Integrates Records of Processing Activities (RoPA) with OneTrust, TrustArc, Collibra, DataGrail via APIs for synchronization, data mapping, and automation. Useful for privacy platform setups and GDPR compliance.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
Manual RoPA maintenance using spreadsheets is error-prone, does not scale, and lacks the auditability required for accountability under GDPR Art. 5(2). Privacy management platforms such as OneTrust, TrustArc, Collibra, and DataGrail provide purpose-built RoPA capabilities with workflow automation, audit trails, and regulatory reporting. This skill covers the integration architecture, API-based ...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Manual RoPA maintenance using spreadsheets is error-prone, does not scale, and lacks the auditability required for accountability under GDPR Art. 5(2). Privacy management platforms such as OneTrust, TrustArc, Collibra, and DataGrail provide purpose-built RoPA capabilities with workflow automation, audit trails, and regulatory reporting. This skill covers the integration architecture, API-based synchronisation, and data mapping strategies for connecting enterprise IT systems with RoPA management platforms.
| Capability | OneTrust | TrustArc | Collibra | DataGrail |
|---|---|---|---|---|
| Art. 30(1) controller records | Full support with all 7 fields | Full support | Full support via data catalog | Partial — focuses on data mapping |
| Art. 30(2) processor records | Full support | Full support | Supported via custom asset types | Limited |
| Automated discovery | Data discovery module scans systems | Privacy intelligence scans | Data catalog integrations | Real-time data mapping |
| API availability | REST API with OAuth 2.0 | REST API with API key | REST API with OAuth 2.0 | REST API with API key |
| Workflow automation | Built-in approval workflows | Assessment-based workflows | Governance workflows | Request-driven workflows |
| Supervisory authority templates | CNIL, ICO, BfDI, AEPD templates | Multiple SA templates | Custom templates | Limited templates |
| Data mapping integration | Connectors for 500+ systems | Integration hub | Native data catalog connectors | 1,800+ SaaS connectors |
| Export formats | JSON, CSV, PDF, XLSX | PDF, CSV, XLSX | JSON, CSV | JSON, CSV |
| Version control | Built-in versioning and audit trail | Change log | Full lineage and version history | Basic version tracking |
| DPIA linkage | Native linkage to DPIA module | Linked assessments | Cross-reference via catalog | Limited |
OneTrust's Data Mapping module forms the foundation of its RoPA capability. Processing activities are represented as "Processing Activity" records that map directly to Art. 30(1) fields.
Integration points:
Base URL: https://helix-biotech.my.onetrust.com/api/
Authentication: OAuth 2.0 client credentials flow.
import requests
ONETRUST_BASE_URL = "https://helix-biotech.my.onetrust.com/api"
CLIENT_ID = "helix-ropa-integration"
CLIENT_SECRET_ENV = "ONETRUST_CLIENT_SECRET" # Stored in vault
def get_access_token(client_id: str, client_secret: str) -> str:
"""Obtain OAuth 2.0 access token from OneTrust."""
response = requests.post(
f"{ONETRUST_BASE_URL}/auth/oauth/token",
data={
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret,
},
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
response.raise_for_status()
return response.json()["access_token"]
Fetching processing activities:
def get_processing_activities(token: str, page: int = 0, size: int = 50) -> dict:
"""Retrieve processing activities from OneTrust Data Mapping."""
response = requests.get(
f"{ONETRUST_BASE_URL}/datasubject/v3/processingactivities",
headers={"Authorization": f"Bearer {token}"},
params={"page": page, "size": size},
)
response.raise_for_status()
return response.json()
Creating a processing activity:
def create_processing_activity(token: str, activity: dict) -> dict:
"""Create a new processing activity record in OneTrust."""
payload = {
"name": activity["processing_activity"],
"description": activity.get("description", ""),
"organizationId": activity["organization_id"],
"purposes": [
{"name": p, "legalBasis": activity.get("lawful_basis", "")}
for p in activity.get("purposes", [])
],
"dataSubjectCategories": [
{"name": c} for c in activity.get("data_subject_categories", [])
],
"dataElementCategories": [
{"name": c} for c in activity.get("personal_data_categories", [])
],
"retentionPeriod": activity.get("retention_periods", ""),
"securityMeasures": activity.get("security_measures", ""),
}
response = requests.post(
f"{ONETRUST_BASE_URL}/datasubject/v3/processingactivities",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
json=payload,
)
response.raise_for_status()
return response.json()
| Art. 30(1) Field | OneTrust Field | OneTrust Module |
|---|---|---|
| Controller identity (a) | Organization > Legal Entity | Organization Management |
| Purposes (b) | Processing Activity > Purposes | Data Mapping |
| Data subject categories (c) | Processing Activity > Data Subjects | Data Mapping |
| Personal data categories (c) | Processing Activity > Data Elements | Data Mapping |
| Recipient categories (d) | Processing Activity > Third Parties / Vendors | Data Mapping + Vendorpedia |
| International transfers (e) | Processing Activity > Transfers > Cross Border | Data Mapping |
| Retention periods (f) | Processing Activity > Retention | Data Mapping |
| Security measures (g) | Processing Activity > Security Measures | Data Mapping |
TrustArc (formerly TRUSTe) manages RoPA through its Privacy Operations Manager (PrivacyOps) module. Processing activities are documented through structured assessments that map to Art. 30 fields.
Key integration approach:
Authentication: API key-based.
TRUSTARC_BASE_URL = "https://api.trustarc.com/v1"
def get_processing_records(api_key: str, organization_id: str) -> dict:
"""Retrieve RoPA records from TrustArc PrivacyOps."""
response = requests.get(
f"{TRUSTARC_BASE_URL}/organizations/{organization_id}/processing-records",
headers={
"Authorization": f"Bearer {api_key}",
"Accept": "application/json",
},
)
response.raise_for_status()
return response.json()
def create_assessment(api_key: str, organization_id: str, assessment: dict) -> dict:
"""Create a new processing activity assessment in TrustArc."""
payload = {
"name": assessment["name"],
"type": "PROCESSING_ACTIVITY",
"templateId": assessment.get("template_id", "art30-controller"),
"assignee": assessment.get("owner_email"),
"responses": {
"purposes": assessment.get("purposes", []),
"dataSubjects": assessment.get("data_subject_categories", []),
"dataCategories": assessment.get("personal_data_categories", []),
"recipients": assessment.get("recipient_categories", []),
"transfers": assessment.get("international_transfers", []),
"retention": assessment.get("retention_periods", ""),
"securityMeasures": assessment.get("security_measures", ""),
},
}
response = requests.post(
f"{TRUSTARC_BASE_URL}/organizations/{organization_id}/assessments",
headers={
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
},
json=payload,
)
response.raise_for_status()
return response.json()
Collibra is a data intelligence platform with a governance-centric approach to RoPA. Processing activities are modelled as assets within the Collibra Data Catalog, with relationships linking them to data sets, systems, business terms, and governance policies.
Key advantages for RoPA:
COLLIBRA_BASE_URL = "https://helix-biotech.collibra.com/rest/2.0"
def get_processing_activities(token: str) -> dict:
"""Retrieve processing activity assets from Collibra."""
response = requests.get(
f"{COLLIBRA_BASE_URL}/assets",
headers={"Authorization": f"Bearer {token}"},
params={
"typeId": "processing-activity-type-id",
"limit": 100,
"offset": 0,
},
)
response.raise_for_status()
return response.json()
def create_processing_activity_asset(token: str, activity: dict) -> dict:
"""Create a processing activity asset in Collibra."""
payload = {
"name": activity["name"],
"typeId": "processing-activity-type-id",
"domainId": activity["domain_id"],
"statusId": "draft-status-id",
}
response = requests.post(
f"{COLLIBRA_BASE_URL}/assets",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
json=payload,
)
response.raise_for_status()
asset_id = response.json()["id"]
# Add attributes for each Art. 30(1) field
attributes = [
{"typeId": "purpose-attr-id", "value": "; ".join(activity.get("purposes", []))},
{"typeId": "retention-attr-id", "value": activity.get("retention_periods", "")},
{"typeId": "security-measures-attr-id", "value": activity.get("security_measures", "")},
]
for attr in attributes:
attr["assetId"] = asset_id
requests.post(
f"{COLLIBRA_BASE_URL}/attributes",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
json=attr,
)
return {"asset_id": asset_id, "name": activity["name"]}
| Art. 30(1) Field | Collibra Asset/Relation Type | Collibra Domain |
|---|---|---|
| Controller identity (a) | Business Asset > Organisation | Governance |
| Purposes (b) | Attribute on Processing Activity asset | Privacy |
| Data subject categories (c) | Related asset: Data Subject Category | Privacy |
| Personal data categories (c) | Related asset: Data Category (from Business Glossary) | Data Catalog |
| Recipient categories (d) | Relation: "shares data with" > Organisation/System | Privacy |
| International transfers (e) | Relation: "transfers to" > Geography asset | Privacy |
| Retention periods (f) | Attribute on Processing Activity asset | Privacy |
| Security measures (g) | Related asset: Security Control | IT Governance |
DataGrail focuses on real-time data mapping by connecting directly to an organisation's SaaS applications, databases, and internal systems through its integration library (1,800+ connectors). This automated discovery approach populates RoPA fields from live system metadata.
Key integration approach:
DATAGRAIL_BASE_URL = "https://api.datagrail.io/v1"
def get_data_map(api_key: str) -> dict:
"""Retrieve the live data map from DataGrail."""
response = requests.get(
f"{DATAGRAIL_BASE_URL}/data-map",
headers={
"Authorization": f"Bearer {api_key}",
"Accept": "application/json",
},
)
response.raise_for_status()
return response.json()
def get_system_inventory(api_key: str) -> dict:
"""Retrieve connected system inventory."""
response = requests.get(
f"{DATAGRAIL_BASE_URL}/systems",
headers={
"Authorization": f"Bearer {api_key}",
"Accept": "application/json",
},
)
response.raise_for_status()
return response.json()
Many organisations begin with spreadsheet-based RoPA and need to migrate to a platform. The migration process:
When multiple privacy tools are in use (e.g., Collibra for data governance and OneTrust for privacy operations), synchronise RoPA data:
| Phase | Duration | Activities | Deliverables |
|---|---|---|---|
| 1. Platform selection | 4 weeks | RFP process, vendor demos, security assessment, DPA negotiation | Selected platform, executed DPA |
| 2. Configuration | 6 weeks | Custom field setup, template creation, workflow configuration, SA template import | Configured platform |
| 3. Integration | 4 weeks | API integration with AD, ServiceNow, Vendorpedia. SSO configuration. | Working integrations |
| 4. Data migration | 3 weeks | Import existing spreadsheet RoPA, validate, establish relationships | Migrated records |
| 5. UAT and training | 2 weeks | User acceptance testing, training for DPO office and processing owners | Trained users |
| 6. Go-live | 1 week | Cut over from spreadsheet, decommission old process | Production RoPA system |
| 7. Optimisation | Ongoing | Automated discovery, advanced reporting, cross-platform sync | Mature RoPA management |