From grimoire
Designs or audits a GDPR compliance program for organizations processing EU/EEA personal data, covering DPO appointment, data mapping, lawful bases, privacy notices, and data subject rights.
npx claudepluginhub jeffreytse/grimoire --plugin grimoire
Slash command
/grimoire:design-gdpr-compliance-program
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Build a GDPR compliance program that satisfies legal obligations, minimizes enforcement risk, and earns data subject trust.
Adopted by: Required for any organization established in the EU/EEA that processes personal data, and for organizations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3). Enforced by the national supervisory authorities of the EU and EEA member states, coordinated by the European Data Protection Board (EDPB). Fines for the most serious infringements reach €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)), and by early 2024 public fine trackers put cumulative GDPR fines since 2018 above €4 billion. Impact: A documented program is the controller's evidence of accountability (Article 5(2)); missing records, risk assessments, or a breach process is itself an infringement and weighs against the organization when a fine is set (Article 83(2)). Privacy by design limits the data exposed when a breach happens, and with it the notification, remediation, and liability that follow. Why best: GDPR is not a one-time project; it requires ongoing program governance. EDPB guidelines (and the Article 29 Working Party opinions they endorse) are the harmonized interpretation that supervisory authorities apply, with the Court of Justice of the EU as the final authority on what the regulation means.
Sources: GDPR (EU) 2016/679, Articles 3, 5, 6, 9, 12–14, 25, 28, 30, 32–35, 37–39, 83; EDPB guidelines (edpb.europa.eu); ICO GDPR guidance (ico.org.uk); WP29/EDPB opinions.
Appoint a Data Protection Officer (DPO): mandatory under Article 37 for public authorities and bodies (other than courts acting in their judicial capacity), and for any controller or processor whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special-category (Article 9) or criminal-conviction (Article 10) data. Where it is not mandatory, still name a privacy lead. Document the role, its independence and reporting line to the highest level of management, and the absence of conflicts of interest (Article 38); publish the DPO's contact details and communicate them to the supervisory authority (Article 37(7)).
Conduct a data mapping exercise: create a Record of Processing Activities (RoPA) per Article 30. For each processing activity record the controller (and DPO) contact details, purposes, categories of data subjects and personal data, recipients, transfers to third countries and their safeguards, retention periods, the legal basis relied on, and a description of the security measures. Processors keep their own record of the processing carried out for each controller (Article 30(2)). The small-enterprise exemption in Article 30(5) rarely helps in practice, because it falls away for any processing that is not occasional or that involves special-category data. Update the record whenever processing changes and be ready to produce it on request from the supervisory authority.
Establish lawful bases for all processing: map every processing activity to one of the six Article 6(1) bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) before processing starts, and document the assessment. Legitimate interests requires a recorded balancing test against the data subject's interests and is not available to public authorities for their own tasks. Special-category data needs an additional Article 9(2) condition on top of the Article 6 basis. Do not default to consent when another basis applies: consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give (Article 7), and a basis cannot be swapped after the fact.
Implement privacy notices: provide clear, layered notices at the point of collection (Article 13) or, when the data is obtained from elsewhere, within a reasonable period and at most one month (Article 14). Include the identity and contact details of the controller and DPO, the purposes and legal bases (and the legitimate interests relied on), recipients, international transfers and their safeguards, retention periods or the criteria used to set them, data subject rights including withdrawal of consent, the right to complain to a supervisory authority, whether providing the data is a statutory or contractual requirement, any automated decision-making and the logic involved, and, for Article 14 notices, the source of the data.
Build data subject rights processes: establish procedures for access (Article 15), rectification, erasure ("right to be forgotten"), restriction, portability, objection, and rights relating to automated decision-making (Articles 16–22). Respond without undue delay and at the latest within one month of receipt, extendable by two further months for complex or numerous requests provided the data subject is told of the extension within the first month (Article 12(3)); responses are free of charge unless a request is manifestly unfounded or excessive. Log and track every request with its deadline, whatever channel it arrives through. Verify identity before disclosing anything, requesting only the additional information needed to resolve reasonable doubt (Article 12(6)).
Apply privacy by design and default (Article 25): integrate data protection requirements (minimisation, pseudonymisation, purpose limitation, storage limits) into new products, systems, and processes from the design stage, and ship with the most privacy-protective settings on by default. Conduct a Data Protection Impact Assessment (Article 35) before any high-risk processing, such as large-scale profiling, large-scale special-category processing, or systematic monitoring of publicly accessible areas, checking the supervisory authority's published list of processing that requires one (Article 35(4)). If residual risk stays high after mitigation, consult the supervisory authority before starting (Article 36).
Implement appropriate security measures (Article 32): conduct a risk assessment and implement pseudonymisation and encryption, access controls, audit logging, and the ability to restore availability and access after an incident, proportionate to the risk, the state of the art, and the cost of implementation. Article 32(1)(d) also requires a process for regularly testing and evaluating the effectiveness of those measures. Document every measure and its rationale; the RoPA's security description and the DPIAs should point to that documentation.
Establish a data breach notification process: notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and give reasons for any delay (Article 33(1)); information may be supplied in phases. Processors must notify the controller without undue delay (Article 33(2)). Notify affected individuals without undue delay when the breach is likely to result in a high risk, unless the data was rendered unintelligible (for example, properly encrypted) or equivalent measures apply (Article 34). Document every breach, including those not notified, with the facts, effects, and remedial action taken (Article 33(5)). Create a 72-hour response playbook that names the decision owner, defines the awareness trigger that starts the clock, and holds the notification templates.
Manage third-party processors: every processor must act under a written contract containing the Article 28(3) terms (documented instructions, confidentiality, security, sub-processor approval and flow-down, assistance with data subject rights and breaches, deletion or return of data at end of service, and audit rights). Conduct security due diligence before onboarding and periodically afterwards. For transfers outside the EU/EEA rely on an adequacy decision (Article 45) or appropriate safeguards such as the Standard Contractual Clauses (Article 46); where safeguards are used, record a transfer impact assessment and any supplementary measures, as required following the CJEU's Schrems II judgment (C-311/18).
Create a compliance monitoring program: conduct annual privacy audits, review the RoPA at least quarterly and on every processing change, reassess DPIAs when the risk of a high-risk process changes, track performance against data subject request and breach-notification deadlines, and monitor EDPB guidance and supervisory-authority enforcement decisions. Report compliance status to senior management, with the DPO reporting directly to the highest management level (Article 38(3)).
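Two of the steps above carry hard deadlines that a tracking system has to compute correctly: the one-month (extendable) response window for data subject requests under Article 12(3) and the 72-hour supervisory-authority clock under Article 33(1). The calculator below is an added example, not code from the grimoire skill or its source page. It assumes the ICO's reading of "one month" (the same calendar date in the following month, clamped to the month end when that date does not exist, rolling a weekend deadline to the next working day), does not model public holidays, and uses a constructed sample request log; the function names are this example's own.

```python
"""GDPR deadline calculator (added example; not part of the grimoire skill).

Clocks implemented:
  * Article 12(3): answer a data subject request within one month of receipt,
    extendable by two further months for complex or numerous requests.
  * Article 33(1): notify the supervisory authority within 72 hours of
    becoming aware of a personal data breach.

Assumptions (ICO convention, not text from the page): "one month" means the
same calendar date next month, clamped to the last day of that month if no such
date exists; a deadline landing on Saturday/Sunday rolls to Monday. Public
holidays are not modelled. SAMPLE_REQUESTS is constructed for the example.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, timedelta, timezone


def add_months(day: date, months: int) -> date:
    """Same calendar date `months` later, clamped to month end (31 Jan + 1 month -> 28/29 Feb)."""
    month_index = day.month - 1 + months
    year, month = day.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def next_working_day(day: date) -> date:
    """Roll Saturday (5) or Sunday (6) forward to Monday; holidays intentionally ignored."""
    while day.weekday() >= 5:
        day += timedelta(days=1)
    return day


def dsar_deadline(received: date, extended: bool = False) -> date:
    """Article 12(3) deadline; extended=True applies the two-month extension (three months total)."""
    return next_working_day(add_months(received, 3 if extended else 1))


def dsar_deadline_iso(received_iso: str, extended: bool = False) -> str:
    """String wrapper around dsar_deadline for ticket systems that store ISO dates."""
    return dsar_deadline(date.fromisoformat(received_iso), extended).isoformat()


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Article 33(1): 72 hours from awareness. Continuous clock, no working-day rollover."""
    if aware_at.tzinfo is None:
        raise ValueError("breach timestamps must be timezone-aware")
    return aware_at + timedelta(hours=72)


def breach_hours_late(aware_at: datetime, notified_at: datetime) -> float:
    """Hours by which the Article 33 notification missed the deadline; 0.0 if on time."""
    overrun = notified_at - breach_notification_deadline(aware_at)
    return max(0.0, overrun.total_seconds() / 3600)


def breach_hours_late_iso(aware_iso: str, notified_iso: str) -> float:
    """ISO-8601 wrapper (timestamps must carry an offset, e.g. '+00:00')."""
    return breach_hours_late(datetime.fromisoformat(aware_iso), datetime.fromisoformat(notified_iso))


# Constructed sample DSAR log; in practice this comes from the request-tracking system.
SAMPLE_REQUESTS = [
    {"id": "DSAR-001", "received": date(2024, 1, 31), "extended": False, "closed": None},
    {"id": "DSAR-002", "received": date(2024, 2, 15), "extended": True, "closed": date(2024, 4, 2)},
    {"id": "DSAR-003", "received": date(2024, 3, 7), "extended": False, "closed": None},
]


def overdue_requests(requests: list[dict], today: date) -> list[str]:
    """IDs of open requests whose Article 12(3) deadline has already passed."""
    return [
        r["id"]
        for r in requests
        if r["closed"] is None and dsar_deadline(r["received"], r["extended"]) < today
    ]


def sample_overdue_on(today_iso: str) -> list[str]:
    """Overdue IDs from the constructed sample log as of the given ISO date."""
    return overdue_requests(SAMPLE_REQUESTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], "due", dsar_deadline(r["received"], r["extended"]))
    print("overdue on 2024-04-05:", sample_overdue_on("2024-04-05"))
    aware = datetime(2024, 5, 10, 14, 0, tzinfo=timezone.utc)
    notified = datetime(2024, 5, 13, 16, 0, tzinfo=timezone.utc)
    print("Article 33 notification late by", breach_hours_late(aware, notified), "hours")
```

The month-end clamp is the case tracking spreadsheets usually get wrong: a request received on 31 January is due on 28 or 29 February, not 2 or 3 March. Note that the breach clock deliberately has no weekend rollover, since Article 33 counts hours from awareness, which is why the playbook needs an on-call decision owner.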