Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Implements NIST Privacy Framework COMMUNICATE function for CM.AW awareness raising and CM.PO policies. Provides transparency mechanisms, stakeholder engagement, privacy notices, and workflows.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-skills-complete:nist-pf-communicateThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The COMMUNICATE function develops and implements appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. This function is essential for building trust and ensuring transparency with data subjects, regulators, and business partners.
Implements NIST Privacy Framework COMMUNICATE function for CM.AW awareness raising and CM.PO policies. Provides transparency mechanisms, stakeholder engagement, privacy notices, and workflows.
Implements NIST Privacy Framework GOVERN function: GV.AT awareness/training, GV.MT monitoring/review, GV.PO policy development, GV.RR roles/responsibilities. Provides templates and frameworks for privacy governance.
Guides NIST Privacy Framework IDENTIFY function implementation covering ID.BE, ID.DA, ID.IM, ID.RA subcategories with GDPR mappings for privacy compliance.
Share bugs, ideas, or general feedback.
The COMMUNICATE function develops and implements appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. This function is essential for building trust and ensuring transparency with data subjects, regulators, and business partners.
Raising awareness of data processing practices and privacy risks among stakeholders.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| CM.AW-P1 | Mechanisms (e.g., notices, internal policies) for communicating data processing purposes, practices, and associated privacy risks are established and in service | Publish layered privacy notices. Maintain internal data processing documentation. Establish communication channels for privacy inquiries. |
| CM.AW-P2 | Mechanisms for obtaining feedback from individuals about data processing and associated privacy risks are established and in service | Deploy feedback forms on privacy pages. Monitor privacy-related inquiries through support channels. Conduct periodic privacy perception surveys. |
| CM.AW-P3 | System/product/service design enables data processing visibility | Implement privacy dashboards for data subjects. Provide real-time data processing status. Enable granular consent visibility. |
| CM.AW-P4 | Records of data disclosures and sharing are maintained and can be accessed for review or transmission | Maintain disclosure registers. Enable data subjects to view sharing history. Automate disclosure logging. |
| CM.AW-P5 | Data corrections or deletions can be communicated to individuals or organizations that have received the data | Implement downstream notification workflows. Track data recipients for correction propagation. Automate deletion verification across partners. |
| CM.AW-P6 | Data provenance and lineage are maintained and can be accessed for review or transmission | Document data origins and transformation history. Provide lineage visualization. Enable audit trail access for authorized parties. |
| CM.AW-P7 | Impacted individuals and organizations are notified about a privacy breach or event | Develop breach notification templates. Establish notification timelines per jurisdiction. Maintain contact information for notification delivery. |
| CM.AW-P8 | Individuals are provided with mitigation mechanisms for observed privacy risks | Offer identity protection services post-breach. Provide self-service privacy controls. Communicate available remediation options. |
Policies governing how privacy-related information is communicated.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| CM.PO-P1 | Transparency policies, processes, and procedures for communicating data processing purposes, practices, associated privacy risks, and options for enabling data subjects' data processing preferences are established and in service | Develop layered transparency framework. Define communication standards for each audience. |
| CM.PO-P2 | Roles and responsibilities for communicating privacy-related information are established | Assign communications ownership. Define approval workflows for external privacy communications. |
Layer 1: Short Notice (Banner/Summary)
├── Who we are
├── What data we collect
├── Key purposes
├── Core rights
└── Link to full notice
Layer 2: Full Privacy Notice
├── Detailed purposes and legal bases
├── Data categories and sources
├── Recipients and transfers
├── Retention periods
├── Complete rights information
├── Contact information
└── Links to supplementary notices
Layer 3: Supplementary Notices
├── Cookie Policy
├── Children's Privacy Notice
├── Employee Privacy Notice
├── Specific Service Notices
└── Jurisdiction-Specific Addenda
Layer 4: Just-in-Time Notices
├── Collection-point notifications
├── Consent requests with context
├── Purpose-specific explanations
└── Processing change notifications
| Audience | Channel | Frequency | Content Type | Owner |
|---|---|---|---|---|
| Data subjects (general) | Website privacy center | Continuous | Notices, policies, FAQs | Privacy Team |
| Data subjects (customers) | Email, in-app notifications | Event-driven | Consent changes, updates | Marketing + Privacy |
| Data subjects (employees) | Intranet, HR portal | Semi-annual + event | Employee privacy info | HR + Privacy |
| Regulators | Formal correspondence | As required | Compliance reports, notifications | Legal + DPO |
| Business partners | Contract addenda, portal | Annual + event | Processing terms, audit rights | Legal + Procurement |
| Board/executives | Dashboards, presentations | Quarterly | Risk reports, KPIs | CPO |
| Internal teams | Confluence, training | Monthly | Guidelines, best practices | Privacy Champions |
| Element | GDPR Art. 13/14 | CCPA/CPRA | LGPD | PIPEDA |
|---|---|---|---|---|
| Controller identity | Required | Required | Required | Required |
| DPO contact | Required | N/A | Required (DPO equivalent) | N/A |
| Processing purposes | Required | Required | Required | Required |
| Legal basis | Required | N/A | Required | N/A |
| Data categories | Required | Required | Required | Required |
| Recipients | Required | Required | Required | Required |
| International transfers | Required | N/A | Required | Required |
| Retention periods | Required | Disclosed on request | Required | Required |
| Data subject rights | Required | Required | Required | Required |
| Right to complain | Required | N/A | Required | Required |
| Automated decision-making | Required | CPRA: Required | Required | N/A |
| Data source (indirect collection) | Required | Required | Required | Required |
| Sale/sharing opt-out | N/A | Required | N/A | N/A |
| Financial incentive terms | N/A | Required | N/A | N/A |
Inquiry Received
|
v
Classify Inquiry Type
├── General Privacy Question → FAQ/Knowledge Base → Respond within 5 business days
├── Data Subject Request → Route to DSR Workflow → Respond within regulatory deadline
├── Complaint → Escalate to DPO → Investigate → Respond within 15 business days
├── Breach Inquiry → Route to Incident Team → Coordinate response
└── Consent Change → Process immediately → Confirm within 24 hours
| Communication Type | Drafting | Review | Approval | Distribution |
|---|---|---|---|---|
| Privacy policy update | Privacy Team | Legal | CPO + General Counsel | Web team |
| Breach notification | Incident Lead | Legal + DPO | CEO + General Counsel | Communications |
| Regulatory response | DPO | Legal | General Counsel | DPO |
| Marketing consent request | Marketing | Privacy Team | CPO | Marketing |
| Internal policy update | Privacy Team | Stakeholders | CPO | Internal comms |
| NIST PF COMMUNICATE | ISO 27701 | GDPR Article | APEC CBPR |
|---|---|---|---|
| CM.AW-P1 | A.7.3.2 | Art. 12, 13, 14 | Principle 5 |
| CM.AW-P2 | A.7.3.8 | Art. 77 | Principle 9 |
| CM.AW-P3 | A.7.2.5 | Art. 12(1) | Principle 5 |
| CM.AW-P4 | A.7.5.3 | Art. 19 | Principle 7 |
| CM.AW-P7 | A.7.3.9 | Art. 34 | Principle 8 |
| CM.PO-P1 | A.7.3.2 | Art. 12 | Principle 5 |
| CM.PO-P2 | 5.3 | Art. 37-39 | Principle 9 |