From privacy-audit-skills
Guides continuous privacy compliance monitoring implementation via automated control tests, evidence collection, real-time dashboards, alert remediation, and compliance-as-code. For GRC platform config.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-audit-skillsThis skill uses the workspace's default tool permissions.
Continuous compliance monitoring replaces the traditional point-in-time audit model with an ongoing, automated approach to verifying that privacy controls are operating effectively. Rather than discovering compliance gaps during annual audits, continuous monitoring provides real-time visibility into control performance, enabling immediate remediation before gaps become regulatory violations or ...
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
Continuous compliance monitoring replaces the traditional point-in-time audit model with an ongoing, automated approach to verifying that privacy controls are operating effectively. Rather than discovering compliance gaps during annual audits, continuous monitoring provides real-time visibility into control performance, enabling immediate remediation before gaps become regulatory violations or data breaches.
The shift from periodic to continuous monitoring is driven by several factors: the increasing frequency of regulatory changes (GDPR enforcement guidance, new US state privacy laws, sector-specific regulations), the growing complexity of data ecosystems (cloud, SaaS, APIs, third-party integrations), and supervisory authority expectations for demonstrable accountability under Art. 5(2) GDPR.
Sentinel Compliance Group implemented continuous privacy compliance monitoring in 2023, reducing time-to-detect compliance deviations from an average of 94 days (quarterly audit cycle) to 2.3 days (automated monitoring with alert-based triage).
┌─────────────────────────────────────────────────────┐
│ LAYER 3: REPORTING │
│ Executive Dashboards │ Regulatory Reports │ Alerts │
├─────────────────────────────────────────────────────┤
│ LAYER 2: ANALYSIS │
│ Control Scoring │ Trend Analysis │ Risk Correlation │
├─────────────────────────────────────────────────────┤
│ LAYER 1: DATA COLLECTION │
│ Automated Tests │ Evidence Harvest │ External Feeds │
└─────────────────────────────────────────────────────┘
Automated Control Tests execute pre-defined checks against systems, configurations, and data:
| Test Category | Data Source | Test Examples | Frequency |
|---|---|---|---|
| Configuration Compliance | Cloud APIs (AWS, Azure, GCP) | Encryption at rest enabled, access logging active, data residency verified | Daily |
| Access Control | IAM systems (Okta, Azure AD) | Privileged access reviews current, terminated users deprovisioned, RBAC aligned with data classification | Daily |
| Data Lifecycle | Database metadata, storage systems | Retention periods enforced, deletion jobs executing, backup encryption verified | Daily |
| Consent Records | CMP platforms (OneTrust, Cookiebot) | Consent records complete, withdrawal honored, opt-out signals processed | Real-time |
| DSAR Processing | DSAR management system | Open DSARs within SLA, response quality checks, identity verification completed | Daily |
| Vendor Compliance | Vendor management platform | DPAs current, certifications valid, sub-processor lists updated | Weekly |
| Training Compliance | LMS (Learning Management System) | Training completion rates, overdue assignments, content currency | Weekly |
| Policy Currency | Document management system | Policy review dates, approval status, version control | Weekly |
| Breach Readiness | Incident response tools | Response plan current, tabletop exercise conducted, contact lists updated | Monthly |
| Transfer Safeguards | Contract management, TIA register | SCCs executed, TIAs current, adequacy decisions monitored | Weekly |
Evidence Harvesting automatically collects and timestamps compliance artifacts:
| Evidence Type | Collection Method | Storage | Retention |
|---|---|---|---|
| System screenshots | Automated screenshot capture via API | Evidence repository with hash verification | 3 years |
| Configuration exports | API calls to target systems | Versioned configuration store | 3 years |
| Log extracts | SIEM/log aggregator queries | Immutable audit log archive | Per regulatory requirement |
| Consent records | CMP database export | Dedicated consent evidence store | Duration of processing + 5 years |
| DSAR records | Workflow system export | DSAR archive with access controls | 3 years after request closure |
| Training records | LMS completion export | HR evidence repository | Employment duration + 2 years |
| Contract documents | Contract management system | Legal document repository | Contract duration + 6 years |
External Feeds ingest regulatory and threat intelligence:
| Feed Type | Source | Purpose |
|---|---|---|
| Regulatory changes | OneTrust DataGuidance, IAPP, Official Journals | Detect new laws, guidance, and enforcement actions |
| Enforcement actions | Supervisory authority RSS feeds, GDPRhub | Learn from peer enforcement and adjust controls |
| Vendor risk intelligence | BitSight, SecurityScorecard | Monitor vendor security posture changes |
| Threat intelligence | CISA, ENISA, sector ISACs | Correlate privacy risks with emerging threats |
Control Scoring Engine:
Each control is scored based on automated test results:
| Score | Status | Definition |
|---|---|---|
| 100 | Effective | All automated tests pass; evidence is current and complete |
| 75-99 | Mostly Effective | Minor deviations detected; evidence gaps exist but are non-material |
| 50-74 | Partially Effective | Material deviations detected; some evidence missing or outdated |
| 25-49 | Largely Ineffective | Multiple failures; significant evidence gaps; control is not reliably operating |
| 0-24 | Ineffective | Control is not operating; no evidence of implementation |
Aggregation Logic:
Trend Analysis:
Risk Correlation:
Real-Time Dashboards:
| Dashboard | Audience | Content | Refresh Rate |
|---|---|---|---|
| Privacy Operations | Privacy team | Control-level scores, open deviations, DSAR metrics, vendor status | Real-time |
| Executive Privacy | CPO, CISO, CLO | Domain-level scores, trend analysis, top risks, regulatory exposure | Daily |
| Board Privacy | Board/Audit Committee | Overall compliance score, year-over-year trend, peer benchmarking, material incidents | Quarterly |
| Regulatory | DPO, Legal | Regulation-specific scores, gap details, enforcement tracker | Weekly |
| Vendor | Procurement, Third-Party Risk | Vendor compliance scores, DPA status, certification expiry | Weekly |
For each privacy control, define:
control_id: PCC-DSAR-001
control_name: DSAR Response Timeliness
regulation_mapping:
- GDPR Art. 12(3)
- CCPA Section 1798.130(a)(2)
- LGPD Art. 18
domain: Data Subject Rights
test_definition:
test_type: data_query
data_source: dsar_management_system
query: |
SELECT request_id, received_date, response_date,
DATEDIFF(day, received_date, COALESCE(response_date, GETDATE())) as days_elapsed,
jurisdiction, status
FROM dsar_requests
WHERE status IN ('open', 'in_progress', 'completed')
AND received_date >= DATEADD(day, -90, GETDATE())
pass_criteria:
- field: days_elapsed
condition: less_than_or_equal
value: 30
filter: "jurisdiction = 'GDPR' AND status != 'completed'"
- field: days_elapsed
condition: less_than_or_equal
value: 45
filter: "jurisdiction = 'CCPA' AND status != 'completed'"
- field: days_elapsed
condition: less_than_or_equal
value: 30
filter: "status = 'completed'"
threshold: 0.95 # 95% of completed requests must meet deadline
frequency: daily
alert_threshold: 0.90 # Alert if pass rate drops below 90%
alert_recipients:
- privacy-operations@sentinelcompliance.com
- dpo@sentinelcompliance.com
evidence_collection:
- type: query_result
description: Full DSAR status report with elapsed days
- type: screenshot
description: DSAR dashboard showing current queue status
control_id: PCC-ENC-001
control_name: Database Encryption at Rest
test_type: api_check
data_source: aws_rds_api
check:
api_call: describe_db_instances
assertion: StorageEncrypted == true
scope: all_instances
frequency: daily
remediation_automation:
enabled: true
action: create_jira_ticket
priority: high
assignee: database-team
control_id: PCC-DPA-001
control_name: DPA Currency
test_type: data_query
data_source: contract_management_system
query: |
SELECT vendor_name, dpa_expiry_date,
DATEDIFF(day, GETDATE(), dpa_expiry_date) as days_until_expiry
FROM vendor_contracts
WHERE contract_type = 'DPA' AND status = 'active'
pass_criteria:
- field: days_until_expiry
condition: greater_than
value: 0
description: No expired DPAs
alert_rules:
- condition: days_until_expiry <= 30
severity: warning
message: "DPA for {vendor_name} expires in {days_until_expiry} days"
- condition: days_until_expiry <= 0
severity: critical
message: "DPA for {vendor_name} has expired"
frequency: daily
control_id: PCC-TRN-001
control_name: Privacy Training Completion
test_type: api_check
data_source: lms_api
check:
api_call: get_course_completion
course_id: PRIV-001-ANNUAL
assertion: completion_rate >= 0.95
scope: all_active_employees
frequency: weekly
alert_threshold: 0.90
escalation:
- level: 1
condition: completion_rate < 0.95
action: notify_manager
- level: 2
condition: completion_rate < 0.90
action: notify_cpo
- level: 3
condition: completion_rate < 0.80
action: notify_audit_committee
| Severity | Criteria | Response SLA | Notification |
|---|---|---|---|
| Critical | Control failure affecting high-sensitivity data OR regulatory deadline at risk OR active data exposure | 4 hours | CPO, CISO, DPO, Privacy Ops lead — immediate notification via PagerDuty/Slack |
| High | Control failure affecting personal data OR compliance score below threshold OR vendor DPA expired | 24 hours | Privacy Ops team, control owner — email + Slack notification |
| Medium | Control degradation (score decrease >10 points) OR evidence gap detected OR training overdue | 72 hours | Control owner — email notification |
| Low | Minor deviation OR informational alert OR upcoming deadline | 1 week | Control owner — daily digest |
Alert Triggered
↓
Auto-Triage (severity classification, deduplication, correlation)
↓
Alert Assigned to Control Owner
↓
Control Owner Acknowledges (within SLA)
↓
Root Cause Analysis
↓
Remediation Plan Documented
↓
Remediation Executed
↓
Automated Re-Test
↓
Pass? → Alert Closed → Evidence Archived
↓
Fail? → Escalate → Revised Remediation Plan
For specific control failures, automated remediation can be configured:
| Control Failure | Auto-Remediation Action | Human Approval Required |
|---|---|---|
| Terminated user still has access | Disable account via IAM API | No (immediate) |
| Encryption disabled on new resource | Enable encryption via cloud API | No (immediate) |
| Expired DPA detected | Generate renewal notification to vendor manager | Yes (notification only) |
| Training overdue > 30 days | Send automated reminder to employee and manager | No (notification) |
| Consent record missing timestamp | Flag record for manual review | Yes (review required) |
| DSAR approaching SLA deadline | Escalate to privacy operations lead | No (escalation only) |
External Regulatory Feed
↓
Change Detection (new law, amendment, guidance, enforcement action)
↓
Relevance Assessment (automated keyword matching + manual review)
↓
Impact Analysis (which controls, processes, and systems are affected)
↓
Gap Assessment (current compliance vs. new requirement)
↓
Remediation Planning (control updates, policy changes, system modifications)
↓
Implementation and Testing
↓
Control Framework Updated
↓
Monitoring Rules Adjusted
| Category | Response Timeline | Example |
|---|---|---|
| New regulation enacted | Assessment within 30 days; implementation by effective date | New US state privacy law with 12-month implementation window |
| Existing regulation amended | Assessment within 14 days; implementation per amendment effective date | GDPR delegated act modifying adequacy decision |
| Supervisory authority guidance | Assessment within 30 days; implementation within 90 days | EDPB guidelines on consent for cookie walls |
| Enforcement action (peer) | Lessons-learned review within 14 days; control gap check within 30 days | DPA fine for inadequate DSAR response process |
| Court decision | Legal review within 14 days; impact assessment within 30 days | CJEU judgment invalidating transfer mechanism |
When regulatory changes require control updates:
Embed privacy compliance checks into infrastructure-as-code (IaC) pipelines:
# Example: Terraform compliance policy for data residency
policy "data_residency_eu" {
description = "Ensure EU personal data is stored in EU regions only"
enforcement_level = "mandatory"
rule "storage_location" {
condition = resource.aws_s3_bucket.region in ["eu-west-1", "eu-central-1", "eu-north-1"]
message = "S3 buckets containing EU personal data must be in EU regions"
}
rule "encryption_required" {
condition = resource.aws_s3_bucket.server_side_encryption_configuration != null
message = "S3 buckets containing personal data must have encryption enabled"
}
rule "versioning_enabled" {
condition = resource.aws_s3_bucket.versioning[0].enabled == true
message = "S3 buckets containing personal data must have versioning enabled for audit trail"
}
rule "public_access_blocked" {
condition = resource.aws_s3_bucket_public_access_block.block_public_acls == true
message = "S3 buckets containing personal data must block public access"
}
}
Integrate privacy checks into CI/CD pipelines:
| Pipeline Stage | Privacy Check | Blocking? |
|---|---|---|
| Code Review | PII detection in code comments, logs, and test data | Yes |
| Static Analysis | Privacy annotation verification (data classification, retention, purpose) | Yes |
| Build | Dependency check for privacy-impacting libraries | Warning |
| Integration Test | Consent enforcement verification, DSAR endpoint testing | Yes |
| Pre-Deploy | Data residency verification, encryption verification | Yes |
| Post-Deploy | Privacy header verification, cookie consent verification | Monitoring |
Overall Compliance Score (large numeric display):
Compliance by Regulation (horizontal bar chart):
GDPR: ████████████████████░ 96%
CCPA/CPRA: ███████████████████░░ 93%
LGPD: ██████████████████░░░ 91%
PIPA: ████████████████████░ 97%
UK GDPR: ███████████████████░░ 94%
Open Deviations by Severity (donut chart):
Control Health Heatmap (10x grid, one cell per domain):
Top 5 Deviations Requiring Attention (table):
| ID | Control | Score | Days Open | Owner |
|---|---|---|---|---|
| DEV-2025-089 | Vendor DPA Renewal (Vendor X) | 0 | 12 | Procurement |
| DEV-2025-091 | DSAR Response SLA (LGPD) | 67 | 5 | Privacy Ops |
| DEV-2025-088 | Training Completion (Engineering) | 88 | 21 | L&D |
| DEV-2025-092 | Cookie Consent Banner (FR site) | 72 | 3 | Marketing |
| DEV-2025-087 | Retention Job Failure (Archive DB) | 50 | 8 | Data Engineering |