From records-of-processing-skills
Links RoPA entries to DPIAs and lawful basis assessments with cross-references, dependency tracking, and cascade updates between registers for GDPR compliance.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin records-of-processing-skillsThis skill uses the workspace's default tool permissions.
GDPR Article 35 requires a Data Protection Impact Assessment for processing likely to result in a high risk to data subjects' rights and freedoms. Article 30 requires records of all processing activities. These two obligations are interdependent: every DPIA should map to one or more RoPA entries, and every RoPA entry flagged as high-risk should reference a DPIA. This skill establishes the cross...
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
GDPR Article 35 requires a Data Protection Impact Assessment for processing likely to result in a high risk to data subjects' rights and freedoms. Article 30 requires records of all processing activities. These two obligations are interdependent: every DPIA should map to one or more RoPA entries, and every RoPA entry flagged as high-risk should reference a DPIA. This skill establishes the cross-reference system, dependency tracking mechanisms, and update cascade triggers that ensure consistency between RoPA, the DPIA register, and lawful basis assessments.
┌──────────────────────┐ ┌──────────────────────┐
│ RoPA Register │◄─────►│ DPIA Register │
│ │ │ │
│ RPA-001: Payroll │ │ DPIA-2024-PAY-001 │
│ RPA-002: Clinical │◄─────►│ DPIA-2024-ONC-04 │
│ RPA-003: Analytics │ │ (No DPIA required) │
│ ... │ │ ... │
└──────────┬───────────┘ └───────────┬───────────┘
│ │
│ ┌───────────────────┐ │
└──────►│ Lawful Basis │◄──┘
│ Register │
│ │
│ LIA-2025-GA4-001│
│ CON-2024-CT-04 │
│ ... │
└───────────────────┘
Adopt a consistent identifier format across all three registers:
| Register | ID Format | Example |
|---|---|---|
| RoPA | RPA-[NNN] | RPA-002 |
| DPIA | DPIA-[YYYY]-[CODE]-[NNN] | DPIA-2024-ONC-04 |
| Legitimate Interest Assessment | LIA-[YYYY]-[CODE]-[NNN] | LIA-2025-GA4-001 |
| Consent Record | CON-[YYYY]-[CODE]-[NNN] | CON-2024-CT-04 |
| Legal Obligation Assessment | LOA-[YYYY]-[CODE]-[NNN] | LOA-2024-TAX-001 |
| RoPA Entry | Processing Activity | DPIA Required | DPIA Reference | DPIA Status | Reason |
|---|---|---|---|---|---|
| RPA-001 | Employee payroll | No | — | — | Standard employment processing, no high-risk indicators |
| RPA-002 | Clinical trial data management | Yes | DPIA-2024-ONC-04 | Approved (2024-02-28) | Large-scale processing of health and genetic data (Art. 35(3)(b)) |
| RPA-003 | Website analytics | No | — | — | IP truncation and aggregation reduce risk below DPIA threshold |
| RPA-004 | Employee performance profiling | Yes | DPIA-2025-PERF-001 | Under review | Systematic evaluation of employees based on work performance (Art. 35(3)(a)) |
| RPA-005 | CCTV surveillance | Yes | DPIA-2024-CCTV-001 | Approved (2024-06-15) | Systematic monitoring of publicly accessible area (Art. 35(3)(c)) |
| RPA-006 | Genomic data analysis | Yes | DPIA-2025-GEN-002 | Draft | Large-scale processing of genetic data with automated profiling |
| RPA-007 | Customer CRM | No | — | — | Standard B2B customer management, no profiling |
| RPA-008 | Pharmacovigilance reporting | Yes | DPIA-2024-PV-001 | Approved (2024-04-10) | Systematic processing of health data for adverse event monitoring |
Each DPIA must reference the RoPA entry (or entries) it covers:
| DPIA Reference | DPIA Title | RoPA Entries Covered | Status |
|---|---|---|---|
| DPIA-2024-ONC-04 | Phase III Oncology Trial HBX-2025-ONC-04 | RPA-002 | Approved |
| DPIA-2025-PERF-001 | Employee Performance Analytics System | RPA-004 | Under review |
| DPIA-2024-CCTV-001 | Office CCTV Surveillance System | RPA-005 | Approved |
| DPIA-2025-GEN-002 | Personalised Medicine Genomic Analysis | RPA-006, RPA-009 | Draft |
| DPIA-2024-PV-001 | Pharmacovigilance Adverse Event Processing | RPA-008 | Approved |
When any of the following RoPA fields change, assess whether the existing DPIA remains valid or requires an update under Art. 35(11):
| RoPA Field Changed | DPIA Impact | Action Required |
|---|---|---|
| Purpose expanded or new purpose added | May increase risk profile | Re-assess DPIA necessity; update DPIA if risk changes |
| New category of data subjects (especially vulnerable groups) | Increases risk | Update DPIA risk assessment |
| New special category data processed | Increases risk substantially | Update or conduct new DPIA |
| New recipient or processor added | May change risk profile | Review DPIA data sharing risks section |
| New international transfer | Increases risk (Schrems II considerations) | Update DPIA transfer risk section |
| Retention period extended | May increase risk | Review DPIA proportionality assessment |
| Security measures reduced or changed | Directly affects risk mitigation | Update DPIA risk mitigation measures |
| Processing volume significantly increased | Scale change may trigger new DPIA threshold | Re-assess Art. 35(3)(b) large-scale criterion |
| DPIA Event | RoPA Impact | Action Required |
|---|---|---|
| New DPIA approved | RoPA entry must reference DPIA | Add DPIA reference to RoPA entry |
| DPIA identifies new risk mitigation measures | Security measures field may need update | Update Art. 30(1)(g) to reflect new measures |
| DPIA recommends purpose limitation | Purpose field may need narrowing | Update Art. 30(1)(b) to reflect restricted purpose |
| DPIA recommends reduced retention | Retention field must be updated | Update Art. 30(1)(f) with new retention period |
| DPIA recommends additional safeguards for transfers | Transfer field must be updated | Update Art. 30(1)(e) with new safeguards |
| DPIA prior consultation outcome (Art. 36) | May restrict or condition processing | Update all affected RoPA fields per SA conditions |
| DPIA rejected (processing deemed too risky) | Processing activity must not proceed | RoPA entry should not be created, or existing entry archived |
| Lawful Basis Event | RoPA Impact | DPIA Impact |
|---|---|---|
| Consent withdrawn (Art. 7(3)) | Processing must cease; RoPA entry archived or updated | DPIA risk assessment may change if consent was a mitigating factor |
| Legitimate interest challenged | LIA must be re-conducted; RoPA purpose may change | DPIA balancing test must be updated |
| New legal obligation identified | RoPA lawful basis field updated | DPIA may be less relevant if processing is legally mandated |
| Lawful basis changed (e.g., consent to legitimate interest) | RoPA purpose and lawful basis fields updated | DPIA risk profile may change; Art. 9 condition may be affected |
When a change occurs in any of the three registers, propagate checks to the linked registers:
RoPA Change Detected
│
├── Is this entry linked to a DPIA?
│ ├── Yes → Flag DPIA for review (Art. 35(11))
│ └── No → Does the change make the processing high-risk?
│ ├── Yes → Trigger DPIA necessity assessment
│ └── No → No DPIA action required
│
└── Does this change affect the lawful basis?
├── Yes → Flag lawful basis assessment for review
└── No → No lawful basis action required
DPIA Change Detected
│
├── Does the DPIA outcome change risk mitigation measures?
│ └── Yes → Update RoPA security measures field
│
├── Does the DPIA outcome change processing scope?
│ └── Yes → Update RoPA purpose, data categories, or recipients
│
└── Does the DPIA outcome affect lawful basis assessment?
└── Yes → Flag lawful basis for review
Lawful Basis Change Detected
│
├── Update RoPA lawful basis field
└── Review DPIA assumptions about lawful basis
Each RoPA entry should include the following linkage fields:
{
"record_id": "RPA-002",
"processing_activity": "Clinical trial participant data management",
"dpia_required": true,
"dpia_reference": "DPIA-2024-ONC-04",
"dpia_status": "Approved",
"dpia_approval_date": "2024-02-28",
"dpia_next_review_date": "2025-02-28",
"lawful_basis_reference": "CON-2024-CT-04",
"lawful_basis_type": "Art. 6(1)(a) consent + Art. 9(2)(a) explicit consent",
"lawful_basis_assessment_date": "2024-01-15",
"art9_condition": "Art. 9(2)(a) — explicit consent per ICH E6(R2) informed consent process",
"linked_lia": null,
"prior_consultation_required": false,
"prior_consultation_reference": null
}
Use this checklist to determine whether a RoPA entry requires a DPIA:
| Criterion | Art. 35 Reference | Applicable | Notes |
|---|---|---|---|
| Systematic and extensive profiling with significant effects | Art. 35(3)(a) | [ ] | E.g., employee performance scoring, credit scoring |
| Large-scale processing of special category or criminal data | Art. 35(3)(b) | [ ] | E.g., clinical trials, genetic analysis, health data |
| Systematic monitoring of publicly accessible area | Art. 35(3)(c) | [ ] | E.g., CCTV, public Wi-Fi tracking |
| On supervisory authority blacklist | Art. 35(4) | [ ] | Check CNIL/BfDI/ICO published blacklists |
| Evaluation or scoring | WP29 Guidelines | [ ] | Including profiling and predicting |
| Automated decision-making with legal/significant effects | WP29 Guidelines | [ ] | Art. 22 processing |
| Systematic monitoring | WP29 Guidelines | [ ] | Employee monitoring, network monitoring |
| Sensitive data or data of highly personal nature | WP29 Guidelines | [ ] | Location data, financial data, communications metadata |
| Large scale | WP29 Guidelines | [ ] | Number of data subjects, volume, geographic scope |
| Matching or combining datasets | WP29 Guidelines | [ ] | From different sources/controllers for different purposes |
| Vulnerable data subjects | WP29 Guidelines | [ ] | Children, employees, patients, elderly |
| Innovative use or applying new technology | WP29 Guidelines | [ ] | AI/ML, IoT, biometrics, blockchain |
| Transfer outside EEA | WP29 Guidelines | [ ] | Especially to countries without adequacy |
| Processing preventing data subjects from exercising a right | WP29 Guidelines | [ ] | Blocking access to a service or contract |
Rule of thumb (EDPB/WP29): If two or more of these criteria apply, a DPIA is likely required.