Links RoPA entries to DPIAs and lawful basis assessments with cross-references, dependency tracking, and cascade updates between registers for GDPR compliance.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
GDPR Article 35 requires a Data Protection Impact Assessment for processing likely to result in a high risk to data subjects' rights and freedoms. Article 30 requires records of all processing activities. These two obligations are interdependent: every DPIA should map to one or more RoPA entries, and every RoPA entry flagged as high-risk should reference a DPIA. This skill establishes the cross...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
GDPR Article 35 requires a Data Protection Impact Assessment for processing likely to result in a high risk to data subjects' rights and freedoms. Article 30 requires records of all processing activities. These two obligations are interdependent: every DPIA should map to one or more RoPA entries, and every RoPA entry flagged as high-risk should reference a DPIA. This skill establishes the cross-reference system, dependency tracking mechanisms, and update cascade triggers that ensure consistency between RoPA, the DPIA register, and lawful basis assessments.
┌──────────────────────┐ ┌──────────────────────┐
│ RoPA Register │◄─────►│ DPIA Register │
│ │ │ │
│ RPA-001: Payroll │ │ DPIA-2024-PAY-001 │
│ RPA-002: Clinical │◄─────►│ DPIA-2024-ONC-04 │
│ RPA-003: Analytics │ │ (No DPIA required) │
│ ... │ │ ... │
└──────────┬───────────┘ └───────────┬───────────┘
│ │
│ ┌───────────────────┐ │
└──────►│ Lawful Basis │◄──┘
│ Register │
│ │
│ LIA-2025-GA4-001│
│ CON-2024-CT-04 │
│ ... │
└───────────────────┘
Adopt a consistent identifier format across all three registers:
| Register | ID Format | Example |
|---|---|---|
| RoPA | RPA-[NNN] | RPA-002 |
| DPIA | DPIA-[YYYY]-[CODE]-[NNN] | DPIA-2024-ONC-04 |
| Legitimate Interest Assessment | LIA-[YYYY]-[CODE]-[NNN] | LIA-2025-GA4-001 |
| Consent Record | CON-[YYYY]-[CODE]-[NNN] | CON-2024-CT-04 |
| Legal Obligation Assessment | LOA-[YYYY]-[CODE]-[NNN] | LOA-2024-TAX-001 |
| RoPA Entry | Processing Activity | DPIA Required | DPIA Reference | DPIA Status | Reason |
|---|---|---|---|---|---|
| RPA-001 | Employee payroll | No | — | — | Standard employment processing, no high-risk indicators |
| RPA-002 | Clinical trial data management | Yes | DPIA-2024-ONC-04 | Approved (2024-02-28) | Large-scale processing of health and genetic data (Art. 35(3)(b)) |
| RPA-003 | Website analytics | No | — | — | IP truncation and aggregation reduce risk below DPIA threshold |
| RPA-004 | Employee performance profiling | Yes | DPIA-2025-PERF-001 | Under review | Systematic evaluation of employees based on work performance (Art. 35(3)(a)) |
| RPA-005 | CCTV surveillance | Yes | DPIA-2024-CCTV-001 | Approved (2024-06-15) | Systematic monitoring of publicly accessible area (Art. 35(3)(c)) |
| RPA-006 | Genomic data analysis | Yes | DPIA-2025-GEN-002 | Draft | Large-scale processing of genetic data with automated profiling |
| RPA-007 | Customer CRM | No | — | — | Standard B2B customer management, no profiling |
| RPA-008 | Pharmacovigilance reporting | Yes | DPIA-2024-PV-001 | Approved (2024-04-10) | Systematic processing of health data for adverse event monitoring |
Each DPIA must reference the RoPA entry (or entries) it covers:
| DPIA Reference | DPIA Title | RoPA Entries Covered | Status |
|---|---|---|---|
| DPIA-2024-ONC-04 | Phase III Oncology Trial HBX-2025-ONC-04 | RPA-002 | Approved |
| DPIA-2025-PERF-001 | Employee Performance Analytics System | RPA-004 | Under review |
| DPIA-2024-CCTV-001 | Office CCTV Surveillance System | RPA-005 | Approved |
| DPIA-2025-GEN-002 | Personalised Medicine Genomic Analysis | RPA-006, RPA-009 | Draft |
| DPIA-2024-PV-001 | Pharmacovigilance Adverse Event Processing | RPA-008 | Approved |
When any of the following RoPA fields change, assess whether the existing DPIA remains valid or requires an update under Art. 35(11):
| RoPA Field Changed | DPIA Impact | Action Required |
|---|---|---|
| Purpose expanded or new purpose added | May increase risk profile | Re-assess DPIA necessity; update DPIA if risk changes |
| New category of data subjects (especially vulnerable groups) | Increases risk | Update DPIA risk assessment |
| New special category data processed | Increases risk substantially | Update or conduct new DPIA |
| New recipient or processor added | May change risk profile | Review DPIA data sharing risks section |
| New international transfer | Increases risk (Schrems II considerations) | Update DPIA transfer risk section |
| Retention period extended | May increase risk | Review DPIA proportionality assessment |
| Security measures reduced or changed | Directly affects risk mitigation | Update DPIA risk mitigation measures |
| Processing volume significantly increased | Scale change may trigger new DPIA threshold | Re-assess Art. 35(3)(b) large-scale criterion |
| DPIA Event | RoPA Impact | Action Required |
|---|---|---|
| New DPIA approved | RoPA entry must reference DPIA | Add DPIA reference to RoPA entry |
| DPIA identifies new risk mitigation measures | Security measures field may need update | Update Art. 30(1)(g) to reflect new measures |
| DPIA recommends purpose limitation | Purpose field may need narrowing | Update Art. 30(1)(b) to reflect restricted purpose |
| DPIA recommends reduced retention | Retention field must be updated | Update Art. 30(1)(f) with new retention period |
| DPIA recommends additional safeguards for transfers | Transfer field must be updated | Update Art. 30(1)(e) with new safeguards |
| DPIA prior consultation outcome (Art. 36) | May restrict or condition processing | Update all affected RoPA fields per SA conditions |
| DPIA rejected (processing deemed too risky) | Processing activity must not proceed | RoPA entry should not be created, or existing entry archived |
| Lawful Basis Event | RoPA Impact | DPIA Impact |
|---|---|---|
| Consent withdrawn (Art. 7(3)) | Processing must cease; RoPA entry archived or updated | DPIA risk assessment may change if consent was a mitigating factor |
| Legitimate interest challenged | LIA must be re-conducted; RoPA purpose may change | DPIA balancing test must be updated |
| New legal obligation identified | RoPA lawful basis field updated | DPIA may be less relevant if processing is legally mandated |
| Lawful basis changed (e.g., consent to legitimate interest) | RoPA purpose and lawful basis fields updated | DPIA risk profile may change; Art. 9 condition may be affected |
When a change occurs in any of the three registers, propagate checks to the linked registers:
RoPA Change Detected
│
├── Is this entry linked to a DPIA?
│ ├── Yes → Flag DPIA for review (Art. 35(11))
│ └── No → Does the change make the processing high-risk?
│ ├── Yes → Trigger DPIA necessity assessment
│ └── No → No DPIA action required
│
└── Does this change affect the lawful basis?
├── Yes → Flag lawful basis assessment for review
└── No → No lawful basis action required
DPIA Change Detected
│
├── Does the DPIA outcome change risk mitigation measures?
│ └── Yes → Update RoPA security measures field
│
├── Does the DPIA outcome change processing scope?
│ └── Yes → Update RoPA purpose, data categories, or recipients
│
└── Does the DPIA outcome affect lawful basis assessment?
└── Yes → Flag lawful basis for review
Lawful Basis Change Detected
│
├── Update RoPA lawful basis field
└── Review DPIA assumptions about lawful basis
Each RoPA entry should include the following linkage fields:
{
"record_id": "RPA-002",
"processing_activity": "Clinical trial participant data management",
"dpia_required": true,
"dpia_reference": "DPIA-2024-ONC-04",
"dpia_status": "Approved",
"dpia_approval_date": "2024-02-28",
"dpia_next_review_date": "2025-02-28",
"lawful_basis_reference": "CON-2024-CT-04",
"lawful_basis_type": "Art. 6(1)(a) consent + Art. 9(2)(a) explicit consent",
"lawful_basis_assessment_date": "2024-01-15",
"art9_condition": "Art. 9(2)(a) — explicit consent per ICH E6(R2) informed consent process",
"linked_lia": null,
"prior_consultation_required": false,
"prior_consultation_reference": null
}
Use this checklist to determine whether a RoPA entry requires a DPIA:
| Criterion | Art. 35 Reference | Applicable | Notes |
|---|---|---|---|
| Systematic and extensive profiling with significant effects | Art. 35(3)(a) | [ ] | E.g., employee performance scoring, credit scoring |
| Large-scale processing of special category or criminal data | Art. 35(3)(b) | [ ] | E.g., clinical trials, genetic analysis, health data |
| Systematic monitoring of publicly accessible area | Art. 35(3)(c) | [ ] | E.g., CCTV, public Wi-Fi tracking |
| On supervisory authority blacklist | Art. 35(4) | [ ] | Check CNIL/BfDI/ICO published blacklists |
| Evaluation or scoring | WP29 Guidelines | [ ] | Including profiling and predicting |
| Automated decision-making with legal/significant effects | WP29 Guidelines | [ ] | Art. 22 processing |
| Systematic monitoring | WP29 Guidelines | [ ] | Employee monitoring, network monitoring |
| Sensitive data or data of highly personal nature | WP29 Guidelines | [ ] | Location data, financial data, communications metadata |
| Large scale | WP29 Guidelines | [ ] | Number of data subjects, volume, geographic scope |
| Matching or combining datasets | WP29 Guidelines | [ ] | From different sources/controllers for different purposes |
| Vulnerable data subjects | WP29 Guidelines | [ ] | Children, employees, patients, elderly |
| Innovative use or applying new technology | WP29 Guidelines | [ ] | AI/ML, IoT, biometrics, blockchain |
| Transfer outside EEA | WP29 Guidelines | [ ] | Especially to countries without adequacy |
| Processing preventing data subjects from exercising a right | WP29 Guidelines | [ ] | Blocking access to a service or contract |
Rule of thumb (EDPB/WP29): If two or more of these criteria apply, a DPIA is likely required.