Agent skill
compliance-gdpr-general-data-protection-regulation
Sub-skill of compliance: GDPR (General Data Protection Regulation) (+2).
Install this agent skill to your Project
npx add-skill https://github.com/vamseeachanta/workspace-hub/tree/main/.claude/skills/_archive/business/legal/compliance/gdpr-general-data-protection-regulation
SKILL.md
GDPR (General Data Protection Regulation) (+2)
GDPR (General Data Protection Regulation)
Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.
Key Obligations for In-House Legal Teams:
- Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
- Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
- Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
- Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
- Records of processing: Maintain Article 30 records of processing activities
- International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
- DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)
Common In-House Legal Touchpoints:
- Reviewing vendor DPAs for GDPR compliance
- Advising product teams on privacy by design requirements
- Responding to supervisory authority inquiries
- Managing cross-border data transfer mechanisms
- Reviewing consent mechanisms and privacy notices
CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.
Key Obligations:
- Right to know: Consumers can request disclosure of personal information collected, used, and shared
- Right to delete: Consumers can request deletion of their personal information
- Right to opt-out: Consumers can opt out of the sale or sharing of personal information
- Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
- Right to limit use of sensitive personal information: Consumers can limit use of sensitive PI to specific purposes (CPRA addition)
- Non-discrimination: Cannot discriminate against consumers who exercise their rights
- Privacy notice: Must provide a privacy notice at or before collection describing categories of PI collected and purposes
- Service provider agreements: Contracts with service providers must restrict use of PI to the specified business purpose
Response Timelines:
- Acknowledge receipt within 10 business days
- Respond substantively within 45 calendar days (extendable by 45 days with notice)
Other Key Regulations to Monitor
| Regulation | Jurisdiction | Key Differentiators |
|---|---|---|
| LGPD (Brazil) | Brazil | Similar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement |
| POPIA (South Africa) | South Africa | Information Regulator oversight; required registration of processing |
| PIPEDA (Canada) | Canada (federal) | Consent-based framework; OPC oversight; being modernized |
| PDPA (Singapore) | Singapore | Do Not Call registry; mandatory breach notification; PDPC enforcement |
| Privacy Act (Australia) | Australia | Australian Privacy Principles (APPs); notifiable data breaches scheme |
| PIPL (China) | China | Strict cross-border transfer rules; data localization requirements; CAC oversight |
| UK GDPR | United Kingdom | Post-Brexit UK version; ICO oversight; similar to EU GDPR with UK-specific adequacy |
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
gsd-complete-milestone
Archive completed milestone and prepare for next version
gsd-reapply-patches
Reapply local modifications after a GSD update
gsd-verify-work
Validate built features through conversational UAT
gsd-thread
Manage persistent context threads for cross-session work
clinical-trial-protocol
Generate clinical trial protocols for medical devices or drugs through a modular, waypoint-based architecture with research-only and full protocol modes.
single-cell-rna-qc
Performs quality control on single-cell RNA-seq data (.h5ad or .h5 files) using scverse best practices with MAD-based filtering and comprehensive visualizations.
Didn't find tool you were looking for?