Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From global-privacy-regulations-skills
Guides privacy law gap analysis for market entry into new jurisdictions: assesses regulations, maps compliance gaps, estimates remediation efforts, and plans timelines.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin global-privacy-regulations-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/global-privacy-regulations-skills:privacy-law-gap-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
When an organisation enters a new market, it must assess the target jurisdiction's privacy requirements against its existing compliance posture. A structured gap analysis identifies what additional controls, policies, and procedures are needed to achieve compliance before commencing operations. This skill provides a repeatable methodology for conducting such assessments, estimating remediation ...
Guides privacy law gap analysis for market entry into new jurisdictions: assesses regulations, maps compliance gaps, estimates remediation efforts, and plans timelines.
Diffs new or changed regulations against current privacy policy and practice to output a gap list and remediation plan with owners and dates.
Navigates GDPR and CCPA privacy regulations, reviews DPAs, and handles data subject requests. Useful for compliance assessments, vendor agreements, cross-border transfers, and DSAR responses.
Share bugs, ideas, or general feedback.
When an organisation enters a new market, it must assess the target jurisdiction's privacy requirements against its existing compliance posture. A structured gap analysis identifies what additional controls, policies, and procedures are needed to achieve compliance before commencing operations. This skill provides a repeatable methodology for conducting such assessments, estimating remediation effort, and planning implementation timelines.
| Assessment Element | Questions to Answer |
|---|---|
| Primary data protection law | What is the comprehensive data protection statute? When was it enacted and last amended? |
| Regulator | Which authority enforces the law? What is its enforcement track record? |
| Scope | Does the law have extraterritorial reach? What activities trigger applicability? |
| Registration/notification | Is regulatory registration or notification required before processing? |
| Local representative | Is a local representative or establishment required? |
| DPO requirement | Must a Data Protection Officer be appointed? What qualifications are needed? |
| Sector-specific rules | Are there additional sector-specific requirements (financial, health, telecom)? |
Extract detailed requirements across 12 compliance domains:
| Control Category | Inventory Items |
|---|---|
| Policies | Privacy policy, cookie policy, employee privacy notice, vendor privacy requirements |
| Procedures | DSR response, breach notification, DPIA, consent management, data deletion |
| Technical controls | Encryption, access control, logging, DLP, anonymisation/pseudonymisation |
| Organisational controls | DPO, privacy team, training programme, governance committee |
| Contractual controls | DPA templates, SCC templates, vendor agreements, intra-group agreements |
| Records | Processing register, consent records, transfer register, breach log |
For each target jurisdiction requirement, assess:
| Classification | Definition | Priority | Remediation Timeline |
|---|---|---|---|
| Critical | Legal requirement with no existing control; enforcement risk is high | P1 | Before market entry |
| Significant | Legal requirement partially met; enhancement needed to avoid enforcement risk | P2 | Within 90 days of market entry |
| Minor | Best practice or low-enforcement-risk requirement not fully met | P3 | Within 180 days of market entry |
| Enhancement | Existing control meets requirement but could be optimised | P4 | Next annual review cycle |
| Effort Category | Small | Medium | Large |
|---|---|---|---|
| Policy drafting/update | 1-2 weeks | 2-4 weeks | 4-8 weeks |
| Procedure development | 1-2 weeks | 2-6 weeks | 6-12 weeks |
| Technical implementation | 2-4 weeks | 4-8 weeks | 8-16 weeks |
| Training development and delivery | 1-2 weeks | 2-4 weeks | 4-8 weeks |
| Vendor/contract update | 2-4 weeks | 4-8 weeks | 8-16 weeks |
| Regulatory registration/filing | 1-4 weeks | 4-8 weeks | 8-24 weeks |
| Week | Activity | Deliverable |
|---|---|---|
| 1-2 | Regulatory landscape mapping | Jurisdiction assessment report |
| 3-4 | Requirement extraction | Detailed requirements document |
| 5-6 | Current control mapping | Control inventory and mapping |
| 7-8 | Gap analysis | Gap report with classifications |
| 9-10 | Remediation planning | Remediation plan with effort estimates |
| 11-14 | P1 critical gap remediation | Updated policies, procedures, technical controls |
| 15-18 | P2 significant gap remediation | Enhanced controls and procedures |
| 19-20 | Training and awareness | Staff training completion |
| 21-22 | Pre-launch compliance review | Compliance readiness assessment |
| 23-24 | Go-live with monitoring | Market entry with active compliance monitoring |
| Element | Detail |
|---|---|
| Law | Decree 13/2023/ND-CP on Personal Data Protection (effective 1 July 2023) |
| Regulator | Ministry of Public Security (MPS) — Department of Cybersecurity and Hi-tech Crime Prevention |
| Scope | All personal data processing in Vietnam; extraterritorial for activities targeting Vietnamese individuals |
| DPO requirement | Required for certain processors (large-scale sensitive data processing) |
| Cross-border transfer | Mandatory impact assessment dossier; file with MPS before first transfer |
| Breach notification | 72 hours to MPS |
| Key unique requirements | Transfer impact assessment dossier filed with MPS; consent required as primary basis |
| Domain | Current Status | Gap Classification | Remediation |
|---|---|---|---|
| Lawful basis | GDPR-compliant consent framework | Partially met — Vietnam consent requirements differ | P2: Adapt consent forms for Vietnam-specific requirements |
| Individual rights | Global DSR portal | Partially met — Vietnamese language required | P2: Add Vietnamese language support |
| Cross-border transfer | EU SCCs in place | Not met — Vietnam requires MPS-filed impact dossier | P1: Prepare and file transfer impact assessment dossier |
| DPO | Global DPO structure | Partially met — local representative may be needed | P2: Assess and appoint local privacy contact |
| Breach notification | 72-hour global standard | Fully met | No gap |
| Privacy notice | Multi-language notices | Partially met — Vietnamese language needed | P2: Translate and localise privacy notice |
| Security | ISO 27001 certified | Fully met | No gap |
| Training | Annual global programme | Not met — Vietnam-specific content needed | P2: Develop Vietnam PDPD module |
| Week | Activity | Priority |
|---|---|---|
| 1-2 | Prepare transfer impact assessment dossier | P1 |
| 3-4 | File dossier with MPS | P1 |
| 5-6 | Adapt consent forms and privacy notice (Vietnamese) | P2 |
| 7-8 | Add Vietnamese to DSR portal | P2 |
| 9-10 | Appoint local privacy contact | P2 |
| 11-12 | Develop and deliver Vietnam training module | P2 |
| 13-14 | Pre-launch compliance review | Final check |
| Element | Detail |
|---|---|
| Gap analysis owner | Chief Privacy Officer |
| Approval | Privacy Steering Committee sign-off on remediation plan |
| Tracking | Gap remediation tracked in GRC platform |
| Review | Post-entry review at 90 days to verify all gaps remediated |
| Reuse | Gap analysis template stored for future market entries |