Exposure Register

Melvin PETIT edited this page Jun 22, 2026 · 1 revision

The exposure register is a GDPR-oriented record of confirmed personal-data exposures (Article 30/33), with a 72-hour notification countdown. Logic lives in src/lib/register.ts; deadlines are computed in src/lib/gdpr.ts.

Entries

Each entry (ExposureRegisterEntry) documents one exposure:

| Field | Meaning |
|---|---|
| title | Short description of the exposure |
| detectedAt | When the exposure was detected (starts the 72h clock) |
| status | ASSESSING, NOTIFIED, or NOT_REQUIRED |
| affectedCount | Number of affected employees |
| dataCategories | GDPR data categories involved |
| assessment | Free-text assessment notes |
| notifiedAt | When the supervisory authority was notified, if applicable |

72-hour workflow

The deadline and countdown are computed, never stored, so they stay correct as time passes and can never drift from detectedAt:

  • notificationDeadline = detectedAt + 72h.
  • hoursRemaining counts down to that deadline.
  • An entry is overdue only while still ASSESSING and past the deadline. Once NOTIFIED or NOT_REQUIRED, the clock is no longer pending.

Data categories are mapped to human labels via GDPR_CATEGORY_LABELS.

Evidence pack

evidenceCsv produces a flat field/value CSV for a single entry, suitable for an Article 33 notification dossier (title, detected-at, status, affected count, GDPR categories, deadline, notified-at, assessment). Cells are CSV-escaped.
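The following is an added example that covers both the 72-hour workflow above and the evidence pack; it is not the project's src/lib/gdpr.ts or src/lib/register.ts. The field names follow the entry table on this page; the helper names (notificationDeadline, hoursRemaining, isOverdue, csvCell, evidenceCsv), the "field,value" header row, and the category labels are assumptions, and the sample entry is constructed.

```typescript
// Added example, not the project's src/lib/register.ts or src/lib/gdpr.ts.
// Field names follow the wiki's entry table; the function names, the
// "field,value" header row and the category labels below are assumptions.

type ExposureStatus = "ASSESSING" | "NOTIFIED" | "NOT_REQUIRED";

interface ExposureRegisterEntry {
  title: string;
  detectedAt: string;        // ISO 8601; starts the 72h clock
  status: ExposureStatus;
  affectedCount: number;
  dataCategories: string[];  // keys into GDPR_CATEGORY_LABELS
  assessment: string;
  notifiedAt?: string;       // ISO 8601, set once the authority was notified
}

// Constructed subset of labels; the project keeps its own GDPR_CATEGORY_LABELS.
const GDPR_CATEGORY_LABELS: Record<string, string> = {
  IDENTITY: "Identity data",
  CONTACT: "Contact details",
  HEALTH: "Health data (Art. 9)",
};

const NOTIFICATION_WINDOW_MS = 72 * 60 * 60 * 1000;
const HOUR_MS = 60 * 60 * 1000;

// Derived from detectedAt on every call; nothing is persisted, so it cannot drift.
function notificationDeadline(entry: ExposureRegisterEntry): Date {
  return new Date(Date.parse(entry.detectedAt) + NOTIFICATION_WINDOW_MS);
}

// Hours left until the deadline; negative once it has passed.
function hoursRemaining(entry: ExposureRegisterEntry, now: Date = new Date()): number {
  return (notificationDeadline(entry).getTime() - now.getTime()) / HOUR_MS;
}

// Overdue only while the decision is still pending (ASSESSING) and the deadline has passed.
function isOverdue(entry: ExposureRegisterEntry, now: Date = new Date()): boolean {
  return entry.status === "ASSESSING" && hoursRemaining(entry, now) < 0;
}

// RFC 4180 quoting: wrap the cell when it contains a comma, a double quote or a
// line break, and double any embedded quotes.
function csvCell(value: string | number): string {
  const s = String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Flat field/value CSV for one entry, in the order the wiki lists.
function evidenceCsv(entry: ExposureRegisterEntry): string {
  const rows: Array<[string, string | number]> = [
    ["title", entry.title],
    ["detectedAt", entry.detectedAt],
    ["status", entry.status],
    ["affectedCount", entry.affectedCount],
    ["dataCategories", entry.dataCategories.map(c => GDPR_CATEGORY_LABELS[c] ?? c).join("; ")],
    ["notificationDeadline", notificationDeadline(entry).toISOString()],
    ["notifiedAt", entry.notifiedAt ?? ""],
    ["assessment", entry.assessment],
  ];
  return ["field,value", ...rows.map(([f, v]) => `${f},${csvCell(v)}`)].join("\r\n") + "\r\n";
}

// Constructed sample entry for a stand-alone run.
const sampleEntry: ExposureRegisterEntry = {
  title: "Payroll export, emailed to wrong distribution list",
  detectedAt: "2026-06-01T10:00:00Z",
  status: "ASSESSING",
  affectedCount: 42,
  dataCategories: ["IDENTITY", "CONTACT"],
  assessment: 'Recipients confirmed deletion; includes "salary" column',
};

console.log(hoursRemaining(sampleEntry, new Date("2026-06-03T10:00:00Z"))); // 24
console.log(isOverdue(sampleEntry, new Date("2026-06-05T10:00:00Z")));     // true
console.log(evidenceCsv(sampleEntry));
```

Two points worth keeping in mind when adapting this: the status check in isOverdue is what stops a NOTIFIED or NOT_REQUIRED entry from ever showing as overdue, so any new status must be classified as pending or not; and because the assessment cell is free text written by admins and downloaded by any user, a spreadsheet that opens the CSV will evaluate cells beginning with `=`, `+`, `-` or `@`, so a reviewer of the real evidenceCsv should decide whether such cells need neutralising in addition to quoting.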

Endpoints

| Endpoint | Method | Auth | Description |
|---|---|---|---|
| /api/register | GET | any user | List register entries |
| /api/register | POST | ADMIN | Create an entry |
| /api/register/[id] | PATCH | ADMIN | Update status / assessment |
| /api/register/[id]/evidence | GET | any user | Download the evidence CSV |

See Database Schema for the model and Roles and Permissions for who can edit entries.