AI Agent Profile · LendingIQ · Frankfurt
Data Protection Officer AI
Division: Compliance
What this agent does
The DPO AI monitors LendingIQ's data processing activities for compliance with the GDPR (Regulation (EU) 2016/679), handles the operational workload of data rights requests, drafts the organisation's response to data breach incidents, and runs GDPR compliance audits across systems, vendors, and consent records. It is the intelligence and drafting engine of the data protection function. The named human DPO holds statutory accountability and signs all regulatory communications.
Primary functions
Consent Architecture Design & Monitoring
Triggered at product launch or periodic audit. Invoked when: new product or data processing purpose introduced, consent audit due, or GDPR regulatory update received
- Maps every personal data element LendingIQ collects against the processing purposes declared at collection — credit assessment, KYC / AML, collections, marketing, analytics — and checks whether valid consent or another lawful basis under the GDPR exists for each purpose-data combination.
- For new products or features: reads the product specification and data flow, identifies every personal data element the product will process, and drafts the consent notice language — specific, granular, plain-language, purpose-linked — as required under Article 6 (lawful basis) and Articles 7 and 13 (consent and transparency) of the GDPR. Does not produce one-size-fits-all consent blankets.
- Monitors the consent management platform for withdrawals, expired consents, and purpose drift — where data is being used for a purpose the borrower consented to at origination but which has since expanded without fresh consent. Flags these proactively before they become violations.
- Cannot validate whether the technical consent capture mechanism on the product UI actually works as specified. It audits the consent records and the legal architecture; a separate technical QA process must validate the UI implementation.
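The purpose-drift and withdrawal checks described above, as an added example that is not LendingIQ's or the agent's own code. It assumes a constructed consent record format and processing log, an assumed mapping of purposes that rest on a non-consent Article 6 basis, and an assumed internal re-consent interval; all sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample consent records (not from the page). Each consent covers one
# borrower and one purpose and declares which data elements it was given for.
CONSENTS = [
    {"borrower": "B-1001", "purpose": "marketing", "elements": {"email", "name"},
     "given": date(2023, 6, 1), "withdrawn": None},
    {"borrower": "B-1002", "purpose": "marketing", "elements": {"email"},
     "given": date(2024, 1, 10), "withdrawn": date(2024, 9, 1)},
    {"borrower": "B-1003", "purpose": "analytics", "elements": {"device_id"},
     "given": date(2021, 2, 1), "withdrawn": None},
]

# Purposes that rest on an Article 6 basis other than consent (assumed policy mapping).
NON_CONSENT_BASES = {"credit_assessment": "Art. 6(1)(b)", "kyc_aml": "Art. 6(1)(c)"}

# Constructed processing-activity log: what was actually processed, and for which purpose.
PROCESSING_LOG = [
    {"borrower": "B-1001", "purpose": "marketing", "elements": {"email", "income"}, "date": date(2024, 10, 5)},
    {"borrower": "B-1002", "purpose": "marketing", "elements": {"email"}, "date": date(2024, 10, 5)},
    {"borrower": "B-1003", "purpose": "analytics", "elements": {"device_id"}, "date": date(2024, 10, 5)},
    {"borrower": "B-1003", "purpose": "kyc_aml", "elements": {"id_document"}, "date": date(2024, 10, 5)},
    {"borrower": "B-1004", "purpose": "marketing", "elements": {"email"}, "date": date(2024, 10, 5)},
]

CONSENT_VALIDITY = timedelta(days=730)  # assumed internal re-consent interval, not a GDPR figure


def find_consent_findings(consents, log, validity=CONSENT_VALIDITY):
    """Return (borrower, purpose, finding) for every activity lacking a valid consent basis."""
    by_key = {(c["borrower"], c["purpose"]): c for c in consents}
    findings = []
    for act in log:
        if act["purpose"] in NON_CONSENT_BASES:
            continue  # rests on a non-consent lawful basis; not a consent question
        key = (act["borrower"], act["purpose"])
        c = by_key.get(key)
        if c is None:
            findings.append(key + ("no consent recorded for purpose",))
        elif c["withdrawn"] is not None and act["date"] >= c["withdrawn"]:
            findings.append(key + ("processing after consent withdrawal",))
        elif act["date"] - c["given"] > validity:
            findings.append(key + ("consent older than re-consent interval",))
        elif not act["elements"] <= c["elements"]:
            # Purpose drift: elements processed that the original consent never covered.
            extra = ",".join(sorted(act["elements"] - c["elements"]))
            findings.append(key + (f"purpose drift: elements not covered: {extra}",))
    return findings


if __name__ == "__main__":
    for borrower, purpose, finding in find_consent_findings(CONSENTS, PROCESSING_LOG):
        print(f"{borrower} {purpose}: {finding}")
```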
Data Rights Request Handling
Triggered on incoming request from a data subject. Invoked when: borrower submits access, rectification, erasure, complaint, or restriction/objection request via the prescribed channel
- Classifies the incoming request by right type under the GDPR — right of access (Article 15), rectification and erasure (Articles 16–17), restriction and portability (Articles 18–20), and objection (Article 21) — and identifies the applicable response timeline and obligations.
- For access requests: reads the consent records and processing log for that data subject, compiles the data inventory the borrower is entitled to receive, and drafts the response in the prescribed format. Flags categories of data that may be withheld under lawful exemptions — e.g., data held for legal proceedings or regulatory compliance purposes — with the specific statutory basis cited.
- For erasure requests: checks whether erasure is permissible under the GDPR given the borrower's current relationship with LendingIQ — an active loan account creates legal and regulatory retention obligations that override erasure rights. Drafts a response that explains the retention basis clearly, not a blanket refusal.
- For correction requests: identifies what data elements are in scope, whether the correction affects downstream regulatory data (credit bureau reporting, income verification and tax records used in credit assessment), and flags to the human DPO where a correction has compliance implications before the response is sent.
Breach Response
Triggered on confirmed or suspected breach incident. Invoked when: CISO or security team raises an incident that may constitute a personal data breach under GDPR Articles 33 and 34
- Reads the incident report from the security team — what data was accessed or exfiltrated, which data subjects are affected, how the breach occurred — and applies the GDPR's breach notification criteria: does this constitute a "personal data breach" requiring notification to the competent supervisory authority and, where required, to affected data subjects?
- Drafts the breach notification to the competent supervisory authority (lead DPA under the one-stop-shop mechanism where applicable) — what happened, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken — in the format and timeline the GDPR requires. Clearly marked as a draft for the human DPO to review, approve, and submit.
- Drafts the communication to affected data subjects — plain-language, specific about what data was involved, what they should do, and what LendingIQ is doing — for the human DPO and communications team to approve before despatch.
- Does not perform forensic investigation of the breach. It cannot access systems, review logs, or determine root cause — that is the CISO and security team's function. It works from the incident report provided to it and flags where the report lacks information needed for a complete notification.
GDPR Compliance Audit
Triggered on annual cycle or regulatory change. Invoked when: annual GDPR audit due, new Rules notified, or post-breach review required
- Reads the GDPR and Rules (via RAG), the full internal privacy policy and data retention schedule, all vendor Data Processing Agreements, and the consent management platform audit logs — and produces a structured gap analysis: every obligation under the GDPR mapped to LendingIQ's current practice, with a pass/fail/partial verdict and the specific gap described.
- Covers all eight domains of GDPR compliance: consent management, notice adequacy, data subject rights operationalisation, controller and processor obligations, processing restriction (children's data, sensitive data), security safeguards, breach response readiness, and Data Protection Officer designation and access.
- Audits vendor Data Processing Agreements against the GDPR's requirements for processors — does the DPA require the vendor to implement adequate security measures, restrict sub-processing, delete data on termination, and notify LendingIQ of breaches? Flags DPAs that are non-compliant or silent on material obligations.
- Does not test technical security controls, penetration-test systems, or validate whether data is actually being deleted on schedule. The audit covers the legal and policy architecture; a separate technical audit must validate operational implementation.
Knowledge base
GDPR & EDPB Guidelines (RAG)
GDPR as enacted, EDPB guidelines, national supervisory authority guidance, and official clarifications. Pipeline updated as new guidance is issued.
Consent Management Platform Records
Borrower consent records by purpose, consent capture timestamps, withdrawal log, and purpose-processing activity map. Injected at invocation — not stored between sessions.
Internal Privacy Policy & Retention Schedule
LendingIQ's privacy notice, data retention and deletion policy, data flow diagrams, and data inventory — retrieved via RAG, always current version.
Vendor Data Processing Agreements
DPAs with all data processors — bureau partners, cloud providers, fintech integrations, collection agencies. Audited for GDPR compliance in each audit cycle.
ECB / EBA Data Localisation & Privacy Circulars
ECB / EBA's data localisation requirements for payment data, storage norms for financial data, and KYC / AML data handling guidelines. Applied in consent and audit functions.
General Data Protection Knowledge
Pre-training knowledge of global privacy frameworks (GDPR, CCPA), data protection principles, and privacy-by-design standards — used where GDPR Rules are silent or pending.