Essential definitions and timelines behind the “Must-Do” column of your Governance Ladder.
By Dr. SK, CIPT, PMP
Keep this sheet open during audits or intake reviews. It’s the minimum vocabulary of a functioning governance program.
| Core Term / Element | Definition (for Implementor) | Critical Deadline / Requirement |
|---|---|---|
| ⏱ DSAR (Data Subject Rights) | The mechanism allowing individuals to request access, correction, or deletion of their data. | 45 Days (CCPA/CPRA) or 30 Days (GDPR) to fulfill the request. Extensions are possible but must be notified to the requester. |
| 📜 RoPA (Record of Processing Activities) | An internal document listing what data you collect, why (purpose), and where it goes. | Must be available upon request by a supervisory authority. Continuous maintenance is mandatory. |
| 🚧 DPIA (Data Protection Impact Assessment) | A formal risk analysis required before deploying new projects that use personal data in a high-risk way (e.g., automated decision-making, large-scale processing). | Must be completed before processing begins. Skipping it is a clear compliance failure. |
| ⚠️ Incident Reporting | Notifying regulators and/or affected data subjects of a data breach. | 72 Hours (GDPR, generally for regulator notification). US state laws require notification at the "most expedient time possible" (often interpreted as 30-45 days for consumers). |
| ⚖️ Lawful Basis | The legal justification for processing personal data (e.g., consent, contractual necessity, legitimate interest). | Must be documented before collection and must be auditable. |
| 🤝 Vendor Management (Third Parties) | Contractual requirement that all third-party service providers (processors) meet the same security and privacy standards. | Must be in place before data transfer begins. Standard Contractual Clauses (SCCs) are essential. |
© Privacy Atelier | CC BY-NC 4.0 | Examples are composites.