- What personal data does this system process, and under what lawful basis?
- Is the data minimised to what is necessary for the declared purpose? Which fields would we drop if forced?
- Where does the data live (regions, accounts, third parties), and is the RoPA updated?
- Does this trigger a DPIA? If yes, who owns it and what is the timeline?
- Does any data leave the EEA? Under which transfer mechanism, with what supplementary measures?
- What is the retention, and what enforces it (a TTL, a scheduled job, a vendor configuration)?
- What is the canonical subject ID, and is it propagated through every store and log this system writes?
- What happens on DSAR / erasure? Can we enumerate and act on every record in 30 days?
- What is the default for the user, and is it the privacy-preserving option?
- Which sub-processors are introduced, and are they covered by a DPA?
- Does the privacy notice still match what this change makes the system do (new field, purpose, recipient)?