Vibeship-spawner-skills gdpr-privacy

id: gdpr-privacy

install
source · Clone the upstream repo
git clone https://github.com/vibeforge1111/vibeship-spawner-skills
manifest: legal/gdpr-privacy/skill.yaml
source content

id: gdpr-privacy
name: GDPR Privacy Compliance
category: legal
description: >-
  Use when implementing GDPR compliance, handling data subject requests,
  conducting DPIAs, managing consent, or responding to data breaches.
  Covers the core GDPR requirements a development team has to build for.

patterns:
  golden_rules:
    - rule: "Lawful basis first"
      reason: "No processing without legal justification"
    - rule: "Purpose limitation"
      reason: "Only use data for stated purposes"
    - rule: "Data minimization"
      reason: "Collect only what's necessary"
    - rule: "Privacy by design"
      reason: "Build compliance into systems"
    - rule: "Document everything"
      reason: "Accountability requires records"

legal_bases:
  consent:
    requirements:
      - "Freely given"
      - "Specific"
      - "Informed"
      - "Unambiguous"
      - "Easy to withdraw"
    use_when: "No other basis applies and the user has a genuine choice"
  contract:
    requirements:
      - "Processing necessary for the contract"
      - "Data subject is party to the contract"
    use_when: "Fulfilling contractual obligations"
  legal_obligation:
    requirements:
      - "Required by EU or member state law"
      - "Document the legal requirement"
    use_when: "Tax records, employment law, AML"
  vital_interests:
    requirements:
      - "Life or death situation"
      - "No other basis available"
    use_when: "Medical emergencies only"
  public_task:
    requirements:
      - "Official authority or public interest"
      - "Basis in law"
    use_when: "Government functions"
  legitimate_interests:
    requirements:
      - "Conduct an LIA (Legitimate Interests Assessment)"
      - "Balance against data subject rights"
      - "Document the assessment"
    use_when: "Business need, fraud prevention, security"

data_subject_rights:
  default_timeline: "1 month from receipt (Art. 12(3)); extendable by 2 further months for complex or numerous requests, and the data subject must be told of the extension within the first month"
  access:
    timeline: "1 month"
    response: "Provide a copy of the data being processed, plus the purposes, recipients and retention period"
  rectification:
    timeline: "1 month"
    response: "Correct inaccurate data and complete incomplete data"
  erasure:
    timeline: "1 month"
    exceptions:
      - "Legal obligation"
      - "Public interest"
      - "Legal claims"
  portability:
    timeline: "1 month"
    format: "Structured, commonly used, machine-readable (JSON, CSV)"
    scope: "Only data the subject provided, processed by automated means under consent or contract"
  objection:
    timeline: "1 month to respond; for direct marketing stop immediately and unconditionally"
    effect: "Stop the processing unless you can show compelling legitimate grounds that override the data subject's interests"
  restriction:
    timeline: "1 month"
    effect: "Store the data but do not otherwise process it"

breach_response:
  timeline:
    detection: "Immediately log and assess"
    authority_notification: "Within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; a later notification must state the reasons for the delay"
    data_subject_notification: "Without undue delay if the breach is likely to result in a high risk to individuals"
    record: "Log every breach in an internal register, including those not notified"
  assessment_criteria:
    - "Type of data affected"
    - "Number of individuals"
    - "Severity of consequences"
    - "Likelihood of harm"

anti_patterns:
  - pattern: "Consent for everything"
    problem: "Often not freely given"
    solution: "Use the appropriate legal basis"
  - pattern: "Dark patterns for consent"
    problem: "Not freely given"
    solution: "Equal prominence for accept and reject"
  - pattern: "Bundled consent"
    problem: "Not specific"
    solution: "Granular consent options"
  - pattern: "Pre-ticked boxes"
    problem: "Not unambiguous"
    solution: "Require affirmative action"
  - pattern: "Ignoring DSR deadlines"
    problem: "Regulatory violation"
    solution: "Automated tracking and alerts"
  - pattern: "No data retention policy"
    problem: "Storage limitation violation"
    solution: "Define and enforce retention periods"

implementation_checklist:
  data_mapping:
    - "Identify all personal data processed"
    - "Document purposes for each data type"
    - "Map data flows between systems"
    - "Identify third-party transfers"
  ropa:
    - "Create a Record of Processing Activities"
    - "Include all Article 30 requirements"
    - "Review and update quarterly"
  dpia:
    - "Identify high-risk processing"
    - "Conduct the DPIA before processing starts"
    - "Consult the DPO; consult the supervisory authority (Art. 36) if a high residual risk remains"
  consent:
    - "Design clear consent mechanisms"
    - "Record each consent with timestamp, version of the notice shown, and what was agreed to"
    - "Provide withdrawal that is as easy as giving consent"
  dsr:
    - "Implement a DSR intake process"
    - "Verify identity before responding"
    - "Track deadlines and responses"
  breach:
    - "Create a breach response plan"
    - "Train staff on detection"
    - "Prepare notification templates"

handoffs:
  - skill: contract-analysis
    trigger: "data processing agreements"
  - skill: sox-compliance
    trigger: "audit and control requirements"

ecosystem:
  tools:
    - "OneTrust - Privacy management"
    - "TrustArc - Compliance automation"
    - "BigID - Data discovery"
    - "Securiti.ai - DSR automation"
  frameworks:
    - "NIST Privacy Framework"
    - "ISO 27701"

sources:
  regulations:
    - "GDPR Official Text"
    - "EDPB Guidelines"
    - "ICO Guidance"
  tutorials:
    - "IAPP GDPR Resources"
    - "CNIL GDPR Guide"