A Day in the Life: Privacy Personas

Personas: PIA (Privacy Impact Assessor), CRM (Consent Records Manager), DEO (De-identification Operator)
Morning: Impact Assessment

PIA conducts a Privacy Impact Assessment for a new feature that collects user preferences. PIA maps every data flow: what personal data is collected, where it is stored, who can access it, how long it is retained, and through what channels it can be deleted. PIA evaluates each data flow against applicable regulations (GDPR, CCPA, HIPAA) and identifies privacy risks.

PIA produces a Privacy Impact Assessment report with a risk matrix: each risk is scored on likelihood and impact, and mapped to a specific legal basis. High-risk processing activities trigger a Data Protection Impact Assessment (DPIA) requirement. PIA recommends technical and organizational measures to mitigate each identified risk.

CRM reviews the consent records for the new feature. Every data processing activity must be linked to a valid legal basis: explicit consent, contractual necessity, legal obligation, or legitimate interest. CRM maps each activity to its basis and verifies that consent records capture the required elements: what was consented to, when, by whom, and through what mechanism.

CRM also manages consent lifecycle events: consent grants, withdrawals, modifications, and expirations. When a user withdraws consent, CRM ensures that all downstream processing activities are updated within the required timeframe.
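The consent record elements and lifecycle events described above, as an added example in Python (not code from this project; the ConsentLedger class, the ACTIVITIES map and the subject ids are constructed for illustration). The ledger is append-only, answers "is this activity lawful for this subject at this instant" from the most recent grant or withdrawal, treats expiry as an implicit withdrawal, and lists the downstream activities that must stop when consent for a purpose is withdrawn:

```python
"""Consent ledger: append-only events plus a point-in-time legality check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                           # what was consented to
    kind: str                              # "grant" or "withdraw"
    at: datetime                           # when (timezone-aware)
    mechanism: str                         # through what mechanism, e.g. "web_form"
    expires_at: Optional[datetime] = None  # a grant may carry an expiry


# Hypothetical activity -> (legal basis, consent purpose) map; names are constructed.
ACTIVITIES = {
    "recommendations": ("consent", "personalization"),
    "newsletter": ("consent", "marketing"),
    "invoice_retention": ("legal_obligation", None),
    "fraud_screening": ("legitimate_interest", None),
}


class ConsentLedger:
    def __init__(self):
        self._events = []  # append-only; events are never edited or deleted

    def record(self, event):
        if event.kind not in ("grant", "withdraw"):
            raise ValueError(f"unknown event kind {event.kind!r}")
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def consent_status(self, subject_id, purpose, at):
        """True if the most recent event at or before `at` is an unexpired grant."""
        history = sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose and e.at <= at),
            key=lambda e: e.at,
        )
        if not history:
            return False
        last = history[-1]
        if last.kind == "withdraw":
            return False
        return last.expires_at is None or at < last.expires_at

    def is_lawful(self, activity, subject_id, at):
        """Consent-based activities need a live grant; other bases do not depend on consent."""
        basis, purpose = ACTIVITIES[activity]
        if basis != "consent":
            return True
        return self.consent_status(subject_id, purpose, at)

    def activities_affected_by_withdrawal(self, purpose):
        """Downstream activities that must stop once consent for `purpose` is withdrawn."""
        return sorted(a for a, (basis, p) in ACTIVITIES.items()
                      if basis == "consent" and p == purpose)


def build_demo_ledger():
    """Constructed history for one subject: two grants, one later withdrawal."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("user-42", "personalization", "grant", t0, "web_form"))
    ledger.record(ConsentEvent("user-42", "marketing", "grant", t0, "web_form",
                               expires_at=t0 + timedelta(days=90)))
    ledger.record(ConsentEvent("user-42", "personalization", "withdraw",
                               t0 + timedelta(days=60), "account_settings"))
    return ledger, t0


def demo_is_lawful(activity, day_offset, subject_id="user-42"):
    """Evaluate `activity` for the demo subject `day_offset` days after the first grant."""
    ledger, t0 = build_demo_ledger()
    return ledger.is_lawful(activity, subject_id, t0 + timedelta(days=day_offset))


if __name__ == "__main__":
    for activity in ACTIVITIES:
        print(activity, [demo_is_lawful(activity, d) for d in (30, 61, 91)])
    print("withdrawal of personalization affects:",
          ConsentLedger().activities_affected_by_withdrawal("personalization"))
```

Keeping the ledger append-only is the point: a withdrawal is a new event, not an edit of the grant, so the record of what was consented to, when and through which mechanism survives for audit, and the same history can be replayed to show what was lawful at any earlier instant.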

Afternoon: De-identification

DEO implements de-identification strategies for data that needs to be shared or analyzed without exposing personal information. DEO selects appropriate techniques based on the data type and use case: k-anonymity for tabular data, differential privacy for aggregate statistics, tokenization for identifiers, and redaction for free-text fields.

DEO validates the de-identification by running re-identification risk assessments. If the residual risk exceeds the threshold, DEO applies additional privacy-enhancing techniques until the risk is acceptable. DEO documents the de-identification methodology, parameters, and risk assessment results.
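The k-anonymity step and its validation loop, as an added example in Python (not the project's own tooling or library; the records, the generalization hierarchies for age and ZIP, and the suppression budget are constructed assumptions). It measures k as the smallest equivalence class over the quasi-identifiers, reports the worst-case re-identification risk as 1/k, and walks a generalization ladder, suppressing records that still sit in classes smaller than k, until the target is met within the suppression budget:

```python
"""k-anonymity with generalization and suppression, plus a 1/k risk check (added example)."""
from collections import Counter

# Constructed sample records, not real data. age and zip are quasi-identifiers
# (linkable to outside datasets); diagnosis is the sensitive attribute.
RECORDS = [
    {"age": 34, "zip": "94110", "diagnosis": "flu"},
    {"age": 36, "zip": "94112", "diagnosis": "asthma"},
    {"age": 38, "zip": "94117", "diagnosis": "flu"},
    {"age": 52, "zip": "10001", "diagnosis": "diabetes"},
    {"age": 55, "zip": "10003", "diagnosis": "flu"},
    {"age": 57, "zip": "10009", "diagnosis": "asthma"},
    {"age": 23, "zip": "60601", "diagnosis": "flu"},
    {"age": 29, "zip": "60602", "diagnosis": "diabetes"},
]
QUASI_IDS = ("age", "zip")


# Generalization hierarchies (assumed): level 0 is the exact value, higher is coarser.
def generalize_age(age, level):
    if level == 0:
        return str(age)
    if level == 1:
        low = (age // 10) * 10
        return f"{low}-{low + 9}"
    return "*"


def generalize_zip(zip_code, level):
    if level == 0:
        return zip_code
    if level == 1:
        return zip_code[:3] + "**"
    return "*"


def generalize(records, age_level, zip_level):
    return [{**r, "age": generalize_age(r["age"], age_level),
             "zip": generalize_zip(r["zip"], zip_level)} for r in records]


def qid_key(record):
    return tuple(record[q] for q in QUASI_IDS)


def k_anonymity(records):
    """Smallest equivalence class over the quasi-identifiers (the k of a k-anonymous table)."""
    if not records:
        return 0
    return min(Counter(qid_key(r) for r in records).values())


def reidentification_risk(records):
    """Worst-case prosecutor risk: probability of singling out one record = 1/k."""
    k = k_anonymity(records)
    return 1.0 / k if k else 1.0


# Rungs are tried in order of increasing information loss.
LADDER = [(0, 0), (1, 0), (0, 1), (1, 1), (2, 1), (1, 2), (2, 2)]


def anonymize(records, k, max_suppression=0.25):
    """Return (kept_records, (age_level, zip_level), suppressed_count) for the first
    rung where dropping the records in classes smaller than k stays within budget."""
    for age_level, zip_level in LADDER:
        gen = generalize(records, age_level, zip_level)
        sizes = Counter(qid_key(r) for r in gen)
        kept = [r for r in gen if sizes[qid_key(r)] >= k]
        suppressed = len(gen) - len(kept)
        if suppressed / len(gen) <= max_suppression:
            return kept, (age_level, zip_level), suppressed
    raise ValueError(f"cannot reach {k}-anonymity within the suppression budget")


if __name__ == "__main__":
    print("raw: k =", k_anonymity(RECORDS), "risk =", reidentification_risk(RECORDS))
    kept, levels, dropped = anonymize(RECORDS, k=3)
    print("levels", levels, "suppressed", dropped,
          "k =", k_anonymity(kept), "risk =", reidentification_risk(kept))
    for r in kept:
        print(r)
```

Recording the rung reached, the number of suppressed records and the resulting k and 1/k is what the methodology documentation needs; the threshold the text refers to is then a concrete comparison against `reidentification_risk` rather than a judgement call. Note that k-anonymity alone does not protect against attribute disclosure when every record in a class shares the same sensitive value, which is why the loop above is a floor, not a complete assessment.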

Tools Used

  • Privacy taxonomy from privacy.yaml
  • ConstitutionRegistry for privacy rules
  • EventBus for consent lifecycle events
  • De-identification libraries and risk assessment tools

Key Outputs

  • Privacy Impact Assessment reports (PIA)
  • Consent records with lifecycle tracking (CRM)
  • De-identified datasets with risk assessments (DEO)
  • Data flow maps with legal basis annotations (PIA)