Implements NIST Privacy Framework COMMUNICATE function for CM.AW awareness raising and CM.PO policies. Provides transparency mechanisms, stakeholder engagement, privacy notices, and workflows.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
The COMMUNICATE function develops and implements appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. This function is essential for building trust and ensuring transparency with data subjects, regulators, and business partners.
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
The COMMUNICATE function develops and implements appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. This function is essential for building trust and ensuring transparency with data subjects, regulators, and business partners.
Raising awareness of data processing practices and privacy risks among stakeholders.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| CM.AW-P1 | Mechanisms (e.g., notices, internal policies) for communicating data processing purposes, practices, and associated privacy risks are established and in service | Publish layered privacy notices. Maintain internal data processing documentation. Establish communication channels for privacy inquiries. |
| CM.AW-P2 | Mechanisms for obtaining feedback from individuals about data processing and associated privacy risks are established and in service | Deploy feedback forms on privacy pages. Monitor privacy-related inquiries through support channels. Conduct periodic privacy perception surveys. |
| CM.AW-P3 | System/product/service design enables data processing visibility | Implement privacy dashboards for data subjects. Provide real-time data processing status. Enable granular consent visibility. |
| CM.AW-P4 | Records of data disclosures and sharing are maintained and can be accessed for review or transmission | Maintain disclosure registers. Enable data subjects to view sharing history. Automate disclosure logging. |
| CM.AW-P5 | Data corrections or deletions can be communicated to individuals or organizations that have received the data | Implement downstream notification workflows. Track data recipients for correction propagation. Automate deletion verification across partners. |
| CM.AW-P6 | Data provenance and lineage are maintained and can be accessed for review or transmission | Document data origins and transformation history. Provide lineage visualization. Enable audit trail access for authorized parties. |
| CM.AW-P7 | Impacted individuals and organizations are notified about a privacy breach or event | Develop breach notification templates. Establish notification timelines per jurisdiction. Maintain contact information for notification delivery. |
| CM.AW-P8 | Individuals are provided with mitigation mechanisms for observed privacy risks | Offer identity protection services post-breach. Provide self-service privacy controls. Communicate available remediation options. |
Policies governing how privacy-related information is communicated.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| CM.PO-P1 | Transparency policies, processes, and procedures for communicating data processing purposes, practices, associated privacy risks, and options for enabling data subjects' data processing preferences are established and in service | Develop layered transparency framework. Define communication standards for each audience. |
| CM.PO-P2 | Roles and responsibilities for communicating privacy-related information are established | Assign communications ownership. Define approval workflows for external privacy communications. |
Layer 1: Short Notice (Banner/Summary)
├── Who we are
├── What data we collect
├── Key purposes
├── Core rights
└── Link to full notice
Layer 2: Full Privacy Notice
├── Detailed purposes and legal bases
├── Data categories and sources
├── Recipients and transfers
├── Retention periods
├── Complete rights information
├── Contact information
└── Links to supplementary notices
Layer 3: Supplementary Notices
├── Cookie Policy
├── Children's Privacy Notice
├── Employee Privacy Notice
├── Specific Service Notices
└── Jurisdiction-Specific Addenda
Layer 4: Just-in-Time Notices
├── Collection-point notifications
├── Consent requests with context
├── Purpose-specific explanations
└── Processing change notifications
| Audience | Channel | Frequency | Content Type | Owner |
|---|---|---|---|---|
| Data subjects (general) | Website privacy center | Continuous | Notices, policies, FAQs | Privacy Team |
| Data subjects (customers) | Email, in-app notifications | Event-driven | Consent changes, updates | Marketing + Privacy |
| Data subjects (employees) | Intranet, HR portal | Semi-annual + event | Employee privacy info | HR + Privacy |
| Regulators | Formal correspondence | As required | Compliance reports, notifications | Legal + DPO |
| Business partners | Contract addenda, portal | Annual + event | Processing terms, audit rights | Legal + Procurement |
| Board/executives | Dashboards, presentations | Quarterly | Risk reports, KPIs | CPO |
| Internal teams | Confluence, training | Monthly | Guidelines, best practices | Privacy Champions |
| Element | GDPR Art. 13/14 | CCPA/CPRA | LGPD | PIPEDA |
|---|---|---|---|---|
| Controller identity | Required | Required | Required | Required |
| DPO contact | Required | N/A | Required (DPO equivalent) | N/A |
| Processing purposes | Required | Required | Required | Required |
| Legal basis | Required | N/A | Required | N/A |
| Data categories | Required | Required | Required | Required |
| Recipients | Required | Required | Required | Required |
| International transfers | Required | N/A | Required | Required |
| Retention periods | Required | Disclosed on request | Required | Required |
| Data subject rights | Required | Required | Required | Required |
| Right to complain | Required | N/A | Required | Required |
| Automated decision-making | Required | CPRA: Required | Required | N/A |
| Data source (indirect collection) | Required | Required | Required | Required |
| Sale/sharing opt-out | N/A | Required | N/A | N/A |
| Financial incentive terms | N/A | Required | N/A | N/A |
Inquiry Received
|
v
Classify Inquiry Type
├── General Privacy Question → FAQ/Knowledge Base → Respond within 5 business days
├── Data Subject Request → Route to DSR Workflow → Respond within regulatory deadline
├── Complaint → Escalate to DPO → Investigate → Respond within 15 business days
├── Breach Inquiry → Route to Incident Team → Coordinate response
└── Consent Change → Process immediately → Confirm within 24 hours
| Communication Type | Drafting | Review | Approval | Distribution |
|---|---|---|---|---|
| Privacy policy update | Privacy Team | Legal | CPO + General Counsel | Web team |
| Breach notification | Incident Lead | Legal + DPO | CEO + General Counsel | Communications |
| Regulatory response | DPO | Legal | General Counsel | DPO |
| Marketing consent request | Marketing | Privacy Team | CPO | Marketing |
| Internal policy update | Privacy Team | Stakeholders | CPO | Internal comms |
| NIST PF COMMUNICATE | ISO 27701 | GDPR Article | APEC CBPR |
|---|---|---|---|
| CM.AW-P1 | A.7.3.2 | Art. 12, 13, 14 | Principle 5 |
| CM.AW-P2 | A.7.3.8 | Art. 77 | Principle 9 |
| CM.AW-P3 | A.7.2.5 | Art. 12(1) | Principle 5 |
| CM.AW-P4 | A.7.5.3 | Art. 19 | Principle 7 |
| CM.AW-P7 | A.7.3.9 | Art. 34 | Principle 8 |
| CM.PO-P1 | A.7.3.2 | Art. 12 | Principle 5 |
| CM.PO-P2 | 5.3 | Art. 37-39 | Principle 9 |