Guides GDPR compliance audits with 50+ control points across Articles 5, 24, 25, 28, 30, 32, 35, 37 covering principles, accountability, security, governance.
`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin gdpr-compliance-skills`

This skill uses the workspace's default tool permissions.
A data protection audit systematically evaluates an organisation's compliance with GDPR requirements across governance, processing activities, data subject rights, security measures, and third-party arrangements. This skill provides a structured audit framework with 50+ control points mapped to specific GDPR articles, enabling auditors to produce a comprehensive compliance assessment with prioritised remediation recommendations.
The audit is organised into eight domains aligned to core GDPR chapters and articles:

Domain 1: Principles relating to processing of personal data (Art. 5)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 1.1 | Processing purposes are specified, explicit, and documented for each activity | Art. 5(1)(a)-(b) | RoPA with specific purpose statements |
| 1.2 | A valid lawful basis is identified and documented for each processing activity | Art. 5(1)(a), 6 | Lawful basis register/assessment records |
| 1.3 | Personal data collected is adequate, relevant, and limited to what is necessary | Art. 5(1)(c) | Data minimisation reviews, field-level justification |
| 1.4 | Personal data is accurate and kept up to date with rectification procedures | Art. 5(1)(d) | Data quality processes, rectification logs |
| 1.5 | Retention periods are defined for all data categories with deletion/anonymisation procedures | Art. 5(1)(e) | Retention schedule, deletion logs |
| 1.6 | Appropriate security measures protect personal data against unauthorised access, loss, or destruction | Art. 5(1)(f) | Security controls documentation, pen test reports |
| 1.7 | The controller can demonstrate compliance with all principles (accountability) | Art. 5(2) | Compiled evidence portfolio |

Domain 2: Accountability and responsibility of the controller (Art. 24)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 2.1 | A data protection policy is approved by senior management and communicated to all staff | Art. 24(2) | Signed policy, distribution records |
| 2.2 | Data protection roles and responsibilities are formally assigned across the organisation | Art. 24(1) | RACI matrix, job descriptions |
| 2.3 | Regular data protection training is provided to all staff processing personal data | Art. 39(1)(b) | Training records, attendance logs, completion certificates |
| 2.4 | A data protection governance structure exists with board-level reporting | Art. 24, 38(3) | Governance charter, board meeting minutes |
| 2.5 | Documented procedures exist for all GDPR obligations (breach notification, DSAR, DPIA) | Art. 24(1) | Procedure documents with version control |
| 2.6 | Internal audits of data protection compliance are conducted at defined intervals | Art. 24(1) | Audit schedule, previous audit reports |
| 2.7 | A data protection risk register is maintained and reviewed | Art. 24(1) | Risk register with risk scores and treatment plans |

Domain 3: Data protection by design and by default (Art. 25)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 3.1 | Privacy requirements are integrated into the systems development lifecycle | Art. 25(1) | SDLC documentation with privacy checkpoints |
| 3.2 | Privacy impact is assessed before deploying new systems or changing existing processing | Art. 25(1) | DPIA screening records, change management logs |
| 3.3 | Default settings ensure only necessary personal data is processed | Art. 25(2) | Configuration reviews, default settings documentation |
| 3.4 | Data minimisation is applied at the design stage of systems and processes | Art. 25(1) | Design documents showing minimisation decisions |
| 3.5 | Pseudonymisation and encryption are considered in system design | Art. 25(1), 32(1)(a) | Architecture documents, encryption standards |
| 3.6 | User interfaces facilitate data subject rights (access, deletion, portability) | Art. 25(1)-(2) | UI/UX specifications, data export functionality |

Domain 4: Processors and data processing agreements (Art. 28)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 4.1 | All processors are identified and recorded in a vendor register | Art. 28(1) | Vendor register with processor classifications |
| 4.2 | Written data processing agreements are in place with all processors containing Art. 28(3) mandatory clauses | Art. 28(3) | DPA register, sample DPA review |
| 4.3 | Processor due diligence is conducted before engagement and periodically thereafter | Art. 28(1) | Due diligence questionnaires, assessment reports |
| 4.4 | Sub-processor authorisation and notification procedures are documented | Art. 28(2)-(4) | Sub-processor clauses, notification records |
| 4.5 | Processor compliance is monitored through audits, certifications, or self-assessments | Art. 28(3)(h) | Audit rights exercised, SOC 2/ISO 27001 certificates |
| 4.6 | Processors return or delete personal data upon contract termination | Art. 28(3)(g) | Data return/deletion confirmations |
| 4.7 | Processor breach notification obligations are contractually defined and tested | Art. 28(3)(f), 33 | DPA breach clauses, incident response test results |

Domain 5: Records of processing activities (Art. 30)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 5.1 | A comprehensive RoPA is maintained for all controller processing activities | Art. 30(1) | Complete RoPA with all Art. 30(1)(a)-(g) fields |
| 5.2 | Processor records are maintained for all processing on behalf of controllers | Art. 30(2) | Processor RoPA with Art. 30(2)(a)-(d) fields |
| 5.3 | RoPA is kept up to date with a defined review and update process | Art. 30(1)-(2) | Last review dates, update procedure |
| 5.4 | RoPA can be made available to the supervisory authority on request | Art. 30(4) | Export capability, access procedure |
| 5.5 | RoPA is maintained in writing (including electronic form) | Art. 30(3) | Electronic RoPA system or documented spreadsheet |

Domain 6: Security of processing (Art. 32)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 6.1 | Risk assessments are conducted to determine appropriate security measures | Art. 32(1)-(2) | Risk assessment reports for processing activities |
| 6.2 | Pseudonymisation and encryption of personal data are implemented where appropriate | Art. 32(1)(a) | Encryption at rest and in transit documentation |
| 6.3 | Ongoing confidentiality, integrity, availability, and resilience of systems is ensured | Art. 32(1)(b) | ISO 27001 controls, access management, BCP/DR plans |
| 6.4 | Access to personal data can be restored in a timely manner after a physical or technical incident | Art. 32(1)(c) | Backup procedures, restoration testing records |
| 6.5 | Regular testing and evaluation of security measures is performed | Art. 32(1)(d) | Penetration test reports, vulnerability scans, audit results |
| 6.6 | Access to personal data is restricted on a need-to-know basis | Art. 32(1)(b) | Access control matrices, user access reviews |
| 6.7 | Physical security controls protect premises where personal data is processed | Art. 32(1)(b) | Physical security policy, access logs |
| 6.8 | Personal data breach detection and response procedures are in place | Art. 33-34 | Incident response plan, breach register |

Domain 7: Data protection impact assessment (Art. 35)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 7.1 | Criteria for mandatory DPIA are defined and communicated to the organisation | Art. 35(1),(3) | DPIA threshold criteria, DPA blacklist consideration |
| 7.2 | DPIAs are conducted before processing that is likely to result in high risk | Art. 35(1) | DPIA register with completion dates |
| 7.3 | DPIAs contain all Art. 35(7) mandatory elements (description, necessity, risks, measures) | Art. 35(7) | Sample DPIA review for completeness |
| 7.4 | The DPO is consulted during the DPIA process | Art. 35(2) | DPO consultation records, sign-off |
| 7.5 | Data subject views are sought where appropriate | Art. 35(9) | Consultation records or documented rationale for not consulting |
| 7.6 | DPIA outcomes are implemented and monitored | Art. 35(11) | Remediation tracking, follow-up reviews |
| 7.7 | Prior consultation with the supervisory authority is initiated when residual risk remains high | Art. 36 | Prior consultation records (if applicable) |

Domain 8: Data protection officer (Art. 37)

| # | Control Point | GDPR Ref | Evidence Required |
|---|---|---|---|
| 8.1 | A DPO is appointed where required (public authority, large-scale monitoring, special categories) | Art. 37(1) | DPO appointment letter, published contact details |
| 8.2 | The DPO has sufficient resources, independence, and access to senior management | Art. 38(1)-(3) | Budget allocation, reporting line documentation |
| 8.3 | The DPO does not receive instructions regarding the exercise of their tasks | Art. 38(3) | Independence clause in employment/service contract |
| 8.4 | The DPO's contact details are published and communicated to the supervisory authority | Art. 37(7) | Website publication, DPA notification records |
| 8.5 | The DPO is involved in all data protection matters in a timely manner | Art. 38(1) | Meeting invitations, consultation records |
| 8.6 | The DPO monitors compliance, provides advice, and cooperates with the supervisory authority | Art. 39(1) | DPO activity reports, advisory records |