GDPR Privacy Toolkit
Data mapping templates, DPIA frameworks, consent management patterns, and data subject request handling procedures.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 25 files
📖 Documentation Preview README excerpt
GDPR Privacy Toolkit
A practical, fill-in-ready toolkit for building a credible GDPR program: the
regulation explained for builders, data-mapping and RoPA registers, a
DPIA framework with a worked example, DSAR procedures, breach-notification
templates, a retention schedule, consent records, and lawful-basis guidance.
Written for product, engineering, and security people who have to operate
privacy — not just read about it. Everything is anonymized and uses the fictional
Acme Corp (example.com).
Not legal advice. The GDPR has national variations and evolving case law.
This toolkit helps you build and document a program; involve qualified counsel
or a DPO for decisions specific to your situation.
Who this is for
- Founders and engineers whose product touches EU/EEA users and need a real
privacy program (not a copy-pasted policy).
- Security/platform engineers asked to "make us GDPR compliant."
- Anyone preparing for the privacy expectations of enterprise buyers, SOC 2
Privacy criteria, or a DPA negotiation.
What's inside
gdpr-privacy-toolkit/
├── README.md # You are here
├── LICENSE
├── docs/
│ ├── gdpr-overview.md # Principles, roles, scope, rights, penalties
│ ├── lawful-basis-guide.md # The 6 bases, consent & LIA done right, Art. 9
│ ├── dpia-framework.md # When a DPIA is required + the 7-step method
│ ├── dsar-procedure.md # Handling all 8 rights, timelines, verification
│ ├── breach-notification-guide.md # The 72-hour rule, Art. 33 & 34 decisions
│ └── data-retention-guide.md # Storage limitation in practice
├── templates/
│ ├── ropa-controller.csv # Records of Processing — Art. 30(1)
│ ├── ropa-processor.csv # Records of Processing — Art. 30(2)
│ ├── data-mapping.csv # Data-element-level flow map
│ ├── dsar-log.csv # Data-subject request tracker
│ ├── breach-register.csv # Mandatory breach log (Art. 33(5))
│ ├── retention-schedule.csv # Retention periods + disposal
│ ├── consent-record.csv # Demonstrable-consent log
│ ├── dpia-template.md # Blank DPIA form
│ └── breach-notification-letter.md # Authority + individual notice drafts
└── examples/
└── worked-dpia-example.md # A completed DPIA for an AI feature
How to use this toolkit
Privacy compliance is about accountability — being able to demonstrate what
you do and why. Work in this order:
1. Get the model. Read docs/gdpr-overview.md. Decide where you're a
controller vs a processor (it changes everything).
2. Map your data. Fill templates/data-mapping.csv, then build your
... continues with setup instructions, usage examples, and more.
📄 Content Sample examples/worked-dpia-example.md
Worked Example: DPIA for an AI Churn-Prediction Feature
This is a completed DPIA, filled in for a realistic feature so you can see
what "good" looks like before doing your own. The company is the fictional
Acme Corp (example.com); the feature is a machine-learning model that
predicts which customers are likely to cancel ("churn") so the success team can
intervene. This processing involves profiling, so a DPIA is required.
Compare this against the blank templates/dpia-template.md. Notice that the
value isn't the form — it's the measures that emerged from working through it
(Part 5), which materially changed the design.
| Field | Value |
|---|---|
| DPIA title | Churn-prediction model for customer success |
| DPIA reference | DPIA-2026-004 |
| Owner | Priya Nair, Product Manager |
| DPO / reviewer | Dana Lee, Privacy Lead |
| Date started | 2026-05-02 |
| Date completed | 2026-05-20 |
| Status | Approved (proceed with measures) |
| Version | 1.0 |
Part 0 — Screening
| Screening question | Yes/No | Notes |
|---|---|---|
| Special category or criminal-offence data? | No | Only account/usage data. |
| Large-scale processing? | Yes | All ~40,000 active customer accounts. |
| Profiling or automated decision-making? | Yes | Model scores likelihood to churn. |
| Systematic monitoring / tracking? | Partial | Ongoing scoring from product usage. |
| New or novel technology? | Yes | First ML model used on customer data. |
| Children or vulnerable groups? | No | B2B accounts; business users. |
| Could it prevent access to a service/right? | No | Used internally to offer help, not to deny service. |
| Combining datasets? | Yes | Combines product usage, billing, and support data. |
Screening outcome: DPIA required — four strong triggers (large-scale,
profiling, novel technology, dataset combination).
Part 1 — Describe the processing
1.1 What is the project?
A churn-prediction model that produces a weekly 0–100 "churn-risk score" per
customer account. Scores above a threshold create a task for the customer
... and much more in the full download.