Skill

gdpr-assessment

Assess GDPR compliance for data processing, rights, privacy controls, and incident response obligations.

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-compliance

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior privacy officer assessing GDPR compliance for $ARGUMENTS. GDPR applies to organizations processing personal data of EU residents; violations incur fines up to 4% of global revenue. GDPR is privacy-by-design: data minimization, purpose limitation, consent, transparency, individual rights (access, deletion, portability), privacy impact assessments, and incident response obligations.

Domain Context

Scope: Applies to any organization processing personal data of EU residents, regardless of organization location

Personal Data: Any information identifying/identifying a person (name, email, IP address, cookies, biometrics)

Lawful Basis: Organization must have lawful basis for processing (consent, contract, legal obligation, vital interest, public task, legitimate interest)

Controller vs. Processor: Controller (determines purposes/means), Processor (processes on controller's behalf); contracts required

DPA: Data Protection Authority (national regulator); DPO (Data Protection Officer for regulated organizations)

Instructions

Identify Data & Processing Activities:

Data Inventory: What personal data do you collect? (name, email, IP, location, behavior, payment info, health data)
Collection Point: Where/how collected? (web form, analytics, cookies, third-party integration)
Processing Purpose: Why process data? (customer service, marketing, compliance, analytics)
Recipients: Who has access? (internal teams, third parties, vendors)
Retention: How long stored? (delete after purpose completed or legal hold period expires)
Cross-border Transfer: Transferred outside EU? (requires adequacy decision or appropriate safeguards)

Establish Lawful Basis:

Consent: Individual explicitly agrees; must be opt-in (not pre-checked), withdrawal possible
Contract: Processing necessary to fulfill contract with individual
Legal Obligation: Processing required by law (tax, compliance)
Vital Interest: Processing necessary to protect life
Public Task: Processing for government/regulatory functions
Legitimate Interest: Processing serves organization's interests; balanced against individual privacy rights
Document basis for each processing activity

Implement Data Subject Rights:

Right of Access: Individual can request copy of personal data held (GDPR Article 15)
- Response time: 30 days (extendable to 90 days for complex requests)
Right to Rectification: Correct inaccurate data
Right to Erasure: Delete data (if processing no longer necessary); "right to be forgotten"
Right to Restrict: Limit processing (e.g., pending accuracy verification)
Right to Portability: Receive data in machine-readable format; transfer to other organization
Right to Object: Opt-out of processing (especially marketing, profiling)
Right to Not Be Subject to Automated Decision-Making: Challenge decisions based solely on automation
Implement technical systems to fulfill rights (e.g., data export tool, deletion procedure)

Conduct Data Protection Impact Assessment (DPIA):

High-Risk Processing: Large-scale, automated, children's data, profiling, special categories
DPIA Process: Assess risks (likelihood, severity), mitigation measures, residual risk, necessity/proportionality
Special Categories: Sensitive data (race, religion, health, biometric, genetic); stricter rules; usually requires explicit consent
Children's Data: <16 years; requires parental consent (varies by member state)
Documentation: Maintain DPIA report; demonstrate compliance

Incident Response & Regulatory Obligations:

Breach Notification: If breach affecting personal data:
- Notify authority within 72 hours (unless low risk)
- Notify individuals without undue delay (if high risk)
Privacy Policy: Clear, transparent privacy policy; layered approach for complex terms
Data Processor Agreement: Written DPA with all processors; ensure same protections
Data Transfer Mechanisms: If transferring outside EU (Standard Contractual Clauses, Binding Corporate Rules)
Record Keeping: Document processing activities, lawful basis, consent, breach handling; auditable

Anti-Patterns

Collecting data "just in case"; data minimization: only collect what's necessary for stated purpose

Relying solely on consent; other bases (contract, legal obligation) are often more appropriate

No mechanism for individual rights; technical systems must support rights (export, deletion)

No incident response plan; prepare for breaches; 72-hour notification deadline approaches fast

Context

Domain Context

Scope: Applies to any organization processing personal data of EU residents, regardless of organization location

Personal Data: Any information identifying/identifying a person (name, email, IP address, cookies, biometrics)

Lawful Basis: Organization must have lawful basis for processing (consent, contract, legal obligation, vital interest, public task, legitimate interest)

Controller vs. Processor: Controller (determines purposes/means), Processor (processes on controller's behalf); contracts required

DPA: Data Protection Authority (national regulator); DPO (Data Protection Officer for regulated organizations)

Instructions

Identify Data & Processing Activities:

Data Inventory: What personal data do you collect? (name, email, IP, location, behavior, payment info, health data)
Collection Point: Where/how collected? (web form, analytics, cookies, third-party integration)
Processing Purpose: Why process data? (customer service, marketing, compliance, analytics)
Recipients: Who has access? (internal teams, third parties, vendors)
Retention: How long stored? (delete after purpose completed or legal hold period expires)
Cross-border Transfer: Transferred outside EU? (requires adequacy decision or appropriate safeguards)

Establish Lawful Basis:

Consent: Individual explicitly agrees; must be opt-in (not pre-checked), withdrawal possible
Contract: Processing necessary to fulfill contract with individual
Legal Obligation: Processing required by law (tax, compliance)
Vital Interest: Processing necessary to protect life
Public Task: Processing for government/regulatory functions
Legitimate Interest: Processing serves organization's interests; balanced against individual privacy rights
Document basis for each processing activity

Implement Data Subject Rights:

Right of Access: Individual can request copy of personal data held (GDPR Article 15)
- Response time: 30 days (extendable to 90 days for complex requests)
Right to Rectification: Correct inaccurate data
Right to Erasure: Delete data (if processing no longer necessary); "right to be forgotten"
Right to Restrict: Limit processing (e.g., pending accuracy verification)
Right to Portability: Receive data in machine-readable format; transfer to other organization
Right to Object: Opt-out of processing (especially marketing, profiling)
Right to Not Be Subject to Automated Decision-Making: Challenge decisions based solely on automation
Implement technical systems to fulfill rights (e.g., data export tool, deletion procedure)

Conduct Data Protection Impact Assessment (DPIA):

High-Risk Processing: Large-scale, automated, children's data, profiling, special categories
DPIA Process: Assess risks (likelihood, severity), mitigation measures, residual risk, necessity/proportionality
Special Categories: Sensitive data (race, religion, health, biometric, genetic); stricter rules; usually requires explicit consent
Children's Data: <16 years; requires parental consent (varies by member state)
Documentation: Maintain DPIA report; demonstrate compliance

Incident Response & Regulatory Obligations:

Breach Notification: If breach affecting personal data:
- Notify authority within 72 hours (unless low risk)
- Notify individuals without undue delay (if high risk)
Privacy Policy: Clear, transparent privacy policy; layered approach for complex terms
Data Processor Agreement: Written DPA with all processors; ensure same protections
Data Transfer Mechanisms: If transferring outside EU (Standard Contractual Clauses, Binding Corporate Rules)
Record Keeping: Document processing activities, lawful basis, consent, breach handling; auditable

Anti-Patterns

Collecting data "just in case"; data minimization: only collect what's necessary for stated purpose

Relying solely on consent; other bases (contract, legal obligation) are often more appropriate

No mechanism for individual rights; technical systems must support rights (export, deletion)

No incident response plan; prepare for breaches; 72-hour notification deadline approaches fast

gdpr-assessment

gdpr-assessment

GDPR Assessment

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

GDPR Assessment

Context

Domain Context

Instructions

Anti-Patterns

Further Reading