Agent skill

compliance-request-intake

Sub-skill of compliance: Request Intake (+3).

Stars 4
Forks 4

Install this agent skill to your Project

npx add-skill https://github.com/vamseeachanta/workspace-hub/tree/main/.claude/skills/_archive/business/legal/compliance/request-intake

SKILL.md

Request Intake (+3)

Request Intake

When a data subject request is received:

  1. Identify the request type:

    • Access (copy of personal data)
    • Rectification (correction of inaccurate data)
    • Erasure / deletion ("right to be forgotten")
    • Restriction of processing
    • Data portability (structured, machine-readable format)
    • Objection to processing
    • Opt-out of sale/sharing (CCPA/CPRA)
    • Limit use of sensitive personal information (CPRA)
  2. Identify applicable regulation(s):

    • Where is the data subject located?
    • Which laws apply based on your organization's presence and activities?
    • What are the specific requirements and timelines?
  3. Verify identity:

    • Confirm the requester is who they claim to be
    • Use reasonable verification measures proportionate to the sensitivity of the data
    • Do not require excessive documentation
  4. Log the request:

    • Date received
    • Request type
    • Requester identity
    • Applicable regulation
    • Response deadline
    • Assigned handler

Response Timelines

Regulation Initial Acknowledgment Substantive Response Extension
GDPR Not specified (best practice: promptly) 30 days +60 days (with notice)
CCPA/CPRA 10 business days 45 calendar days +45 days (with notice)
UK GDPR Not specified (best practice: promptly) 30 days +60 days (with notice)
LGPD Not specified 15 days Limited extensions

Exemptions and Exceptions

Before fulfilling a request, check whether any exemptions apply:

Common exemptions across regulations:

  • Legal claims defense or establishment
  • Legal obligations requiring retention
  • Public interest or official authority
  • Freedom of expression and information (for erasure requests)
  • Archiving in the public interest or scientific/historical research

Organization-specific considerations:

  • Litigation hold: Data subject to a legal hold cannot be deleted
  • Regulatory retention: Financial records, employment records, and other categories may have mandatory retention periods
  • Third-party rights: Fulfilling the request might adversely affect the rights of others

Response Process

  1. Gather all personal data of the requester across systems
  2. Apply any exemptions and document the basis
  3. Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled
  4. If denying (in whole or part): cite the specific legal basis for denial
  5. Inform the requester of their right to lodge a complaint with the supervisory authority
  6. Document the response and retain records of the request and response

Expand your agent's capabilities with these related and highly-rated skills.

Didn't find tool you were looking for?

Be as detailed as possible for better results