Audits RoPA entries against CNIL, ICO, and BfDI supervisory templates, scoring completeness, identifying gaps, and tracking remediation for GDPR readiness.
`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete`

This skill uses the workspace's default tool permissions.
Supervisory authorities across the EEA publish RoPA templates and guidance that extend beyond the bare minimum Art. 30(1) requirements. While Art. 30(1) mandates seven fields, supervisory authorities such as CNIL, ICO, and BfDI expect additional information in practice. This skill provides a methodology for auditing RoPA entries against these expanded expectations, calculating completeness scores, identifying gaps, and tracking remediation to achieve supervisory authority readiness.
The CNIL publishes the most structured RoPA template in the EU, available in both PDF and machine-readable (CSV/JSON) format. The CNIL template requires the Art. 30 mandatory fields plus additional recommended fields:
| Field | Art. 30 Mandatory | CNIL Required | CNIL Recommended |
|---|---|---|---|
| Controller identity and contact | Yes (a) | Yes | — |
| Joint controller details | Yes (a) | Yes | — |
| DPO contact | Yes (a) | Yes | — |
| Processing activity name | — | Yes | — |
| Purposes of processing | Yes (b) | Yes | — |
| Lawful basis (Art. 6) | — | — | Yes |
| Data subject categories | Yes (c) | Yes | — |
| Personal data categories | Yes (c) | Yes | — |
| Special category indication (Art. 9) | — | — | Yes |
| Recipient categories | Yes (d) | Yes | — |
| Processor details with DPA reference | — | — | Yes |
| International transfers | Yes (e) | Yes | — |
| Transfer safeguard mechanism | — | Yes | — |
| Retention periods | Yes (f) | Yes | — |
| Security measures | Yes (g) | Yes | — |
| DPIA conducted (yes/no) | — | — | Yes |
| DPIA reference | — | — | Yes |
| Last review date | — | — | Yes |
The ICO template aligns with UK GDPR Art. 30 and includes guidance notes for each field:
| Field | Art. 30 Mandatory | ICO Required | ICO Recommended |
|---|---|---|---|
| Controller name and contact | Yes (a) | Yes | — |
| DPO contact | Yes (a) | Yes | — |
| Purposes of processing | Yes (b) | Yes | — |
| Lawful basis | — | Yes | — |
| Legitimate interest description (if applicable) | — | — | Yes |
| Data subject categories | Yes (c) | Yes | — |
| Personal data categories | Yes (c) | Yes | — |
| Special category data and Art. 9 condition | — | Yes | — |
| Recipients | Yes (d) | Yes | — |
| International transfers with safeguards | Yes (e) | Yes | — |
| Retention periods | Yes (f) | Yes | — |
| Technical and organisational measures | Yes (g) | Yes | — |
| Link to privacy notice | — | — | Yes |
| DPIA reference | — | — | Yes |
The German Federal Commissioner for Data Protection (BfDI) publishes guidance (Hinweise zum Verzeichnis von Verarbeitungstätigkeiten) with sector-specific requirements:
| Field | Art. 30 Mandatory | BfDI Required | BfDI Recommended |
|---|---|---|---|
| Controller identity (Verantwortlicher) | Yes (a) | Yes | — |
| DPO (Datenschutzbeauftragte/r) | Yes (a) | Yes | — |
| Purpose (Zweck der Verarbeitung) | Yes (b) | Yes | — |
| Lawful basis (Rechtsgrundlage) | — | Yes | — |
| Data subject categories (Kategorien betroffener Personen) | Yes (c) | Yes | — |
| Personal data categories (Kategorien personenbezogener Daten) | Yes (c) | Yes | — |
| Recipients (Empfänger) | Yes (d) | Yes | — |
| Transfers to third countries (Übermittlungen in Drittländer) | Yes (e) | Yes | — |
| Transfer safeguard with reference | — | Yes | — |
| Retention periods (Löschfristen) | Yes (f) | Yes | — |
| Technical measures (Technische Maßnahmen) | Yes (g) | Yes | — |
| Organisational measures (Organisatorische Maßnahmen) | — | Yes | — |
| Responsible department (Verantwortliche Fachabteilung) | — | — | Yes |
| IT systems used | — | — | Yes |
Each RoPA entry is scored against a three-tier assessment:
| Field | Present (1/0) | Quality Score (0-3) |
|---|---|---|
| Art. 30(1)(a) Controller identity | [1/0] | 0 = Missing, 1 = Partial, 2 = Complete, 3 = Excellent |
| Art. 30(1)(b) Purposes | [1/0] | 0-3 |
| Art. 30(1)(c) Data subject categories | [1/0] | 0-3 |
| Art. 30(1)(c) Personal data categories | [1/0] | 0-3 |
| Art. 30(1)(d) Recipients | [1/0] | 0-3 |
| Art. 30(1)(e) International transfers | [1/0] | 0-3 |
| Art. 30(1)(f) Retention periods | [1/0] | 0-3 |
| Art. 30(1)(g) Security measures | [1/0] | 0-3 |
Quality scoring criteria: each field is rated on the 0-3 scale shown in the table above (0 = Missing, 1 = Partial, 2 = Complete, 3 = Excellent). In the second tier, score the additional fields required or recommended by the target SA; each SA template adds 3-6 fields beyond the Art. 30 minimums.
| Metric | Scoring |
|---|---|
| Purpose specificity | 0-3 (penalise vague terms per EDPB guidance) |
| Retention concreteness | 0-3 (penalise "as long as necessary" type terms) |
| Transfer mechanism documentation | 0-3 (must identify specific mechanism, not just "safeguards in place") |
| Review currency | 0-3 (reviewed within 12m = 3, 12-18m = 2, 18-24m = 1, >24m = 0) |
| DPA cross-reference | 0-3 (all processors have DPA refs = 3) |
Tier 1 Score = (fields present / 8) * (avg quality / 3) * 100
Tier 2 Score = (SA fields present / SA total fields) * (avg quality / 3) * 100
Tier 3 Score = (sum of quality metrics / max possible) * 100
Overall = (Tier 1 * 0.40) + (Tier 2 * 0.35) + (Tier 3 * 0.25)
Readiness thresholds:
| Score | Rating | Interpretation |
|---|---|---|
| 95-100% | Excellent | Supervisory authority ready — no immediate action |
| 85-94% | Good | Minor improvements recommended before SA interaction |
| 70-84% | Acceptable | Material gaps exist — remediation plan required |
| 50-69% | Poor | Significant non-compliance risk — urgent remediation |
| Below 50% | Critical | RoPA fundamentally deficient — rebuild required |
Select the primary supervisory authority template based on:
For each RoPA entry, compare every field against the selected SA template and classify:
| Classification | Definition | Remediation Priority |
|---|---|---|
| Compliant | Field meets or exceeds SA expectations | None |
| Gap — Missing | Required field is absent | High |
| Gap — Incomplete | Field is present but does not meet SA expectations | Medium |
| Gap — Stale | Field content is outdated | Medium |
| Gap — Vague | Field content uses imprecise language | Medium |
| Enhancement | SA-recommended field not present | Low |
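The three-tier scoring, readiness thresholds and the "Gap — Missing" classification above can be run as one repeatable check. The following Python is an added example, not code from this skill or its repository; it assumes a RoPA entry held as a dict with auditor-assigned 0-3 quality scores, uses the CNIL field set, and averages quality over all fields of a tier with absent fields scoring 0 (a reading the formulas leave open). The vague-phrase list, audit date and sample entry are constructed.

```python
from datetime import date
# Art. 30(1)(a)-(g) fields; (c) covers both data-subject and personal-data categories.
ART30 = ["controller", "purposes", "data_subjects", "data_categories",
         "recipients", "transfers", "retention", "security"]
# CNIL required + recommended fields beyond Art. 30, taken from the CNIL table above.
CNIL = ["activity_name", "transfer_safeguard", "lawful_basis", "special_category",
        "processor_dpa_refs", "dpia_conducted", "dpia_reference", "last_review"]
VAGUE = ("as long as necessary", "safeguards in place", "analytics")  # constructed phrase list
THRESHOLDS = [(95, "Excellent"), (85, "Good"), (70, "Acceptable"), (50, "Poor"), (0, "Critical")]
AUDIT_DATE = date(2025, 1, 15)  # constructed audit date used for review currency

def present(entry, field):
    return entry.get(field) not in (None, "", [])
def tier_score(entry, fields):
    # Assumption: auditor-assigned 0-3 quality is averaged over all tier fields, absent ones as 0.
    found = sum(present(entry, f) for f in fields)
    avg_q = sum(entry.get("quality", {}).get(f, 0) for f in fields) / len(fields)
    return found / len(fields) * avg_q / 3 * 100
def review_currency(last_review, today):
    months = (today.year - last_review.year) * 12 + today.month - last_review.month
    return 3 if months <= 12 else 2 if months <= 18 else 1 if months <= 24 else 0
def specificity(text):
    # 0 for empty text or a penalised vague phrase, otherwise 1-3 by amount of detail given.
    return 0 if not text or any(v in text.lower() for v in VAGUE) else min(3, 1 + len(text.split()) // 4)
def tier3_score(entry, today):
    procs = entry.get("processors", [])  # assumption: no processors listed scores 0
    dpa = round(3 * sum(bool(p.get("dpa_ref")) for p in procs) / len(procs)) if procs else 0
    metrics = [specificity(entry.get("purposes")), specificity(entry.get("retention")),
               specificity(entry.get("transfer_safeguard")), dpa,
               review_currency(entry["last_review"], today) if entry.get("last_review") else 0]
    return sum(metrics) / (3 * len(metrics)) * 100
def audit(entry, today=AUDIT_DATE):
    t1, t2, t3 = tier_score(entry, ART30), tier_score(entry, CNIL), tier3_score(entry, today)
    overall = t1 * 0.40 + t2 * 0.35 + t3 * 0.25
    rating = next(name for floor, name in THRESHOLDS if overall >= floor)
    missing = [f for f in ART30 if not present(entry, f)]  # "Gap - Missing", priority High
    return {"tier1": round(t1, 1), "tier2": round(t2, 1), "tier3": round(t3, 1),
            "overall": round(overall, 1), "rating": rating, "missing": missing}

SAMPLE = {  # constructed entry modelled on RPA-034 (website analytics) in the register above
    "controller": "Example SAS, Paris", "purposes": "analytics", "data_subjects": "visitors",
    "data_categories": "IP address, device ids", "recipients": "analytics processor",
    "transfers": "USA", "retention": "", "security": "TLS, pseudonymised identifiers",
    "activity_name": "Website analytics", "lawful_basis": "Art. 6(1)(a) consent",
    "transfer_safeguard": "EU Standard Contractual Clauses 2021/914 module 2",
    "processors": [{"name": "Analytics Ltd", "dpa_ref": "DPA-2023-017"}],
    "processor_dpa_refs": "DPA-2023-017", "last_review": date(2024, 3, 1),
    "quality": {"controller": 3, "purposes": 1, "data_subjects": 2, "data_categories": 2, "recipients": 2,
                "transfers": 2, "security": 3, "activity_name": 3, "lawful_basis": 3, "transfer_safeguard": 3}}
```

Running `audit(SAMPLE)` on the sample entry flags the empty retention field as a missing Art. 30(1)(f) gap and the vague "analytics" purpose drags Tier 3 down, giving a Critical overall rating.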
Compile all identified gaps into a structured register:
| Gap ID | Record ID | Processing Activity | Field | Classification | SA Template | Description | Severity | Remediation Owner | Target Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| GAP-001 | RPA-023 | Customer analytics | Art. 30(1)(f) | Missing | CNIL | Retention period field is empty | Critical | Stefan Richter | [Date] | Open |
| GAP-002 | RPA-034 | Website analytics | Art. 30(1)(b) | Vague | CNIL | Purpose too broad ("analytics") | Major | Julia Richter | [Date] | Open |
| Severity | Total | Open | In Progress | Remediated | Verified |
|---|---|---|---|---|---|
| Critical | 3 | 0 | 1 | 1 | 1 |
| Major | 11 | 2 | 4 | 3 | 2 |
| Minor | 9 | 3 | 2 | 3 | 1 |
| Enhancement | 8 | 5 | 1 | 2 | 0 |
| Total | 31 | 10 | 8 | 9 | 4 |
| Audit Type | Frequency | Scope |
|---|---|---|
| Full completeness audit | Annually | All RoPA entries against selected SA template |
| Targeted audit (post-change) | As needed | Entries affected by organisational or regulatory change |
| Pre-investigation readiness check | On demand | Full RoPA in preparation for SA investigation or inquiry |
| Automated completeness scan | Monthly | All entries — field presence and vague term detection only |