privacy-compliance
Installation
SKILL.md
⚠️ EXPERIMENTAL — This skill is provided for educational and informational purposes only. It does NOT constitute legal advice. All responsibility for usage rests with the user. Consult qualified legal professionals before acting on any output.
Privacy Compliance Navigator
Tools and guidance for multi-regulation privacy compliance across 9 major global privacy frameworks, DPA review, and data subject request lifecycle management.
Table of Contents
- Tools
- Reference Guides
- Workflows
- Troubleshooting
- Success Criteria
- Scope & Limitations
- Anti-Patterns
- Tool Reference
Tools
Privacy Regulation Checker
Determines which privacy regulations apply to an organization based on its location, data subjects, data types, and processing activities. Generates a compliance obligations matrix and flags gaps.
# Basic check — organization in Germany processing EU and US data
python scripts/privacy_regulation_checker.py \
--org-location DE \
--data-subjects EU,US \
--data-types personal,sensitive,financial \
--processing-activities marketing,analytics,hr
# JSON output for integration
python scripts/privacy_regulation_checker.py \
--org-location SG \
--data-subjects SG,AU,CN \
--data-types personal,health \
--processing-activities healthcare,research \
--json
# Include gap analysis against current practices
python scripts/privacy_regulation_checker.py \
--org-location US-CA \
--data-subjects EU,US,BR \
--data-types personal,biometric \
--processing-activities ecommerce,profiling \
--current-practices consent_mechanism,breach_process,retention_policy
Determines:
- Which of 9 regulations apply based on territorial scope rules
- Key obligations per applicable regulation
- Data subject rights required per regulation
- Response timelines per regulation
- Gap analysis when current practices are provided
Output:
- Applicable regulations list with confidence level
- Per-regulation obligations matrix
- Gap analysis with risk ratings
- Recommended priority actions
DSR Tracker
Manages Data Subject Request lifecycle across multiple regulations with deadline calculation, status tracking, and overdue alerts.
# Add a new GDPR access request
python scripts/dsr_tracker.py add \
--type access --regulation gdpr \
--subject "Jane Smith" --email "jane@example.com"
# Add CCPA deletion request
python scripts/dsr_tracker.py add \
--type deletion --regulation ccpa \
--subject "John Doe" --email "john@example.com"
# List all open requests
python scripts/dsr_tracker.py list
# List overdue requests only
python scripts/dsr_tracker.py list --overdue
# Update request status
python scripts/dsr_tracker.py update --id DSR-0001 --status verified
# Dashboard view with time remaining
python scripts/dsr_tracker.py dashboard
# Export as JSON
python scripts/dsr_tracker.py dashboard --json
Supported Request Types:
| Type | GDPR Art. | CCPA Section | LGPD Art. |
|---|---|---|---|
| Access | Art. 15 | §1798.100 | Art. 18 |
| Deletion/Erasure | Art. 17 | §1798.105 | Art. 18(VI) |
| Correction/Rectification | Art. 16 | §1798.106 | Art. 18(III) |
| Portability | Art. 20 | §1798.130 | Art. 18(V) |
| Restriction | Art. 18 | — | Art. 18(IV) |
| Objection | Art. 21 | §1798.120 | Art. 18(IV) |
| Automated Decision Opt-Out | Art. 22 | §1798.185 | Art. 20 |
| Withdraw Consent | Art. 7(3) | — | Art. 18(IX) |
Deadline Calculation:
| Regulation | Initial Deadline | Extension | Extension Deadline |
|---|---|---|---|
| GDPR | 30 calendar days | +60 days (complex) | 90 calendar days |
| CCPA | 10 business days (ack) + 45 calendar days | +45 days | 90 calendar days |
| LGPD | 15 calendar days | — | — |
| POPIA | 30 calendar days | — | — |
| PIPEDA | 30 calendar days | +30 days | 60 calendar days |
| PDPA (SG) | 30 calendar days | — | — |
| Privacy Act (AU) | 30 calendar days | +30 days | 60 calendar days |
| PIPL | 15 calendar days | +15 days | 30 calendar days |
| UK GDPR | 30 calendar days | +60 days | 90 calendar days |
Statuses: received → verified → processing → completed | denied | extended
Reference Guides
Global Privacy Regulations
references/global_privacy_regulations.md
Comprehensive comparison of 9 major privacy regulations covering:
- Territorial scope and applicability criteria
- Legal bases for processing
- Data subject rights comparison matrix
- Breach notification requirements and timelines
- Cross-border transfer mechanisms
- DPO requirements
- Penalty structures
DPA Review Checklist
references/dpa_review_checklist.md
Complete Data Processing Agreement review guide:
- Art. 28 GDPR required elements
- 10 processor obligations with analysis points
- International transfer mechanisms (SCCs June 2021, module selection)
- Transfer impact assessment requirements
- Common DPA issues with risk levels
- Practical negotiation considerations
DSR Handling Guide
references/dsr_handling_guide.md
Data Subject Request handling reference:
- 8 request types with intake procedures
- Identity verification methods
- Response timelines per regulation
- Exemptions by regulation
- 6-step response process
- Regulatory monitoring approach
Workflows
Workflow 1: Regulation Applicability Assessment
Step 1: Identify organization parameters
→ Location, data subjects, data types, processing activities
Step 2: Run regulation checker
→ python scripts/privacy_regulation_checker.py --org-location [LOC] ...
Step 3: Review applicable regulations and obligations
→ Prioritize by risk (penalties, data volume, enforcement activity)
Step 4: Gap analysis against current practices
→ Re-run with --current-practices flag
Step 5: Build remediation roadmap
→ Address critical gaps first (missing legal basis, no breach process)
Workflow 2: Data Subject Request Handling
Step 1: Receive and log request
→ python scripts/dsr_tracker.py add --type [type] --regulation [reg] ...
Step 2: Verify identity (proportionate to sensitivity)
→ See references/dsr_handling_guide.md for methods
→ python scripts/dsr_tracker.py update --id [ID] --status verified
Step 3: Gather data from all systems
→ python scripts/dsr_tracker.py update --id [ID] --status processing
Step 4: Apply exemptions if applicable
→ Check references/dsr_handling_guide.md exemptions table
Step 5: Prepare and send response within deadline
→ python scripts/dsr_tracker.py update --id [ID] --status completed
Step 6: Monitor dashboard for overdue requests
→ python scripts/dsr_tracker.py dashboard
Workflow 3: DPA Review
Step 1: Check DPA against Art. 28 required elements
→ Use references/dpa_review_checklist.md
Step 2: Verify processor obligations (10 items)
→ Sub-processing, deletion, audit rights, etc.
Step 3: Assess international transfer provisions
→ SCC module selection (C2P, C2C, P2P, P2C)
→ Transfer impact assessment
→ Supplementary measures
Step 4: Review practical considerations
→ Liability caps, insurance, termination, data locations
Step 5: Document findings and negotiate amendments
Workflow 4: Multi-Regulation Compliance Program
Step 1: Run regulation checker for full scope
→ python scripts/privacy_regulation_checker.py [params]
Step 2: Map overlapping obligations across regulations
→ Use references/global_privacy_regulations.md comparison matrix
Step 3: Build unified controls (satisfy strictest requirement)
→ GDPR-first approach covers most other regulations
Step 4: Layer regulation-specific requirements
→ CCPA opt-out mechanisms, LGPD DPO, PIPL localization
Step 5: Monitor regulatory changes
→ See references/dsr_handling_guide.md monitoring approach
Troubleshooting
| Problem | Possible Cause | Resolution |
|---|---|---|
| Regulation checker flags unexpected regulation | Data subjects in jurisdiction not considered | Review data flow maps; even indirect data collection (analytics, cookies) can trigger territorial scope |
| DSR deadline missed | Request not logged promptly or status not updated | Implement intake SLA (log within 24 hours); use dashboard daily for overdue alerts |
| DPA missing Art. 28 elements | Template from processor is incomplete | Use DPA review checklist to identify gaps; require amendments before signing |
| Cross-border transfer mechanism unclear | Multiple transfer layers (controller → processor → sub-processor) | Map full data flow chain; each transfer leg needs its own mechanism |
| Conflicting obligations across regulations | Retention vs. deletion requirements differ | Document conflicts; apply strictest obligation unless local law mandates otherwise; seek legal counsel |
| Identity verification proportionality unclear | Over-verification deters legitimate requests | Match verification to risk: low-risk data = email confirmation; high-risk = ID verification |
Success Criteria
- All applicable regulations identified and mapped — regulation checker confirms coverage with zero unaddressed jurisdictions where data subjects reside
- 100% of DSRs responded within statutory deadlines — dashboard shows zero overdue requests; extension documented where used
- DPAs reviewed against Art. 28 checklist before signing — all 10 processor obligations addressed; international transfer mechanisms validated
- Compliance matrix maintained and current — quarterly review of obligations per regulation with change log
- Regulatory monitoring active — escalation criteria defined; new regulation applicability assessed within 30 days of enactment
Scope & Limitations
In Scope:
- Applicability assessment for 9 major privacy regulations
- Data subject request tracking with multi-regulation deadline calculation
- DPA review against Art. 28 GDPR requirements
- Cross-regulation obligation mapping
- Gap analysis against current practices
- International transfer mechanism assessment
Out of Scope:
- Legal advice on specific legal basis selection — consult qualified privacy counsel
- Supervisory authority filings or breach notifications
- Cookie consent implementation or consent management platform configuration
- Binding Corporate Rules (BCR) application process
- Sector-specific regulations (HIPAA, FERPA, GLBA) beyond the 9 covered frameworks
- Data Protection Impact Assessments (see
dpia-assessmentskill)
Anti-Patterns
| Anti-Pattern | Why It Fails | Better Approach |
|---|---|---|
| GDPR-only compliance | Organizations assume GDPR covers all obligations; miss CCPA opt-out requirements, LGPD DPO mandate, PIPL data localization | Run regulation checker against all jurisdictions where data subjects reside; layer regulation-specific controls |
| One-size-fits-all DSR process | Applying GDPR 30-day timeline to all regulations misses CCPA 10-business-day acknowledgment or PIPL 15-day deadline | Configure per-regulation deadlines; use DSR tracker with regulation parameter for accurate deadline calculation |
| Ignoring sub-processor chains in DPA review | DPA covers direct processor but sub-processors transfer data to third countries without TIA | Map full processing chain in DPA review; require Art. 28(2) sub-processor obligations; validate each transfer leg |
| Treating privacy as a one-time project | Regulations evolve; new laws enacted; enforcement priorities shift | Implement regulatory monitoring with escalation criteria; quarterly compliance reviews |
Tool Reference
privacy_regulation_checker.py
Determines applicable privacy regulations and maps obligations based on organization parameters.
| Flag | Required | Description |
|---|---|---|
--org-location <code> |
Yes | Organization headquarters (ISO country code, e.g., DE, US-CA, SG) |
--data-subjects <list> |
Yes | Comma-separated locations of data subjects (EU, US, BR, ZA, CA, SG, AU, CN, UK) |
--data-types <list> |
Yes | Comma-separated data types (personal, sensitive, financial, health, biometric, children) |
--processing-activities <list> |
Yes | Comma-separated activities (marketing, analytics, hr, ecommerce, profiling, healthcare, research) |
--current-practices <list> |
No | Comma-separated current practices for gap analysis |
--json |
No | Output in JSON format |
dsr_tracker.py
Tracks Data Subject Request lifecycle with multi-regulation deadline calculation.
| Subcommand | Description |
|---|---|
add |
Add new DSR (--type, --regulation, --subject, --email required) |
list |
List all requests (--overdue for overdue only) |
update |
Update request status (--id, --status required) |
dashboard |
Show dashboard with time remaining and alerts |
| Flag | Description |
|---|---|
--type <type> |
Request type: access, deletion, correction, portability, restriction, objection, automated_decision, withdraw_consent |
--regulation <reg> |
Regulation: gdpr, ccpa, lgpd, popia, pipeda, pdpa, privacy_act_au, pipl, uk_gdpr |
--subject <name> |
Data subject name |
--email <email> |
Data subject email |
--id <id> |
Request ID (e.g., DSR-0001) |
--status <status> |
Status: received, verified, processing, completed, denied, extended |
--overdue |
Filter to overdue requests only |
--json |
Output in JSON format |
--data-file <path> |
Custom data file path (default: dsr_requests.json) |