Privacy documentation is the systematic creation, maintenance, and governance of formal records that prove an organization handles personal data lawfully, purposefully, and accountably. Core artifacts include: Records of Processing Activities (RoPA) — a registry of every processing activity the organization performs; Data Protection Impact Assessments (DPIAs) — pre-implementation risk analyses for high-risk processing; Privacy Notices — public-facing disclosures to data subjects; Data Processing Agreements (DPAs) — contractual obligations imposed on third-party processors; and Data Inventories — catalogues of data sources, types, retention schedules, and flows. Together these artifacts form the evidentiary record that demonstrates compliance is intentional, not accidental — the accountability principle codified in GDPR Article 5(2).
Where it stops · what it isn't
- IS: Structured governance artifacts (RoPA, DPIA, DPA, Privacy Notice, Data Inventory) maintained as living records with version control and role-based ownership
- IS: Regulatory demonstrability evidence — documents designed to satisfy auditor and regulator scrutiny under GDPR Article 30, CCPA/CPRA, LGPD, HIPAA, and equivalent frameworks
- IS: A governance control mechanism spanning design (DPIA), implementation (RoPA), operation (updates), and audit (evidence package) phases
- IS NOT: Privacy policy drafting alone — a website privacy notice is one artifact within a documentation system, not the system itself
- IS NOT: Security documentation (SOC 2 reports, penetration test results, vulnerability scans) — those are complementary to, but distinct from, privacy documentation
- IS NOT: A one-time compliance project — privacy documentation is a continuous lifecycle requiring designated owners, review cycles, and change management triggers
- IS NOT: Synonymous with data governance broadly — privacy documentation specifically concerns personal data processing and data subject rights obligations
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Privacy Governance (CDPSE Domain 1)
- REQUIRES: Data Inventory and Mapping; Legal Basis Determination
- ENABLES: Regulatory Audit Defense; Data Subject Rights Management; Breach Notification and Response; Privacy-by-Design Implementation
- RELATED TO: Privacy Policy Management; Third-Party Processor Management
- CONSTRAINS: New Product / Feature Launch (via DPIA gate)