From privacy-legal
Diffs new or changed regulations against current privacy policy and practice to output a gap list and remediation plan with owners and dates.
Install: `npx claudepluginhub anthropics/claude-for-legal --plugin privacy-legal`
Slash command: `/privacy-legal:reg-gap-analysis [regulation name, or paste reg text/summary]`
1. Load `~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md` → privacy policy commitments, regulatory footprint, DSAR systems.
Diffs a new AI regulation or guidance against current governance posture to surface gaps, priorities, and a remediation plan with owners and deadlines. Use when a regulation changes or a compliance check is needed.
Diffs a regulatory change against an indexed policy library to identify gaps and required policy updates. Use when a regulation changes or for gap analysis.
Detects gaps between privacy policy and actual data practices. Sweeps saved PIAs and DPAs to find policy drift, or answers queries about proposed new practices.
Example invocations:
/privacy-legal:reg-gap-analysis "Colorado Privacy Act"
/privacy-legal:reg-gap-analysis
[paste guidance / reg text]
A state passes a new privacy law. The ICO issues new guidance. The CPPA finalizes regulations. Something moves — and now you need to know what, if anything, you have to change.
This skill diffs the new requirement against what you currently do (per ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → Privacy policy commitments + the practices documented in PIAs) and produces a gap list with a remediation plan.
Read ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md:
## Privacy policy commitments — what you've publicly promised
## Regulatory footprint — what already applies
## DSAR process → systems list — what you actually do operationally
If the regulation doesn't apply to you (wrong jurisdiction, below threshold, different sector), the gap analysis is one line: "Doesn't apply. Here's why: [reason]. No action needed."
Before diffing, answer:
Read the regulation (or summary/guidance). List every substantive requirement as a discrete item:
| # | Requirement | Citation | Category |
|---|---|---|---|
| 1 | [requirement as stated] | [section] | [Notice / Rights / Security / Vendor / Other] |
Categories:
For each requirement:
### [Requirement #N]: [short name]
**Regulation says:** [requirement, quoted or paraphrased]
**We currently:** [what the config CLAUDE.md / privacy policy / practice shows]
**Gap:** [None | Partial | Full]
**If partial/full gap — what's missing:** [specific]
**Effort to close:** [Policy update only | Product change | Vendor renegotiation | New process]
**Risk of non-compliance:** [regulatory penalty range, enforcement likelihood, reputational]
Not every gap is equal. Sort by:
Prepend the work-product header from ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md ## Outputs (it differs by user role — see ## Who's using this).
Research-connector pre-flight. Before emitting the remediation plan, check whether a legal research connector is reachable for this session — Lexis+, Westlaw, an EUR-Lex / regulator-site connector, or any firm-configured research MCP. Collect this into the reviewer note per CLAUDE.md ## Outputs: if no connector returns results in Step 2 or the Common regulation categories research step (or none is configured at run time), record it in the Sources: line of the reviewer note — e.g., `not connected — cites from training knowledge`; the highest-fabrication items in privacy gap analyses are new state-law effective dates, enforcement-begins dates, and article/section pinpoints — spot-check those first. Per-citation [model knowledge — verify] tags remain inline. Do not emit a standalone banner above the output.
[WORK-PRODUCT HEADER — per plugin config ## Outputs]
## Remediation Plan: [Regulation name]
**Effective date:** [date]
**Enforcement begins:** [date]
### Must-do before enforcement
| Gap | Fix | Owner | Due | Status |
|---|---|---|---|---|
| [gap] | [specific fix] | [name] | [date] | [ ] |
### Should-do (lower risk, not blocking)
[same table]
### Already compliant
[list of requirements where gap = None — useful for the "we're mostly fine" message]
### Accepted gaps (risk-accepted, not fixing)
[if any — with documented rationale and who accepted the risk]
When scoping the delta, it helps to place the new regulation into a rough category and then research the specifics:
For each category relevant to the new regulation, research the currently operative requirements before drafting the gap analysis. Cite primary sources. Verify currency — new state laws come online each legislative session, and regulators issue interpretive guidance that shifts what "compliance" means for a given control. Flag uncertainty for attorney verification rather than assert a rule you haven't confirmed.
No silent supplement. If a research query to the configured legal research tool (Lexis+, Westlaw, regulator databases, or firm platform) returns few or no results for a regulation, guidance document, or enforcement action, report what was found and stop. Do NOT fill the gap from web search or model knowledge without asking. Say: "The search returned [N] results from [tool]. Coverage appears thin for [regime / topic]. Options: (1) broaden the search query, (2) try a different research tool, (3) search the web — results will be tagged [web search — verify] and should be checked against the issuing authority before relying, or (4) flag as unverified and stop. Which would you like?" A lawyer decides whether to accept lower-confidence sources.
Source attribution tiering. Tag every citation in the gap analysis with its source. For model-knowledge citations, use one of three tiers rather than a single blanket "verify" tag:
[settled] — stable, well-known statutory and regulatory references unlikely to have changed (e.g., GDPR Art. 33, CCPA § 1798.100, FTC Act § 5). Still verify before filing, but lower priority.
[verify] — model-knowledge citations that are real but should be verified: specific implementing regulations, agency guidance, case holdings, thresholds, effective dates, newly enacted state statutes.
[verify-pinpoint] — pinpoint citations (specific subsection letters, volume/page numbers, paragraph numbers, regulatory subpart references) carry the highest fabrication risk and should ALWAYS be verified against a primary source.
Tool-retrieved citations keep their source tag ([Lexis+], [Westlaw], [issuing authority site], or the MCP tool name); web-search citations remain [web search — verify]; user-supplied citations remain [user provided]. The tiering surfaces the real verification work — a reader who verifies everything verifies nothing. Never strip or collapse the tags.
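As an added example (not part of the plugin), a small Python checker that parses a finished gap-analysis document, orders every tagged citation by the tiering above so the highest-fabrication-risk tags are verified first, and flags citation-like text that carries no source tag at all. The sample document, the citation heuristic and the state-law pinpoint in it are constructed; tag spellings are assumed to match the skill text exactly.

```python
import re

# Source-attribution tags as spelled in the skill; lower number = verify first.
# Any other bracketed tag ([Lexis+], [Westlaw], an MCP tool name) is treated as
# tool-retrieved and goes to the back of the queue. Tag spellings are assumed
# to match the skill text exactly, em-dashes included.
RISK = {
    "verify-pinpoint": 0,
    "verify": 1,
    "model knowledge — verify": 2,
    "web search — verify": 2,
    "settled": 3,
    "user provided": 4,
}
TOOL_RISK = 5
TAG_RE = re.compile(r"\[([^\[\]\n]+)\]")
# Heuristic (constructed) for citation-like text that should carry a tag.
CITE_RE = re.compile(r"\bArt\.\s*\d+|§\s*\d|\bSection\s+\d+|\bRecital\s+\d+")

def classify(tag):
    """Fabrication-risk rank for one tag; unknown tags count as tool-retrieved."""
    return RISK.get(tag, TOOL_RISK)

def build_queue(doc):
    """Return (queue, untagged) for a finished gap-analysis document.
    queue: (risk, line_no, tag, line) tuples, highest-risk tags first;
    untagged: line numbers with citation-like text but no source tag."""
    queue, untagged = [], []
    for n, line in enumerate(doc.splitlines(), 1):
        tags = [t for t in TAG_RE.findall(line) if t.strip()]  # skip "[ ]" checkboxes
        if CITE_RE.search(line) and not tags:
            untagged.append(n)
        queue.extend((classify(t), n, t, line.strip()) for t in tags)
    queue.sort(key=lambda q: (q[0], q[1]))
    return queue, untagged

# Constructed sample output; the state-law pinpoint is a made-up placeholder.
SAMPLE = """### Requirement 1: Breach notification
**Regulation says:** notify within 72 hours, GDPR Art. 33 [settled]
**We currently:** 72-hour runbook documented in PIA-2023-07 [user provided]
### Requirement 2: Universal opt-out signal
**Regulation says:** honor opt-out preference signals, § 1-2-345(1)(a)(IV) [verify-pinpoint]
Guidance on recognized signals [web search — verify]
### Requirement 3: Data minimization
**Regulation says:** collect only adequate, relevant data, Art. 5(1)(c)
Effective date per enacted bill [verify]
Enforcement begins 2025-07-01 [Westlaw]
"""
```

Calling `build_queue(SAMPLE)` puts the [verify-pinpoint] line first and the [Westlaw] line last, and reports line 8 (the untagged Art. 5(1)(c) reference) as needing a source tag before the document is saved.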
From PIA generation: PIAs flag privacy policy inconsistencies → those feed here as known gaps.
To the regulatory-legal plugin (if installed): This skill is the manual version. The monitor plugin watches feeds and triggers this analysis automatically when something changes.
Save as a dated markdown doc. The remediation plan table becomes a tracker — update status as items close.
If the gap analysis concludes "no gaps, we're compliant," still write the doc — it's useful evidence later that you looked.
Close with a citation-verification note:
Citations in this output were generated by an AI model and have not been verified against a primary source. Before relying on any regulation, statute, guidance, or enforcement action, check it against a legal research tool (Lexis+, Westlaw, your firm's research platform, or the issuing authority's website) for accuracy and current status. AI-generated citations are sometimes fabricated or misquoted. Source tags on each citation (e.g., [Lexis+], [web search — verify]) show where it came from; verify tags carry higher fabrication risk and should be checked first.
End with the next-steps decision tree per CLAUDE.md ## Outputs. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.