GDPR
Skill packages tagged with “GDPR”
Cross-Compliance Matrix
Produce a unified multi-framework compliance matrix mapping controls across ISO 27001:2022, NIST CSF 2.0, SOC 2 TSC, GDPR, NIS2/DORA, and NIST 800-53/CMMC. Scores coverage per framework, identifies gaps, and prioritizes remediation by cross-framework benefit and regulatory severity.
Data Processing Agreement (DPA) — SCC & sub-processor sync
Draft the legal annex for DPAs governing controller–processor data transfers under GDPR and CCPA. Inserts the correct Standard Contractual Clauses by data importer country and validates the sub-processor list against the privacy portal.
DPC Cross-Border Data Processing (Lead SSA)
Draft Article 30 Records of Processing Activities for US firms using Ireland as Lead Supervisory Authority. Covers main establishment justification (GDPR Art. 4(16), EDPB criteria) and validation so the Irish DPC remains the competent authority.
DPC GDPR Accuracy and Retention
Accuracy and retention for DPC self-assessment: purpose limitation, minimisation, accuracy, retention policies, secure destruction, and no unregulated duplication.
DPC GDPR Breach Notification
Breach notification and response under Ireland DPC and GDPR Art. 33–34: 72h to DPC, data subject communication for high risk, risk levels, form, and internal record.
DPC GDPR Certification
GDPR certification under Ireland DPC and Art. 42–43: DPC-approved criteria, INAB-accredited certification bodies, and documentation for certification readiness.
DPC GDPR Controller Obligations
Other controller obligations for the DPC checklist: processor/supplier agreements (Art. 28–29), DPO (Art. 37–39), DPIA (Art. 35).
DPC GDPR Data Breaches (Self-Assessment)
Breach preparedness for the DPC checklist: incident response plan, procedures to notify the DPC and individuals, documentation, and cooperation. For actual notification, use the DPC GDPR Breach Notification skill.
DPC GDPR Data Security
Data security (Art. 32) for DPC self-assessment: risk assessment, technical and organisational measures, encryption, recovery, and secure destruction.
DPC GDPR Data Subject Rights
Data subject rights (Art. 15–23) for DPC self-assessment: SAR, portability, deletion/rectification, restriction, right to object, profiling, and restrictions.
DPC GDPR International Transfers
International data transfers (Art. 44–50) for DPC self-assessment: adequacy, SCCs, documentation, and transparency to data subjects.
DPC GDPR Personal Data (Legal Basis)
Personal data for DPC self-assessment: consent (Art. 7–9), children (Art. 8), and legitimate interest assessment.
DPC GDPR Readiness
GDPR readiness and self-assessment aligned to the Ireland DPC Self-Assessment Checklist: data mapping, legal basis, retention, and links to the eight detailed checklist areas.
DPC GDPR Transparency
Transparency (Art. 12–14) for DPC self-assessment: information to data subjects, Art. 13/14 lists, and proactive rights information.
GDPR Consent Form (Art. 7)
Draft consent forms and consent notices for personal data processing under GDPR Article 7. Covers all conditions for valid consent: freely given, specific, informed, unambiguous. Includes validation against EDPB Guidelines 05/2020.
GDPR Gap Assessment
Perform a structured gap assessment against GDPR (Regulation 2016/679). Mandatory artifact detector scans for missing compliance documents; maturity rater suggests 0–5 maturity per domain across all compliance domains (principles, lawful basis, transparency, data subject rights including Art. 19, controller obligations, security, breach notification, DPIA including Art. 36 prior consultation, DPO governance, processor management, international transfers, training). Produces findings register and prioritized remediation roadmap with Art. 83 fine tier analysis.
GDPR Legitimate Interest Assessment (Art. 6(1)(f))
Conduct a three-part Legitimate Interest Assessment (LIA) under GDPR Art. 6(1)(f): purpose test, necessity test, and balancing test. Validates against EDPB Opinion 08/2024, WP217, and CJEU case law (Rigas, Fashion ID, Meta/Bundeskartellamt).
GDPR Privacy by Design & Default (Art. 25)
Assess and document data protection by design and by default measures per GDPR Article 25 and EDPB Guidelines 4/2019. Covers the seven foundational principles, Hoepman's eight design strategies, Art. 25(2) four-dimension default settings review, controller/processor scope, DPIA necessity assessment (EDPB WP248 rev.01), and organisational measures.
GDPR ROPA & DPIA Author
Guided elaboration of Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA): processing purposes, legal basis, data categories, recipients, retention, safeguards, and DPIA necessity assessment and risk mitigation.
GDPR Vendor & Processor Audit (Art. 28)
Plan and document processor audits under GDPR Art. 28(3)(h). Covers Art. 28(3)(a–h) contract compliance, sub-processor chain review, international transfer assessment (SCCs, adequacy, BCRs, TIA), Art. 32 technical measures evaluation, Art. 28(5) certification review, and corrective action tracking.
HIQA Data Protection and Confidentiality Policy
Draft or update a data protection and confidentiality policy aligned with HIQA, GDPR, and Irish law.
ISO 27701 Privacy Policy Generator
Generate a comprehensive privacy policy/notice aligned to ISO 27701 Clause 6 controller obligations. Uses the PII inventory and controller controls as inputs to produce a legally grounded, auditable privacy policy covering all 15 mandatory topics, plus a condensed privacy notice for user-facing communication.
Multi-Jurisdiction Data Processing Agreement (GDPR + CCPA + UK)
Draft an integrated Data Processing Agreement covering EU GDPR Article 28, EU Standard Contractual Clauses (SCCs), UK IDTA or UK Addendum, and US state privacy laws (CCPA/CPRA, CPA, VCDPA). Includes jurisdiction checker, SCC module selection, and Transfer Impact Assessment.
Privacy & PII Protection Program
Build a comprehensive privacy program aligned with ISO 27001:2022 A.5.34 and major privacy regulations (GDPR, LGPD, CCPA). Produces five core privacy documents: external-facing privacy policy, Record of Processing Activities (ROPA), Data Protection Impact Assessment (DPIA) template, data subject rights procedure, and data breach notification procedure with jurisdiction-specific regulatory timelines.
Third-Party Risk Assessment (TPRA)
Assess vendor security posture by validating SIG questionnaire responses against evidence and auditing SOC 2 reports for coverage gaps. Produces structured TPRA reports aligned with NIST SP 800-161 and GDPR Article 28, with automated tools that flag unsupported vendor claims, expired reports, and bridge-letter gaps.