Claude-Skills privacy-compliance

install

source · Clone the upstream repo

git clone https://github.com/borghei/Claude-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/legal/privacy-compliance" ~/.claude/skills/borghei-claude-skills-privacy-compliance && rm -rf "$T"

manifest: legal/privacy-compliance/SKILL.md

source content

⚠️ EXPERIMENTAL — This skill is provided for educational and informational purposes only. It does NOT constitute legal advice. All responsibility for usage rests with the user. Consult qualified legal professionals before acting on any output.

Privacy Compliance Navigator

Tools and guidance for multi-regulation privacy compliance across 9 major global privacy frameworks, DPA review, and data subject request lifecycle management.

Tools
- Privacy Regulation Checker
- DSR Tracker
Reference Guides
Workflows
Troubleshooting
Success Criteria
Scope & Limitations
Anti-Patterns
Tool Reference

Tools

Privacy Regulation Checker

Determines which privacy regulations apply to an organization based on its location, data subjects, data types, and processing activities. Generates a compliance obligations matrix and flags gaps.

# Basic check — organization in Germany processing EU and US data
python scripts/privacy_regulation_checker.py \
  --org-location DE \
  --data-subjects EU,US \
  --data-types personal,sensitive,financial \
  --processing-activities marketing,analytics,hr

# JSON output for integration
python scripts/privacy_regulation_checker.py \
  --org-location SG \
  --data-subjects SG,AU,CN \
  --data-types personal,health \
  --processing-activities healthcare,research \
  --json

# Include gap analysis against current practices
python scripts/privacy_regulation_checker.py \
  --org-location US-CA \
  --data-subjects EU,US,BR \
  --data-types personal,biometric \
  --processing-activities ecommerce,profiling \
  --current-practices consent_mechanism,breach_process,retention_policy

Determines:

Which of 9 regulations apply based on territorial scope rules
Key obligations per applicable regulation
Data subject rights required per regulation
Response timelines per regulation
Gap analysis when current practices are provided

Output:

Applicable regulations list with confidence level
Per-regulation obligations matrix
Gap analysis with risk ratings
Recommended priority actions

DSR Tracker

Manages Data Subject Request lifecycle across multiple regulations with deadline calculation, status tracking, and overdue alerts.

# Add a new GDPR access request
python scripts/dsr_tracker.py add \
  --type access --regulation gdpr \
  --subject "Jane Smith" --email "jane@example.com"

# Add CCPA deletion request
python scripts/dsr_tracker.py add \
  --type deletion --regulation ccpa \
  --subject "John Doe" --email "john@example.com"

# List all open requests
python scripts/dsr_tracker.py list

# List overdue requests only
python scripts/dsr_tracker.py list --overdue

# Update request status
python scripts/dsr_tracker.py update --id DSR-0001 --status verified

# Dashboard view with time remaining
python scripts/dsr_tracker.py dashboard

# Export as JSON
python scripts/dsr_tracker.py dashboard --json

Supported Request Types:

Type	GDPR Art.	CCPA Section	LGPD Art.
Access	Art. 15	§1798.100	Art. 18
Deletion/Erasure	Art. 17	§1798.105	Art. 18(VI)
Correction/Rectification	Art. 16	§1798.106	Art. 18(III)
Portability	Art. 20	§1798.130	Art. 18(V)
Restriction	Art. 18	—	Art. 18(IV)
Objection	Art. 21	§1798.120	Art. 18(IV)
Automated Decision Opt-Out	Art. 22	§1798.185	Art. 20
Withdraw Consent	Art. 7(3)	—	Art. 18(IX)

Deadline Calculation:

Regulation	Initial Deadline	Extension	Extension Deadline
GDPR	30 calendar days	+60 days (complex)	90 calendar days
CCPA	10 business days (ack) + 45 calendar days	+45 days	90 calendar days
LGPD	15 calendar days	—	—
POPIA	30 calendar days	—	—
PIPEDA	30 calendar days	+30 days	60 calendar days
PDPA (SG)	30 calendar days	—	—
Privacy Act (AU)	30 calendar days	+30 days	60 calendar days
PIPL	15 calendar days	+15 days	30 calendar days
UK GDPR	30 calendar days	+60 days	90 calendar days

Statuses: received → verified → processing → completed | denied | extended

Reference Guides

Global Privacy Regulations

references/global_privacy_regulations.md

Comprehensive comparison of 9 major privacy regulations covering:

Territorial scope and applicability criteria
Legal bases for processing
Data subject rights comparison matrix
Breach notification requirements and timelines
Cross-border transfer mechanisms
DPO requirements
Penalty structures

DPA Review Checklist

references/dpa_review_checklist.md

Complete Data Processing Agreement review guide:

Art. 28 GDPR required elements
10 processor obligations with analysis points
International transfer mechanisms (SCCs June 2021, module selection)
Transfer impact assessment requirements
Common DPA issues with risk levels
Practical negotiation considerations

DSR Handling Guide

references/dsr_handling_guide.md

Data Subject Request handling reference:

8 request types with intake procedures
Identity verification methods
Response timelines per regulation
Exemptions by regulation
6-step response process
Regulatory monitoring approach

Workflows

Workflow 1: Regulation Applicability Assessment

Step 1: Identify organization parameters
        → Location, data subjects, data types, processing activities

Step 2: Run regulation checker
        → python scripts/privacy_regulation_checker.py --org-location [LOC] ...

Step 3: Review applicable regulations and obligations
        → Prioritize by risk (penalties, data volume, enforcement activity)

Step 4: Gap analysis against current practices
        → Re-run with --current-practices flag

Step 5: Build remediation roadmap
        → Address critical gaps first (missing legal basis, no breach process)

Workflow 2: Data Subject Request Handling

Step 1: Receive and log request
        → python scripts/dsr_tracker.py add --type [type] --regulation [reg] ...

Step 2: Verify identity (proportionate to sensitivity)
        → See references/dsr_handling_guide.md for methods
        → python scripts/dsr_tracker.py update --id [ID] --status verified

Step 3: Gather data from all systems
        → python scripts/dsr_tracker.py update --id [ID] --status processing

Step 4: Apply exemptions if applicable
        → Check references/dsr_handling_guide.md exemptions table

Step 5: Prepare and send response within deadline
        → python scripts/dsr_tracker.py update --id [ID] --status completed

Step 6: Monitor dashboard for overdue requests
        → python scripts/dsr_tracker.py dashboard

Workflow 3: DPA Review

Step 1: Check DPA against Art. 28 required elements
        → Use references/dpa_review_checklist.md

Step 2: Verify processor obligations (10 items)
        → Sub-processing, deletion, audit rights, etc.

Step 3: Assess international transfer provisions
        → SCC module selection (C2P, C2C, P2P, P2C)
        → Transfer impact assessment
        → Supplementary measures

Step 4: Review practical considerations
        → Liability caps, insurance, termination, data locations

Step 5: Document findings and negotiate amendments

Workflow 4: Multi-Regulation Compliance Program

Step 1: Run regulation checker for full scope
        → python scripts/privacy_regulation_checker.py [params]

Step 2: Map overlapping obligations across regulations
        → Use references/global_privacy_regulations.md comparison matrix

Step 3: Build unified controls (satisfy strictest requirement)
        → GDPR-first approach covers most other regulations

Step 4: Layer regulation-specific requirements
        → CCPA opt-out mechanisms, LGPD DPO, PIPL localization

Step 5: Monitor regulatory changes
        → See references/dsr_handling_guide.md monitoring approach

Troubleshooting

Problem	Possible Cause	Resolution
Regulation checker flags unexpected regulation	Data subjects in jurisdiction not considered	Review data flow maps; even indirect data collection (analytics, cookies) can trigger territorial scope
DSR deadline missed	Request not logged promptly or status not updated	Implement intake SLA (log within 24 hours); use dashboard daily for overdue alerts
DPA missing Art. 28 elements	Template from processor is incomplete	Use DPA review checklist to identify gaps; require amendments before signing
Cross-border transfer mechanism unclear	Multiple transfer layers (controller → processor → sub-processor)	Map full data flow chain; each transfer leg needs its own mechanism
Conflicting obligations across regulations	Retention vs. deletion requirements differ	Document conflicts; apply strictest obligation unless local law mandates otherwise; seek legal counsel
Identity verification proportionality unclear	Over-verification deters legitimate requests	Match verification to risk: low-risk data = email confirmation; high-risk = ID verification

Success Criteria

All applicable regulations identified and mapped — regulation checker confirms coverage with zero unaddressed jurisdictions where data subjects reside
100% of DSRs responded within statutory deadlines — dashboard shows zero overdue requests; extension documented where used
DPAs reviewed against Art. 28 checklist before signing — all 10 processor obligations addressed; international transfer mechanisms validated
Compliance matrix maintained and current — quarterly review of obligations per regulation with change log
Regulatory monitoring active — escalation criteria defined; new regulation applicability assessed within 30 days of enactment

Scope & Limitations

In Scope:

Applicability assessment for 9 major privacy regulations
Data subject request tracking with multi-regulation deadline calculation
DPA review against Art. 28 GDPR requirements
Cross-regulation obligation mapping
Gap analysis against current practices
International transfer mechanism assessment

Out of Scope:

Legal advice on specific legal basis selection — consult qualified privacy counsel
Supervisory authority filings or breach notifications
Cookie consent implementation or consent management platform configuration
Binding Corporate Rules (BCR) application process
Sector-specific regulations (HIPAA, FERPA, GLBA) beyond the 9 covered frameworks
Data Protection Impact Assessments (see
```
dpia-assessment
```
skill)

Anti-Patterns

Anti-Pattern	Why It Fails	Better Approach
GDPR-only compliance	Organizations assume GDPR covers all obligations; miss CCPA opt-out requirements, LGPD DPO mandate, PIPL data localization	Run regulation checker against all jurisdictions where data subjects reside; layer regulation-specific controls
One-size-fits-all DSR process	Applying GDPR 30-day timeline to all regulations misses CCPA 10-business-day acknowledgment or PIPL 15-day deadline	Configure per-regulation deadlines; use DSR tracker with regulation parameter for accurate deadline calculation
Ignoring sub-processor chains in DPA review	DPA covers direct processor but sub-processors transfer data to third countries without TIA	Map full processing chain in DPA review; require Art. 28(2) sub-processor obligations; validate each transfer leg
Treating privacy as a one-time project	Regulations evolve; new laws enacted; enforcement priorities shift	Implement regulatory monitoring with escalation criteria; quarterly compliance reviews

Tool Reference

privacy_regulation_checker.py

Determines applicable privacy regulations and maps obligations based on organization parameters.

Flag	Required	Description
`--org-location <code>`	Yes	Organization headquarters (ISO country code, e.g., DE, US-CA, SG)
`--data-subjects <list>`	Yes	Comma-separated locations of data subjects (EU, US, BR, ZA, CA, SG, AU, CN, UK)
`--data-types <list>`	Yes	Comma-separated data types (personal, sensitive, financial, health, biometric, children)
`--processing-activities <list>`	Yes	Comma-separated activities (marketing, analytics, hr, ecommerce, profiling, healthcare, research)
`--current-practices <list>`	No	Comma-separated current practices for gap analysis
`--json`	No	Output in JSON format

dsr_tracker.py

Tracks Data Subject Request lifecycle with multi-regulation deadline calculation.

Subcommand	Description
`add`	Add new DSR ( `--type` , `--regulation` , `--subject` , `--email` required)
`list`	List all requests ( `--overdue` for overdue only)
`update`	Update request status ( `--id` , `--status` required)
`dashboard`	Show dashboard with time remaining and alerts

Flag	Description
`--type <type>`	Request type: access, deletion, correction, portability, restriction, objection, automated_decision, withdraw_consent
`--regulation <reg>`	Regulation: gdpr, ccpa, lgpd, popia, pipeda, pdpa, privacy_act_au, pipl, uk_gdpr
`--subject <name>`	Data subject name
`--email <email>`	Data subject email
`--id <id>`	Request ID (e.g., DSR-0001)
`--status <status>`	Status: received, verified, processing, completed, denied, extended
`--overdue`	Filter to overdue requests only
`--json`	Output in JSON format
`--data-file <path>`	Custom data file path (default: dsr_requests.json)