{
  "$defs": {
    "DpiaStatus": {
      "description": "DPIA lifecycle.",
      "oneOf": [
        {
          "enum": [
            "draft",
            "review",
            "approved",
            "withdrawn",
            "closed"
          ],
          "type": "string"
        },
        {
          "const": "dpo_reviewed",
          "description": "DPO consulted + sign-off.",
          "type": "string"
        },
        {
          "const": "authority_consultation_pending",
          "description": "Awaiting Art. 36 prior consultation.",
          "type": "string"
        },
        {
          "const": "authority_consulted",
          "description": "Supervisory authority responded.",
          "type": "string"
        },
        {
          "const": "under_revision",
          "description": "Re-assessment scheduled / in progress.",
          "type": "string"
        }
      ]
    },
    "DpiaTrigger": {
      "description": "DPIA trigger (EDPB 9-criteria + custom).",
      "oneOf": [
        {
          "const": "evaluation_or_scoring",
          "description": "Evaluation / scoring (profiling).",
          "type": "string"
        },
        {
          "const": "automated_decision_making",
          "description": "Automated decision-making with significant effect (Art. 22).",
          "type": "string"
        },
        {
          "const": "systematic_monitoring",
          "description": "Systematic monitoring / public-area surveillance.",
          "type": "string"
        },
        {
          "const": "sensitive_data",
          "description": "Special-category data (Art. 9) or criminal data (Art. 10).",
          "type": "string"
        },
        {
          "const": "large_scale",
          "description": "Large-scale processing.",
          "type": "string"
        },
        {
          "const": "dataset_matching",
          "description": "Data matching / combining of datasets.",
          "type": "string"
        },
        {
          "const": "vulnerable_subjects",
          "description": "Data on vulnerable data subjects.",
          "type": "string"
        },
        {
          "const": "novel_technology",
          "description": "Innovative use of new technology / organisational solutions.",
          "type": "string"
        },
        {
          "const": "prevents_rights_exercise",
          "description": "Processing that prevents data subjects from exercising a right, or from using a service or contract.",
          "type": "string"
        },
        {
          "const": "other",
          "description": "Other (must include narrative; this schema does not itself enforce the narrative requirement).",
          "type": "string"
        }
      ]
    },
    "IdentifiedRisk": {
      "description": "One identified risk + mitigations.",
      "properties": {
        "control_refs": {
          "description": "PathRefs to controls / policies implementing mitigations.",
          "items": {
            "$ref": "#/$defs/PathRef"
          },
          "type": "array"
        },
        "description": {
          "type": "string"
        },
        "impact": {
          "$ref": "#/$defs/RiskSeverity",
          "description": "Impact on data subjects (qualitative)."
        },
        "inherent_risk": {
          "$ref": "#/$defs/RiskSeverity",
          "description": "Inherent risk (pre-mitigation)."
        },
        "likelihood": {
          "$ref": "#/$defs/RiskSeverity",
          "description": "Likelihood (qualitative)."
        },
        "mitigations": {
          "description": "Mitigation descriptions.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "residual_risk": {
          "$ref": "#/$defs/RiskSeverity",
          "description": "Residual risk (post-mitigation)."
        }
      },
      "required": [
        "description",
        "likelihood",
        "impact",
        "inherent_risk",
        "residual_risk",
        "mitigations"
      ],
      "type": "object"
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD). Checked only when the validator has `format` assertion enabled; no `pattern` backs it up.",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
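      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`\nNote: the pattern admits `.` and `..` as path segments after the first, so resolvers must reject or normalise them and confine the resolved path to the .corpospec/ root.",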
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "RiskSeverity": {
      "description": "Risk severity.",
      "enum": [
        "negligible",
        "low",
        "medium",
        "high",
        "very_high"
      ],
      "type": "string"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/gdpr-dpia.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "DPIA record.",
  "properties": {
    "art36_required": {
      "description": "Whether Art. 36 prior consultation was required.",
      "type": "boolean"
    },
    "authority_response_date": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ]
    },
    "authority_response_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "Supervisory authority response (if Art. 36 invoked)."
    },
    "created_at": {
      "$ref": "#/$defs/IsoDate"
    },
    "dpo_signoff": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "DPO sign-off (PathRef into DPO record). Optional in this schema: no rule requires it even when `status` is `dpo_reviewed`."
    },
    "dpo_signoff_date": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ]
    },
    "entity": {
      "$ref": "#/$defs/PathRef"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "identified_risks": {
      "description": "Risks to data subjects (Art. 35(7)(c)).",
      "items": {
        "$ref": "#/$defs/IdentifiedRisk"
      },
      "type": "array"
    },
    "last_reviewed": {
      "$ref": "#/$defs/IsoDate"
    },
    "necessity_proportionality": {
      "description": "Necessity + proportionality assessment (Art. 35(7)(b)).",
      "type": "string"
    },
    "next_review_due": {
      "$ref": "#/$defs/IsoDate"
    },
    "processing_description": {
      "description": "Systematic description of processing (Art. 35(7)(a)).",
      "type": "string"
    },
    "processing_record": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef into the underlying processing record (Art. 30)."
    },
    "stakeholder_consultation": {
      "description": "Stakeholder consultation outcome (data subjects, DPO, third parties).",
      "type": [
        "string",
        "null"
      ]
    },
    "status": {
      "$ref": "#/$defs/DpiaStatus"
    },
    "triggers": {
      "items": {
        "$ref": "#/$defs/DpiaTrigger"
      },
      "type": "array"
    }
  },
  "required": [
    "id",
    "entity",
    "processing_record",
    "triggers",
    "processing_description",
    "necessity_proportionality",
    "identified_risks",
    "status",
    "art36_required",
    "created_at",
    "last_reviewed",
    "next_review_due"
  ],
  "title": "GdprDpia",
  "type": "object",
  "x-corpospec-pillar": "privacy"
}