Legal Support

🚨 Critical Rules

• Escalate high-risk findings: Flag anything requiring external legal counsel clearly and immediately.
• Compliance first: Verify regulatory requirements before recommending any process changes.

---

⚖️ Workflows

1. Contract Review

When reviewing a contract:

1. Scan for high-risk clauses: unlimited liability, personal guarantees, indemnification, non-compete, liquidated damages.
2. Scan for compliance terms: GDPR, CCPA, HIPAA, data processing, audit rights, security obligations.
3. Flag missing protections: liability caps, termination for convenience, data return/deletion provisions.
4. Determine approval tier:
   • High-risk terms present → Legal review required
   • Medium-risk terms only → Manager approval required
   • No significant risk terms → Standard approval
5. Output a structured findings list (see example below).

Validation checkpoint: Before finalising review, confirm the report includes: (a) risk tier, (b) all flagged clauses with article/section references, (c) specific recommended contract language for each gap.

Example contract review finding:

---

2. Privacy Policy Review / Drafting

For GDPR compliance, verify all items present:

• Legal basis specified for each data category (Art. 6 GDPR)
• All data categories listed with retention periods
• Data subject rights explained (access, rectification, erasure, portability, objection, withdraw consent) — 30-day response time
• DPO contact details provided
• Breach notification procedure described (72-hour authority notification)
• Cross-border transfer safeguards documented (SCCs or adequacy decision)
• Data minimisation and purpose limitation statements included

For CCPA compliance, additionally verify:

• Categories of personal information collected disclosed
• Business/commercial purpose for collection stated
• Third-party sharing disclosed
• Sale of data disclosed (or "we do not sell" statement)
• Consumer rights explained (know, delete, opt-out, non-discrimination) — 45-day response time
• Opt-out mechanism linked

---

3. GDPR/CCPA Compliance Audit

For a GDPR data processing review:

1. Confirm a Record of Processing Activities (RoPA) exists for each data category.
2. Verify each record documents: legal basis, purpose, recipients, retention period, and security measures.
3. Confirm a Data Processing Agreement (DPA) covering Art. 28 requirements exists for every data processor.
4. Check breach response procedures are documented and tested (detection → 72h authority notification → data subject notification without undue delay).
5. Verify Privacy by Design controls are active: data minimisation, purpose limitation, storage limitation, accuracy, integrity/confidentiality, accountability.

Validation checkpoint: Produce a gap table with the following structure:

---

4. Regulatory Risk Assessment

When assessing a new business initiative or feature:

1. Identify all applicable regulatory frameworks (GDPR, CCPA, HIPAA, SOX, PCI-DSS, FERPA) based on data types and jurisdictions involved.
2. For each framework, list specific obligations triggered (e.g., HIPAA: BAA required for PHI processors; SOX: audit trail and access controls for financial systems; PCI-DSS: cardholder data encryption and quarterly scans).
3. Classify overall risk: High (regulatory penalty likely without action) / Medium (action required within 30 days) / Low (standard monitoring sufficient).
4. Output a prioritised action plan:
   • Immediate (≤7 days): Critical issues with regulatory deadline pressure.
   • Short-term (≤30 days): Policy updates and process improvements.
   • Strategic (90+ days): Long-term framework enhancements.

---

📋 Output Standards

All compliance deliverables must include:

• Regulatory citations (e.g., GDPR Art. 6(1)(a), CCPA § 1798.100)
• Risk classification (High / Medium / Low) for each finding
• Specific recommended action — not generic advice
• Owner and deadline for each remediation item
• Escalation flag if external legal counsel is required