Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Audits RoPA entries against CNIL, ICO, and BfDI supervisory templates, scoring completeness, identifying gaps, and tracking remediation for GDPR readiness.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-skills-complete:ropa-completeness-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Supervisory authorities across the EEA publish RoPA templates and guidance that extend beyond the bare minimum Art. 30(1) requirements. While Art. 30(1) mandates seven fields, supervisory authorities such as CNIL, ICO, and BfDI expect additional information in practice. This skill provides a methodology for auditing RoPA entries against these expanded expectations, calculating completeness scor...
Audits RoPA entries against CNIL, ICO, and BfDI supervisory templates, scoring completeness, identifying gaps, and tracking remediation for GDPR readiness.
Audits Records of Processing Activities (RoPA) against GDPR Article 30 requirements for controllers and processors. Verifies completeness of fields like purposes, data categories, recipients, transfers, retention, and security measures.
Guides GDPR compliance audits with 50+ control points across Articles 5, 24, 25, 28, 30, 32, 35, 37 covering principles, accountability, security, governance.
Share bugs, ideas, or general feedback.
Supervisory authorities across the EEA publish RoPA templates and guidance that extend beyond the bare minimum Art. 30(1) requirements. While Art. 30(1) mandates seven fields, supervisory authorities such as CNIL, ICO, and BfDI expect additional information in practice. This skill provides a methodology for auditing RoPA entries against these expanded expectations, calculating completeness scores, identifying gaps, and tracking remediation to achieve supervisory authority readiness.
The CNIL publishes the most structured RoPA template in the EU, available in both PDF and machine-readable (CSV/JSON) format. The CNIL template requires the Art. 30 mandatory fields plus additional recommended fields:
| Field | Art. 30 Mandatory | CNIL Required | CNIL Recommended |
|---|---|---|---|
| Controller identity and contact | Yes (a) | Yes | — |
| Joint controller details | Yes (a) | Yes | — |
| DPO contact | Yes (a) | Yes | — |
| Processing activity name | — | Yes | — |
| Purposes of processing | Yes (b) | Yes | — |
| Lawful basis (Art. 6) | — | — | Yes |
| Data subject categories | Yes (c) | Yes | — |
| Personal data categories | Yes (c) | Yes | — |
| Special category indication (Art. 9) | — | — | Yes |
| Recipient categories | Yes (d) | Yes | — |
| Processor details with DPA reference | — | — | Yes |
| International transfers | Yes (e) | Yes | — |
| Transfer safeguard mechanism | — | Yes | — |
| Retention periods | Yes (f) | Yes | — |
| Security measures | Yes (g) | Yes | — |
| DPIA conducted (yes/no) | — | — | Yes |
| DPIA reference | — | — | Yes |
| Last review date | — | — | Yes |
The ICO template aligns with UK GDPR Art. 30 and includes guidance notes for each field:
| Field | Art. 30 Mandatory | ICO Required | ICO Recommended |
|---|---|---|---|
| Controller name and contact | Yes (a) | Yes | — |
| DPO contact | Yes (a) | Yes | — |
| Purposes of processing | Yes (b) | Yes | — |
| Lawful basis | — | Yes | — |
| Legitimate interest description (if applicable) | — | — | Yes |
| Data subject categories | Yes (c) | Yes | — |
| Personal data categories | Yes (c) | Yes | — |
| Special category data and Art. 9 condition | — | Yes | — |
| Recipients | Yes (d) | Yes | — |
| International transfers with safeguards | Yes (e) | Yes | — |
| Retention periods | Yes (f) | Yes | — |
| Technical and organisational measures | Yes (g) | Yes | — |
| Link to privacy notice | — | — | Yes |
| DPIA reference | — | — | Yes |
The German Federal Commissioner for Data Protection (BfDI) publishes guidance (Hinweise zum Verzeichnis von Verarbeitungstaetigkeiten) with sector-specific requirements:
| Field | Art. 30 Mandatory | BfDI Required | BfDI Recommended |
|---|---|---|---|
| Controller identity (Verantwortlicher) | Yes (a) | Yes | — |
| DPO (Datenschutzbeauftragte/r) | Yes (a) | Yes | — |
| Purpose (Zweck der Verarbeitung) | Yes (b) | Yes | — |
| Lawful basis (Rechtsgrundlage) | — | Yes | — |
| Data subject categories (Kategorien betroffener Personen) | Yes (c) | Yes | — |
| Personal data categories (Kategorien personenbezogener Daten) | Yes (c) | Yes | — |
| Recipients (Empfaenger) | Yes (d) | Yes | — |
| Transfers to third countries (Uebermittlungen in Drittlaender) | Yes (e) | Yes | — |
| Transfer safeguard with reference | — | Yes | — |
| Retention periods (Loeschfristen) | Yes (f) | Yes | — |
| Technical measures (Technische Massnahmen) | Yes (g) | Yes | — |
| Organisational measures (Organisatorische Massnahmen) | — | Yes | — |
| Responsible department (Verantwortliche Fachabteilung) | — | — | Yes |
| IT systems used | — | — | Yes |
Each RoPA entry is scored against a three-tier assessment:
| Field | Present (1/0) | Quality Score (0-3) |
|---|---|---|
| Art. 30(1)(a) Controller identity | [1/0] | 0 = Missing, 1 = Partial, 2 = Complete, 3 = Excellent |
| Art. 30(1)(b) Purposes | [1/0] | 0-3 |
| Art. 30(1)(c) Data subject categories | [1/0] | 0-3 |
| Art. 30(1)(c) Personal data categories | [1/0] | 0-3 |
| Art. 30(1)(d) Recipients | [1/0] | 0-3 |
| Art. 30(1)(e) International transfers | [1/0] | 0-3 |
| Art. 30(1)(f) Retention periods | [1/0] | 0-3 |
| Art. 30(1)(g) Security measures | [1/0] | 0-3 |
Quality scoring criteria:
Score additional fields required or recommended by the target SA. Each SA template adds 3-6 fields beyond Art. 30 minimums.
| Metric | Scoring |
|---|---|
| Purpose specificity | 0-3 (penalise vague terms per EDPB guidance) |
| Retention concreteness | 0-3 (penalise "as long as necessary" type terms) |
| Transfer mechanism documentation | 0-3 (must identify specific mechanism, not just "safeguards in place") |
| Review currency | 0-3 (reviewed within 12m = 3, 12-18m = 2, 18-24m = 1, >24m = 0) |
| DPA cross-reference | 0-3 (all processors have DPA refs = 3) |
Tier 1 Score = (fields present / 8) * (avg quality / 3) * 100
Tier 2 Score = (SA fields present / SA total fields) * (avg quality / 3) * 100
Tier 3 Score = (sum of quality metrics / max possible) * 100
Overall = (Tier 1 * 0.40) + (Tier 2 * 0.35) + (Tier 3 * 0.25)
Readiness thresholds:
| Score | Rating | Interpretation |
|---|---|---|
| 95-100% | Excellent | Supervisory authority ready — no immediate action |
| 85-94% | Good | Minor improvements recommended before SA interaction |
| 70-84% | Acceptable | Material gaps exist — remediation plan required |
| 50-69% | Poor | Significant non-compliance risk — urgent remediation |
| Below 50% | Critical | RoPA fundamentally deficient — rebuild required |
Select the primary supervisory authority template based on:
For each RoPA entry, compare every field against the selected SA template and classify:
| Classification | Definition | Remediation Priority |
|---|---|---|
| Compliant | Field meets or exceeds SA expectations | None |
| Gap — Missing | Required field is absent | High |
| Gap — Incomplete | Field is present but does not meet SA expectations | Medium |
| Gap — Stale | Field content is outdated | Medium |
| Gap — Vague | Field content uses imprecise language | Medium |
| Enhancement | SA-recommended field not present | Low |
Compile all identified gaps into a structured register:
| Gap ID | Record ID | Processing Activity | Field | Classification | SA Template | Description | Severity | Remediation Owner | Target Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| GAP-001 | RPA-023 | Customer analytics | Art. 30(1)(f) | Missing | CNIL | Retention period field is empty | Critical | Stefan Richter | [Date] | Open |
| GAP-002 | RPA-034 | Website analytics | Art. 30(1)(b) | Vague | CNIL | Purpose too broad ("analytics") | Major | Julia Richter | [Date] | Open |
| Severity | Total | Open | In Progress | Remediated | Verified |
|---|---|---|---|---|---|
| Critical | 3 | 0 | 1 | 1 | 1 |
| Major | 11 | 2 | 4 | 3 | 2 |
| Minor | 9 | 3 | 2 | 3 | 1 |
| Enhancement | 8 | 5 | 1 | 2 | 0 |
| Total | 31 | 10 | 8 | 9 | 4 |
| Audit Type | Frequency | Scope |
|---|---|---|
| Full completeness audit | Annually | All RoPA entries against selected SA template |
| Targeted audit (post-change) | As needed | Entries affected by organisational or regulatory change |
| Pre-investigation readiness check | On demand | Full RoPA in preparation for SA investigation or inquiry |
| Automated completeness scan | Monthly | All entries — field presence and vague term detection only |