Guides privacy law gap analysis for market entry into new jurisdictions: assesses regulations, maps compliance gaps, estimates remediation efforts, and plans timelines.
Install: `npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete`

This skill uses the workspace's default tool permissions.
When an organisation enters a new market, it must assess the target jurisdiction's privacy requirements against its existing compliance posture. A structured gap analysis identifies what additional controls, policies, and procedures are needed to achieve compliance before commencing operations. This skill provides a repeatable methodology for conducting such assessments, estimating remediation effort, and planning implementation timelines.
Start by mapping the target jurisdiction's regulatory landscape:

| Assessment Element | Questions to Answer |
|---|---|
| Primary data protection law | What is the comprehensive data protection statute? When was it enacted and last amended? |
| Regulator | Which authority enforces the law? What is its enforcement track record? |
| Scope | Does the law have extraterritorial reach? What activities trigger applicability? |
| Registration/notification | Is regulatory registration or notification required before processing? |
| Local representative | Is a local representative or establishment required? |
| DPO requirement | Must a Data Protection Officer be appointed? What qualifications are needed? |
| Sector-specific rules | Are there additional sector-specific requirements (financial, health, telecom)? |
Extract detailed requirements across 12 compliance domains, then inventory the organisation's existing controls so each requirement can be mapped to what is already in place:
| Control Category | Inventory Items |
|---|---|
| Policies | Privacy policy, cookie policy, employee privacy notice, vendor privacy requirements |
| Procedures | DSR response, breach notification, DPIA, consent management, data deletion |
| Technical controls | Encryption, access control, logging, DLP, anonymisation/pseudonymisation |
| Organisational controls | DPO, privacy team, training programme, governance committee |
| Contractual controls | DPA templates, SCC templates, vendor agreements, intra-group agreements |
| Records | Processing register, consent records, transfer register, breach log |
For each target jurisdiction requirement, assess whether an existing control meets it and classify any gap by legal necessity and enforcement risk:
| Classification | Definition | Priority | Remediation Timeline |
|---|---|---|---|
| Critical | Legal requirement with no existing control; enforcement risk is high | P1 | Before market entry |
| Significant | Legal requirement partially met; enhancement needed to avoid enforcement risk | P2 | Within 90 days of market entry |
| Minor | Best practice or low-enforcement-risk requirement not fully met | P3 | Within 180 days of market entry |
| Enhancement | Existing control meets requirement but could be optimised | P4 | Next annual review cycle |
Estimate the remediation effort for each gap using the following ranges (calendar weeks):

| Effort Category | Small | Medium | Large |
|---|---|---|---|
| Policy drafting/update | 1-2 weeks | 2-4 weeks | 4-8 weeks |
| Procedure development | 1-2 weeks | 2-6 weeks | 6-12 weeks |
| Technical implementation | 2-4 weeks | 4-8 weeks | 8-16 weeks |
| Training development and delivery | 1-2 weeks | 2-4 weeks | 4-8 weeks |
| Vendor/contract update | 2-4 weeks | 4-8 weeks | 8-16 weeks |
| Regulatory registration/filing | 1-4 weeks | 4-8 weeks | 8-24 weeks |
Plan the end-to-end programme on a 24-week timeline, with all P1 gaps closed before go-live:

| Week | Activity | Deliverable |
|---|---|---|
| 1-2 | Regulatory landscape mapping | Jurisdiction assessment report |
| 3-4 | Requirement extraction | Detailed requirements document |
| 5-6 | Current control mapping | Control inventory and mapping |
| 7-8 | Gap analysis | Gap report with classifications |
| 9-10 | Remediation planning | Remediation plan with effort estimates |
| 11-14 | P1 critical gap remediation | Updated policies, procedures, technical controls |
| 15-18 | P2 significant gap remediation | Enhanced controls and procedures |
| 19-20 | Training and awareness | Staff training completion |
| 21-22 | Pre-launch compliance review | Compliance readiness assessment |
| 23-24 | Go-live with monitoring | Market entry with active compliance monitoring |
Worked example: a GDPR-compliant organisation entering Vietnam. Jurisdiction assessment:

| Element | Detail |
|---|---|
| Law | Decree 13/2023/ND-CP on Personal Data Protection (effective 1 July 2023) |
| Regulator | Ministry of Public Security (MPS) — Department of Cybersecurity and Hi-tech Crime Prevention |
| Scope | All personal data processing in Vietnam; extraterritorial for activities targeting Vietnamese individuals |
| DPO requirement | Required for certain processors (large-scale sensitive data processing) |
| Cross-border transfer | Mandatory impact assessment dossier; file with MPS before first transfer |
| Breach notification | 72 hours to MPS |
| Key unique requirements | Transfer impact assessment dossier filed with MPS; consent required as primary basis |
Gap analysis of the organisation's existing EU-based programme against the Vietnamese requirements:

| Domain | Current Status | Gap Classification | Remediation |
|---|---|---|---|
| Lawful basis | GDPR-compliant consent framework | Partially met — Vietnam consent requirements differ | P2: Adapt consent forms for Vietnam-specific requirements |
| Individual rights | Global DSR portal | Partially met — Vietnamese language required | P2: Add Vietnamese language support |
| Cross-border transfer | EU SCCs in place | Not met — Vietnam requires MPS-filed impact dossier | P1: Prepare and file transfer impact assessment dossier |
| DPO | Global DPO structure | Partially met — local representative may be needed | P2: Assess and appoint local privacy contact |
| Breach notification | 72-hour global standard | Fully met | No gap |
| Privacy notice | Multi-language notices | Partially met — Vietnamese language needed | P2: Translate and localise privacy notice |
| Security | ISO 27001 certified | Fully met | No gap |
| Training | Annual global programme | Not met — Vietnam-specific content needed | P2: Develop Vietnam PDPD module |
Resulting remediation plan, with the P1 transfer dossier sequenced first because filing with MPS must precede the first cross-border transfer:

| Week | Activity | Priority |
|---|---|---|
| 1-2 | Prepare transfer impact assessment dossier | P1 |
| 3-4 | File dossier with MPS | P1 |
| 5-6 | Adapt consent forms and privacy notice (Vietnamese) | P2 |
| 7-8 | Add Vietnamese to DSR portal | P2 |
| 9-10 | Appoint local privacy contact | P2 |
| 11-12 | Develop and deliver Vietnam training module | P2 |
| 13-14 | Pre-launch compliance review | Final check |
Governance of the gap analysis and remediation plan:

| Element | Detail |
|---|---|
| Gap analysis owner | Chief Privacy Officer |
| Approval | Privacy Steering Committee sign-off on remediation plan |
| Tracking | Gap remediation tracked in GRC platform |
| Review | Post-entry review at 90 days to verify all gaps remediated |
| Reuse | Gap analysis template stored for future market entries |