OpenSkillIndex← back to search
claude-code

Awesome-omni-skill compliance

Comprehensive compliance guide for GDPR, LGPD, and data protection regulations. Use when building systems handling personal data, especially in EU, Brazil, or regulated industries. Triggers on GDPR, LGPD, privacy, data protection, compliance, PII.

install
source · Clone the upstream repo
git clone https://github.com/diegosouzapw/awesome-omni-skill
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/tools/compliance" ~/.claude/skills/diegosouzapw-awesome-omni-skill-compliance && rm -rf "$T"
manifest: skills/tools/compliance/SKILL.md
source content

Compliance - GDPR, LGPD & Data Protection

You are a Compliance Specialist ensuring systems comply with global data protection regulations, particularly GDPR (EU) and LGPD (Brazil).

⚖️ Philosophy

"Privacy is not optional—it's a fundamental right." Non-compliance can result in fines up to 4% of global revenue (GDPR) or 2% (LGPD). Build privacy-respecting systems from day one.

🌍 Regulation Overview

RegulationRegionMax FineKey Focus
GDPREU/EEA€20M or 4% revenueConsent, Right to erasure
LGPDBrazilR$50M or 2% revenueLawful basis, Data minimization
CCPACalifornia$7,500 per violationConsumer rights, Opt-out
PIPEDACanada$100K per violationConsent, Accountability

🛡️ Core Principles (Apply to All)

1. Lawfulness, Fairness, Transparency

  • Clearly inform users what data you collect and why
  • Obtain explicit consent before processing
  • Provide easy-to-understand privacy policies

2. Purpose Limitation

  • Collect data only for specific, legitimate purposes
  • Don't repurpose data without new consent

3. Data Minimization

  • Collect only what's necessary
  • Don't ask for data "just in case"

4. Accuracy

  • Keep data up-to-date
  • Allow users to correct inaccuracies

5. Storage Limitation

  • Delete data when no longer needed
  • Implement retention policies

6. Integrity & Confidentiality

  • Encrypt data at rest and in transit
  • Implement access controls

7. Accountability

  • Document compliance measures
  • Conduct regular audits

📋 GDPR Compliance Checklist

User Rights (Must Implement)

  • Right to Access (Art. 15)

    • Users can request all data you have about them
    • Response within 1 month

  • Right to Rectification (Art. 16)

    • Users can correct inaccurate data

  • Right to Erasure ("Right to be Forgotten") (Art. 17)

    • Users can request data deletion
    • Must delete within 30 days (with exceptions)

  • Right to Data Portability (Art. 20)

    • Users can export their data in machine-readable format (JSON, CSV)

  • Right to Object (Art. 21)

    • Users can object to processing (e.g., marketing)

  • Right to Restrict Processing (Art. 18)

    • Users can pause processing while disputing accuracy

Consent Requirements

Valid Consent Must Be:

  • Freely given - Not coerced
  • Specific - Per purpose
  • Informed - Clear language
  • Unambiguous - Opt-in, not pre-ticked boxes
  • Withdrawable - Easy to revoke

Invalid Consent:

  • Pre-checked boxes
  • Bundled consent (all-or-nothing)
  • Continued service dependent on non-essential data

Implementation Example

// User consent model
interface UserConsent {
  userId: string;
  purposes: {
    essential: boolean;      // Always true (can't opt out)
    analytics: boolean;      // Optional
    marketing: boolean;      // Optional
    thirdPartySharing: boolean; // Optional
  };
  consentedAt: Date;
  ipAddress: string;         // Proof of consent
  userAgent: string;
  version: string;           // Privacy policy version
}

// Consent API
app.post('/api/consent', async (req, res) => {
  const consent = await db.consent.create({
    data: {
      userId: req.user.id,
      purposes: req.body.purposes,
      consentedAt: new Date(),
      ipAddress: req.ip,
      userAgent: req.headers['user-agent'],
      version: PRIVACY_POLICY_VERSION,
    },
  });
  
  res.json({ success: true });
});

Data Subject Request Handling

// Right to Access - Export user data
app.get('/api/users/me/export', async (req, res) => {
  const userData = {
    profile: await db.user.findUnique({ where: { id: req.user.id } }),
    orders: await db.order.findMany({ where: { userId: req.user.id } }),
    payments: await db.payment.findMany({ where: { userId: req.user.id } }),
    consents: await db.consent.findMany({ where: { userId: req.user.id } }),
    loginHistory: await db.loginLog.findMany({ where: { userId: req.user.id } }),
  };
  
  // Redact sensitive data (e.g., hashed passwords)
  delete userData.profile.password;
  
  res.json(userData);
});

// Right to Erasure - Delete user data
app.delete('/api/users/me', async (req, res) => {
  const userId = req.user.id;
  
  // Soft delete or anonymize (depends on legal obligations)
  await db.$transaction([
    db.user.update({
      where: { id: userId },
      data: {
        email: `deleted_${userId}@anonymized.com`,
        name: 'Deleted User',
        phone: null,
        deletedAt: new Date(),
      },
    }),
    db.order.updateMany({
      where: { userId },
      data: { userId: null }, // Anonymize orders
    }),
  ]);
  
  res.json({ success: true, message: 'Account deleted' });
});

🇧🇷 LGPD Compliance (Brazil)

Key Differences from GDPR

AspectGDPRLGPD
ScopeEU residentsBrazil residents or data processed in Brazil
Fines€20M or 4%R$50M or 2%
DPORequired for high-riskRequired for any processing
ChildrenUnder 16 (or 13-16 with member state law)Under 18
Legal Basis6 bases10 bases (includes "legitimate interest")

LGPD-Specific Requirements

  1. Data Protection Officer (DPO) - Mandatory

    • Must have a designated DPO (Encarregado)
    • DPO contact must be public
    • DPO communicates with ANPD (Brazilian authority)

  2. Data Processing Report

    • Document all processing activities
    • Include purpose, legal basis, retention period

  3. Children's Data (Under 18)

    • Requires explicit parental consent
    • Cannot use children's data for marketing

Implementation

// LGPD: DPO contact info (must be public)
app.get('/api/dpo', (req, res) => {
  res.json({
    name: 'Data Protection Officer',
    email: 'dpo@company.com',
    phone: '+55 11 1234-5678',
  });
});

// LGPD: Legal basis documentation
interface DataProcessingRecord {
  purpose: string;
  legalBasis: 'consent' | 'legitimate_interest' | 'contract' | 'legal_obligation';
  dataTypes: string[];
  retentionPeriod: string;
  sharedWith: string[];
  transferredOutsideBrazil: boolean;
}

🔐 Technical Implementation Guide

1. Data Classification

Classify all data by sensitivity:

enum DataSensitivity {
  PUBLIC = 'public',           // Name, company
  INTERNAL = 'internal',       // Employee ID, department
  CONFIDENTIAL = 'confidential', // Email, phone
  RESTRICTED = 'restricted',   // SSN, credit card, health data
}

interface DataField {
  name: string;
  sensitivity: DataSensitivity;
  retention: string;           // "2 years", "indefinite"
  encryptionRequired: boolean;
}

2. Encryption

Encrypt at Rest:

// Database-level encryption (PostgreSQL)
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
  id UUID PRIMARY KEY,
  email TEXT NOT NULL,
  ssn TEXT,  -- Encrypted column
  ssn_encrypted BYTEA GENERATED ALWAYS AS (
    pgp_sym_encrypt(ssn, current_setting('app.encryption_key'))
  ) STORED
);

// Application-level encryption
import { createCipheriv, createDecipheriv } from 'crypto';

function encrypt(text: string, key: string): string {
  const iv = crypto.randomBytes(16);
  const cipher = createCipheriv('aes-256-gcm', Buffer.from(key, 'hex'), iv);
  const encrypted = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const authTag = cipher.getAuthTag();
  return `${iv.toString('hex')}:${encrypted.toString('hex')}:${authTag.toString('hex')}`;
}

Encrypt in Transit:

  • Always use HTTPS (TLS 1.3)
  • HSTS headers
  • Certificate pinning for mobile apps

3. Data Retention & Deletion

// Retention policy enforcement
interface RetentionPolicy {
  dataType: string;
  retentionPeriod: number; // days
  deletionMethod: 'hard' | 'soft' | 'anonymize';
}

const policies: RetentionPolicy[] = [
  { dataType: 'inactive_users', retentionPeriod: 730, deletionMethod: 'soft' },
  { dataType: 'login_logs', retentionPeriod: 90, deletionMethod: 'hard' },
  { dataType: 'order_history', retentionPeriod: 2555, deletionMethod: 'anonymize' }, // 7 years
];

// Scheduled job (run daily)
async function enforceRetentionPolicies() {
  for (const policy of policies) {
    const cutoffDate = new Date();
    cutoffDate.setDate(cutoffDate.getDate() - policy.retentionPeriod);
    
    if (policy.deletionMethod === 'hard') {
      await db[policy.dataType].deleteMany({
        where: { createdAt: { lt: cutoffDate } },
      });
    } else if (policy.deletionMethod === 'anonymize') {
      await db[policy.dataType].updateMany({
        where: { createdAt: { lt: cutoffDate } },
        data: { userId: null, email: null, name: 'Anonymized' },
      });
    }
  }
}

4. Audit Logging

Track all access to personal data:

interface AuditLog {
  timestamp: Date;
  userId: string;
  action: 'read' | 'create' | 'update' | 'delete';
  resource: string;
  resourceId: string;
  ipAddress: string;
  result: 'success' | 'failure';
}

// Middleware for audit logging
app.use(async (req, res, next) => {
  const originalJson = res.json.bind(res);
  
  res.json = (body) => {
    // Log after response
    db.auditLog.create({
      data: {
        timestamp: new Date(),
        userId: req.user?.id,
        action: req.method.toLowerCase(),
        resource: req.path,
        resourceId: req.params.id,
        ipAddress: req.ip,
        result: res.statusCode < 400 ? 'success' : 'failure',
      },
    });
    
    return originalJson(body);
  };
  
  next();
});

🌐 Cross-Border Data Transfers

GDPR Requirements

Data transfers outside EU/EEA require:

  1. Adequacy Decision (EU Commission approved countries: UK, Japan, etc.)
  2. Standard Contractual Clauses (SCCs)
  3. Binding Corporate Rules (BCRs)
  4. Explicit Consent

LGPD Requirements

Data transfers outside Brazil require:

  1. Adequacy Decision by ANPD
  2. Standard Contractual Clauses
  3. Explicit Consent
  4. Certification/Seals

Implementation

// Document data transfer locations
interface DataTransfer {
  provider: string;
  location: string;
  purpose: string;
  safeguard: 'SCC' | 'adequacy_decision' | 'consent';
  sccVersion?: string;
}

const dataTransfers: DataTransfer[] = [
  {
    provider: 'AWS',
    location: 'us-east-1',
    purpose: 'Cloud hosting',
    safeguard: 'SCC',
    sccVersion: '2021/914',
  },
  {
    provider: 'SendGrid',
    location: 'United States',
    purpose: 'Email delivery',
    safeguard: 'SCC',
  },
];

📝 Privacy Policy Requirements

Your privacy policy MUST include:

  • Identity and contact details of controller
  • DPO contact details
  • Purposes of processing
  • Legal basis for processing
  • Recipients of data (third parties)
  • Data retention periods
  • User rights (access, erasure, etc.)
  • Right to lodge complaint with authority
  • Whether data is transferred outside EU/Brazil
  • Cookie policy

Example Privacy Policy Structure

# Privacy Policy

## 1. Data Controller
Company Name
Address
Email: privacy@company.com
DPO: dpo@company.com

## 2. Data We Collect
- Account data: email, name, password (hashed)
- Usage data: IP address, device info, cookies
- Payment data: processed by Stripe (we don't store card numbers)

## 3. Legal Basis
- Contract: to provide our service
- Consent: for marketing emails
- Legitimate interest: fraud prevention

## 4. Data Retention
- Active accounts: indefinitely
- Inactive accounts: deleted after 2 years
- Logs: 90 days

## 5. Your Rights
You have the right to:
- Access your data
- Correct inaccuracies
- Request deletion
- Export your data
- Withdraw consent

## 6. Third Parties
- AWS (hosting) - USA
- SendGrid (email) - USA
- Stripe (payments) - USA

## 7. Cookies
We use cookies for authentication and analytics. You can disable non-essential cookies in settings.

## 8. Contact
For privacy requests: privacy@company.com
To lodge a complaint: [Link to supervisory authority]

🚨 Breach Notification

GDPR: 72-Hour Rule

If a data breach occurs:

  1. Within 72 hours: Notify supervisory authority
  2. Without undue delay: Notify affected users (if high risk)

What to Include:

  • Nature of the breach
  • Categories and number of affected users
  • Likely consequences
  • Measures taken to address breach

Implementation

// Breach notification system
interface BreachReport {
  discoveredAt: Date;
  nature: string;
  affectedUsers: number;
  dataTypes: string[];
  actions: string[];
  risk: 'low' | 'medium' | 'high';
}

async function reportBreach(breach: BreachReport) {
  // Log internally
  await db.breachLog.create({ data: breach });
  
  // If high risk, notify users
  if (breach.risk === 'high') {
    const affectedUsers = await db.user.findMany({
      where: { id: { in: breach.affectedUserIds } },
    });
    
    for (const user of affectedUsers) {
      await sendBreachNotification(user.email, breach);
    }
  }
  
  // Notify supervisory authority (within 72 hours)
  if (Date.now() - breach.discoveredAt.getTime() < 72 * 60 * 60 * 1000) {
    await notifySupervisoryAuthority(breach);
  }
}

🎯 Compliance Checklist

Essential (Do First)

  • Appoint Data Protection Officer (LGPD mandatory)
  • Create privacy policy (public, easy to find)
  • Implement consent management system
  • Enable user data export (JSON format)
  • Enable user data deletion
  • Encrypt sensitive data (at rest and in transit)
  • Implement access controls (role-based)
  • Set up audit logging
  • Document data retention policies
  • Create breach response plan

Important (Do Soon)

  • Conduct Data Protection Impact Assessment (DPIA)
  • Map all data flows (where data goes)
  • Review third-party processors (DPAs signed)
  • Implement cookie consent banner
  • Train staff on data protection
  • Regular security audits
  • Penetration testing
  • Anonymize analytics data

Advanced (Nice to Have)

  • Privacy by design in all new features
  • Automated compliance checks in CI/CD
  • Data minimization reviews
  • Regular DPIA updates
  • Obtain ISO 27001 certification
  • Implement Privacy Enhancing Technologies (PETs)

🔍 Compliance Testing

// Automated compliance tests
describe('GDPR Compliance', () => {
  it('should export user data in JSON format', async () => {
    const response = await request(app)
      .get('/api/users/me/export')
      .set('Authorization', `Bearer ${token}`);
    
    expect(response.status).toBe(200);
    expect(response.body).toHaveProperty('profile');
    expect(response.body).toHaveProperty('orders');
  });
  
  it('should delete user data on request', async () => {
    const response = await request(app)
      .delete('/api/users/me')
      .set('Authorization', `Bearer ${token}`);
    
    expect(response.status).toBe(200);
    
    const user = await db.user.findUnique({ where: { id: userId } });
    expect(user.email).toContain('@anonymized.com');
  });
  
  it('should require explicit consent for marketing', async () => {
    const response = await request(app)
      .post('/api/consent')
      .send({ purposes: { marketing: true } });
    
    expect(response.status).toBe(200);
    
    const consent = await db.consent.findFirst({ where: { userId } });
    expect(consent.purposes.marketing).toBe(true);
  });
});

📚 Resources

⚠️ Disclaimer

This guide provides technical implementation advice but is not legal advice. Always consult with qualified data protection lawyers before deploying to production, especially for regulated industries (healthcare, finance).

Golden Rule: Privacy is not a feature—it's a foundation. Build it in from day one.