
  
  # 1. Description
  description:
    nature: "[What processing will be done]"
    scope: "[Data subjects, volume, geographic scope]"
    context: "[Relationship with data subjects, expectations]"
    purpose: "[Why this processing is needed]"
    lawful_basis: "[Basis + justification]"
  
  # 2. Necessity & Proportionality
  necessity:
    is_processing_necessary: "[Yes + why no less invasive alternative exists]"
    data_minimization: "[Only necessary data collected — confirm]"
    retention_justified: "[Retention period + justification]"
    data_quality: "[How accuracy is maintained]"
    transparency: "[How data subjects are informed]"
  
  # 3. Risk Assessment
  risks:
    - risk: "[e.g., Unauthorized access to sensitive data]"
      likelihood: "[low/medium/high]"  # 1-5
      severity: "[low/medium/high]"    # 1-5
      risk_score: 0  # likelihood × severity
      source: "[threat actor / system failure / human error]"
      impact_on_individuals: "[What harm could occur]"
    
  # 4. Mitigation Measures
  mitigations:
    - risk_ref: "[risk description]"
      measure: "[e.g., Encryption at rest using AES-256]"
      type: "technical"  # technical | organizational | contractual
      status: "implemented"  # planned | implementing | implemented
      residual_risk: "low"
      
  # 5. Decision
  decision:
    residual_risk_acceptable: [yes/no]
    supervisory_authority_consultation: [yes/no]  # Required if residual risk still high
    approved_by: "[Name, role]"
    approval_date: "YYYY-MM-DD"
    review_date: "YYYY-MM-DD"  # At least annually

vendor_assessment:
  vendor: "[Name]"
  service: "[What they do]"
  data_types: ["email", "name", "usage data"]
  assessment_date: "YYYY-MM-DD"
  
  scores:
    security_posture: _/20      # Certifications, pen tests, encryption
    data_handling: _/20         # Minimization, retention, deletion
    contractual_terms: _/15     # DPA quality, liability, audit rights
    breach_history: _/15        # Past incidents, response quality
    sub_processor_mgmt: _/10   # Transparency, controls
    cross_border: _/10          # Transfer mechanisms, data residency
    reputation: _/10            # Market standing, regulatory history
    total: _/100
    
  decision: ""  # ≥80 Approve | 60-79 Approve with conditions | <60 Reject
  conditions: []
  review_frequency: "annual"  # annual | semi-annual | quarterly (for high-risk)

1. Identify transfer — What data, where, which mechanism
2. Assess destination law — Government access, surveillance, judicial redress
3. Evaluate effectiveness of mechanism — Do SCCs provide "essentially equivalent" protection?
4. Supplementary measures needed? — Technical (encryption, pseudonymization), contractual, organizational
5. Document decision — If no effective measure possible, suspend transfer

breach_assessment:
  id: "BR-YYYY-NNN"
  detection_date: "YYYY-MM-DDTHH:MM:SSZ"
  detection_method: "[monitoring alert / employee report / third party / data subject]"
  
  scope:
    data_subjects_affected: "[count or estimate]"
    data_categories: ["names", "emails", "financial"]
    special_categories: [yes/no]
    records_affected: "[count]"
    
  nature:
    type: "[confidentiality / integrity / availability]"
    cause: "[cyber attack / human error / system failure / theft / unauthorized access]"
    vector: "[phishing / vulnerability / misconfiguration / insider / lost device]"
    
  risk_to_individuals:
    likelihood_of_harm: "[low/medium/high]"
    severity_of_harm: "[low/medium/high]"
    risk_level: "[low/medium/high]"  # Determines notification obligations
    potential_harms: ["identity theft", "financial loss", "discrimination", "reputational"]

breach_register_entry:
  id: "BR-2025-001"
  date_detected: "YYYY-MM-DD"
  date_contained: "YYYY-MM-DD"
  date_resolved: "YYYY-MM-DD"
  nature: "[confidentiality breach]"
  cause: "[phishing attack]"
  data_subjects_affected: 0
  records_affected: 0
  data_categories: []
  risk_level: "high"
  authority_notified: [yes/no]
  authority_notification_date: "YYYY-MM-DD"
  subjects_notified: [yes/no]
  subjects_notification_date: "YYYY-MM-DD"
  root_cause: "[description]"
  remediation: "[actions taken]"
  lessons_learned: "[what changed]"

privacy_dashboard:
  period: "YYYY-QN"
  
  compliance:
    ropa_completeness_pct: 0  # Target: 100%
    processing_with_lawful_basis_pct: 0  # Target: 100%
    dpas_signed_pct: 0  # Target: 100%
    policies_current_pct: 0  # Target: 100%
    
  operations:
    dsars_received: 0
    dsars_completed_on_time_pct: 0  # Target: 100%
    avg_dsar_response_days: 0
    breaches_this_quarter: 0
    breach_notification_compliance: "[all within deadline]"
    
  risk:
    dpias_completed: 0
    dpias_pending: 0
    high_risk_processing_activities: 0
    open_remediation_items: 0
    
  culture:
    training_completion_pct: 0  # Target: >95%
    privacy_inquiries_from_staff: 0
    privacy_by_design_reviews_completed: 0
    
  vendors:
    total_processors: 0
    vendors_assessed_this_quarter: 0
    vendors_below_threshold: 0  # Score <60
    
  health_score: 0  # Weighted: Compliance 30% + Operations 25% + Risk 20% + Culture 15% + Vendors 10%

Is the data TRULY anonymous? Apply this test:
1. Can you single out an individual? → NOT anonymous
2. Can you link records to an individual? → NOT anonymous  
3. Can you infer information about an individual? → NOT anonymous

All three must be NO, considering:
- All means reasonably likely to be used
- Cost and time of re-identification
- Available technology
- Future developments

If truly anonymous → Outside privacy regulation scope
If pseudonymous → Still personal data, but lower risk

quarterly_review:
  period: "YYYY-QN"
  
  regulatory_changes:
    - regulation: "[e.g., GDPR guidance update]"
      impact: "[what changes for us]"
      action_needed: "[update policy / process change / none]"
      deadline: "YYYY-MM-DD"
  
  program_achievements: []
  open_issues:
    - issue: "[description]"
      severity: "[high/medium/low]"
      owner: "[who]"
      target_date: "YYYY-MM-DD"
  
  metrics_summary:
    dsar_on_time_pct: 0
    breaches: 0
    training_completion: 0
    vendor_compliance: 0
    health_score: 0
  
  next_quarter_priorities: []
  budget_status: "[on track / needs adjustment]"