
UK GDPR & DPIA (Data Protection)


    Overview

    Conduct and validate Data Protection Impact Assessments (DPIAs) under the UK GDPR and ICO guidance for high-risk processing in technology and data-driven businesses. The skill walks you through the full DPIA lifecycle — from screening and scoping through risk assessment to sign-off — and suggests technical and organisational safeguards aligned with UK Adequacy standards for international transfers. It also validates internal breach-notification policies against the 72-hour ICO reporting window (Art. 33/34).

    Tools

    • dpia_risk_mitigator — Analyses a DPIA document for required sections (processing description, necessity and proportionality, risk assessment, mitigation measures), detects risk categories mentioned in the text (confidentiality, international transfers, profiling, sensitive data, vulnerable data subjects, and more), and recommends UK-GDPR-aligned safeguards for each category — including IDTA, UK Addendum to EU SCCs, and Transfer Impact Assessment guidance for international transfers. Also flags unfilled placeholders.

    • breach_notification_logic — Validates an internal breach-notification policy against UK GDPR Art. 33 and Art. 34. Checks for: 72-hour ICO notification window, risk-to-rights assessment, required notification content, communication to data subjects for high-risk breaches, breach register (Art. 33(5)), processor-to-controller obligations, and roles and responsibilities.
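    The following is an added illustration of the kind of checks these two tools perform; it is not the skill's own implementation. The section headings, keyword patterns, safeguard wording and the two sample documents are all assumptions constructed for this example. The checker reads a DPIA draft and a breach policy, reports which required sections and Art. 33/34 elements are present, detects risk categories by keyword, suggests safeguards per category and flags unfilled template placeholders.

```python
"""Added example, not the skill's own implementation: a minimal offline checker
in the spirit of dpia_risk_mitigator and breach_notification_logic. The section
names, keyword patterns, safeguard wording and sample documents are assumptions
constructed for illustration."""
import re

# Required DPIA sections: display name -> pattern matched against heading lines only.
DPIA_SECTIONS = {
    "Processing description": r"processing\s+description",
    "Necessity and proportionality": r"necessity",
    "Risk assessment": r"risk\s+assessment",
    "Mitigation measures": r"mitigation",
}
# Risk categories: display name -> keyword patterns searched in the body (case-insensitive).
RISK_CATEGORIES = {
    "Confidentiality": [r"\bconfidential", r"unauthori[sz]ed\s+access", r"\bleak"],
    "Automated decision-making": [r"\bprofil(?:e|es|ing)\b", r"automated\s+decision"],
    "International transfers": [r"international\s+transfer", r"transfer\w*\s+(?:to|outside)\b", r"third\s+countr"],
    "Sensitive data": [r"special\s+category", r"\bhealth\b", r"\bbiometric"],
    "Vulnerable data subjects": [r"\bchildren\b", r"\bvulnerable\b"],
    "Scale": [r"large[-\s]scale", r"\bmillions?\b"],
}
# Safeguard suggestions per category (abridged; the tool's own list is richer).
SAFEGUARDS = {
    "Confidentiality": ["Encryption at rest and in transit", "RBAC with least privilege", "MFA on data stores"],
    "Automated decision-making": ["Art. 22 safeguards: human intervention and right to contest"],
    "International transfers": ["IDTA or UK Addendum to EU SCCs", "Transfer Impact Assessment"],
    "Sensitive data": ["Document the Art. 9 condition"],
    "Vulnerable data subjects": ["Age-appropriate design review"],
    "Scale": ["Data minimisation review", "Automated retention and deletion"],
}
# Unfilled template placeholders such as [TBD: ...], {{...}} or a bare TODO/TBD.
PLACEHOLDER_RE = re.compile(r"\[(?:TODO|TBD)[^\]]*\]|\{\{[^}]*\}\}|\bTODO\b|\bTBD\b")
# Breach-policy elements (UK GDPR Art. 33/34): display name -> keyword patterns.
BREACH_ELEMENTS = {
    "72-hour ICO notification window": [r"\b72[-\s]hours?\b", r"seventy[-\s]two\s+hours"],
    "Risk-to-rights assessment": [r"risks?\s+to\s+(?:the\s+)?rights"],
    "Required notification content": [r"nature\s+of\s+the\s+(?:personal\s+data\s+)?breach", r"likely\s+consequences"],
    "Communication to data subjects (Art. 34)": [r"(?:inform|notif(?:y|ies)|communicat\w*)\b.{0,40}\b(?:data\s+subjects|affected\s+individuals)"],
    "Breach register (Art. 33(5))": [r"breach\s+(?:register|log)", r"record\s+of\s+(?:all\s+)?breaches"],
    "Processor-to-controller notification (Art. 33(2))": [r"processors?\b.{0,80}\b(?:notif|inform)\w*\b.{0,40}\bcontroller"],
    "Roles and responsibilities": [r"roles?\s+and\s+responsibilit", r"data\s+protection\s+officer", r"\bDPO\b"],
}

def find_headings(text):
    """Return markdown '#' headings and 'N. Title' lines, lower-cased."""
    return [m.group(1).lower() for m in re.finditer(r"^\s*(?:#+|\d+\.)\s*(.+?)\s*$", text, re.M)]

def any_match(patterns, text):
    return any(re.search(p, text, re.I) for p in patterns)

def check_dpia(text):
    """Section coverage, detected risk categories, safeguards and unfilled placeholders."""
    headings = find_headings(text)
    present = [n for n, p in DPIA_SECTIONS.items() if any(re.search(p, h) for h in headings)]
    categories = [n for n, pats in RISK_CATEGORIES.items() if any_match(pats, text)]
    placeholders = sorted({m.group(0) for m in PLACEHOLDER_RE.finditer(text)})
    return {"sections_present": present,
            "sections_missing": [n for n in DPIA_SECTIONS if n not in present],
            "risk_categories": categories,
            "safeguards": {c: SAFEGUARDS[c] for c in categories},
            "placeholders": placeholders,
            "ok": len(present) == len(DPIA_SECTIONS) and not placeholders}

def check_breach_policy(text):
    """Which Art. 33/34 elements the policy states, and which are missing."""
    present = [n for n, pats in BREACH_ELEMENTS.items() if any_match(pats, text)]
    missing = [n for n in BREACH_ELEMENTS if n not in present]
    return {"present": present, "missing": missing, "ok": not missing}

# Constructed sample documents (not real DPIAs or policies).
SAMPLE_DPIA = """\
## 1. Processing description
We profile customers to personalise recommendations; event data for two million
users is sent to a processor in the United States (an international transfer).
## 2. Necessity and proportionality
Personalisation needs behavioural data. [TBD: retention period]
## 3. Risk assessment
Unauthorised access to the event store would expose browsing histories.
## 4. Mitigation measures
{{mitigations to be agreed with security}}
"""
SAMPLE_POLICY = """\
1. Suspected personal data breaches are reported to the DPO immediately.
2. The DPO assesses the risk to the rights and freedoms of individuals and, where
   a risk is likely, notifies the ICO within 72 hours of becoming aware.
3. The notification describes the nature of the breach, the likely consequences
   and the measures taken. All breaches are logged in the breach register.
4. Roles and responsibilities: the DPO owns this process; team leads escalate.
"""
# The two clauses the checker reports as missing from SAMPLE_POLICY.
ART34_AND_PROCESSOR_CLAUSES = """\
5. For high-risk breaches the DPO communicates the breach to the affected individuals.
6. Processors must notify the controller without undue delay after becoming aware of a breach.
"""

if __name__ == "__main__":
    print(check_dpia(SAMPLE_DPIA))
    print(check_breach_policy(SAMPLE_POLICY))
    print(check_breach_policy(SAMPLE_POLICY + ART34_AND_PROCESSOR_CLAUSES))
```

    On the constructed DPIA all four sections are found and four risk categories are detected, but the two placeholders keep the overall result at not-OK; on the constructed policy, the Art. 34 communication clause and the processor-to-controller clause are reported as missing until the two extra clauses are appended. Keyword matching of this kind is a screening aid only: it tells you a clause is absent, not that a present clause is adequate, so a human review of the wording is still needed before sign-off.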

    Getting Started

    Add your draft DPIA or breach-notification policy (Markdown or text) to the project workspace, then activate the UK GDPR & DPIA (Data Protection) skill. The agent will guide you through the DPIA workflow step by step, using the ICO-aligned template and validation tools.


    Example conversation

    Session where a user conducts a DPIA for a new customer analytics platform that involves profiling and international data transfers.

    You: We’re launching a customer analytics platform that profiles users to personalise product recommendations. Some data will be transferred to a processor in the US. I need a DPIA.

    Agent: I’ll start by screening for DPIA requirements. Your processing involves profiling (criterion 1), automated decision-making with potential significant effect (criterion 2), and large-scale processing (criterion 5) — that’s three ICO triggers, so a DPIA is mandatory.

    I’ve created a DPIA from the template at docs/dpia-analytics-platform.md. I’ve pre-filled the processing description based on what you’ve told me. Let me walk through the remaining sections.

    Agent: I’ve completed sections 1–4 of the DPIA. Now I’ll run the risk mitigator to check for gaps and get safeguard recommendations.

    Running dpia_risk_mitigator on docs/dpia-analytics-platform.md:

    • Sections: 4/4 present (processing description, necessity, risk assessment, mitigation).
    • Risk categories detected: Confidentiality, Automated decision-making, International transfers, Scale.
    • Suggested safeguards include: encryption at rest/in transit, Art. 22 human-intervention rights, IDTA or UK Addendum to EU SCCs for the US transfer, Transfer Impact Assessment, and data minimisation review.

    I’ve incorporated these into section 4. For the US transfer I’ve added section 5 with IDTA as the transfer mechanism and documented the Transfer Impact Assessment findings.

    You: We also need to update our breach-notification policy. Can you validate the current version?

    Agent: Running breach_notification_logic on docs/breach-notification-policy.md:

    • Elements present: 6/7 — 72-hour window, ICO as authority, risk assessment, notification content, breach register, roles and responsibilities.
    • Missing: Communication to data subjects for high-risk breaches (Art. 34).
    • Warning: No processor-to-controller notification clause found (Art. 33(2)).

    I’ll add the missing Art. 34 section and the processor obligation clause now.


    Excerpt from dpia_risk_mitigator output

    Example output when the DPIA is complete and covers international transfers.

    ================================================================
    DPIA Risk Mitigator — UK GDPR / ICO Guidance
    File: docs/dpia-analytics-platform.md
    ================================================================
    
    --- Required DPIA sections ---
      [OK] Processing description
      [OK] Necessity and proportionality
      [OK] Risk assessment
      [OK] Mitigation measures
      Result: 4/4 sections present
    
    --- Risk categories detected ---
      • Confidentiality
      • Automated decision-making
      • International transfers
      • Scale
    
    --- Suggested safeguards (UK GDPR / ICO / UK Adequacy) ---
      [Confidentiality]
        → Encryption at rest and in transit (AES-256 / TLS 1.2+)
        → Role-based access control (RBAC) with least-privilege principle
        → Multi-factor authentication for access to personal data stores
        → Data Loss Prevention (DLP) tooling on egress channels
    
      [Automated decision-making]
        → Art. 22 safeguards: right to human intervention, right to contest, right to an explanation
        → Regular review and audit of automated decision-making models
        → Document logic, significance, and envisaged consequences for data subjects
    
      [International transfers]
        → UK Adequacy Regulations: verify recipient country has adequacy decision, or use appropriate safeguards
        → International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
        → Transfer Impact Assessment (TIA) documenting risks in recipient country
        → Supplementary measures where TIA identifies residual risks
    
      [Scale]
        → Data minimisation review — collect only what is strictly necessary
        → Automated retention and deletion policies enforced at infrastructure level
        → Privacy-enhancing technologies (PETs): pseudonymisation, aggregation, k-anonymity
    
    ================================================================
    RESULT: OK — all required DPIA sections are present.
    ================================================================
    

    Excerpt from a generated DPIA

    Example of the international-transfers section produced with the skill.

    ## 5. UK Adequacy — international transfers
    
    - **Recipient country:** United States
    - **Adequacy decision:** No (as of assessment date)
    - **Transfer mechanism:** International Data Transfer Agreement (IDTA)
    - **Transfer Impact Assessment:** US surveillance laws (FISA 702, EO 12333) assessed.
      Risk mitigated by: (1) encryption in transit and at rest with keys held in the UK,
      (2) contractual prohibition on disclosing data to government authorities without
      notifying the controller, (3) pseudonymisation of direct identifiers before transfer.
    - **Supplementary measures:** AES-256 encryption, pseudonymisation of user identifiers,
      contractual audit rights, annual review of US legal landscape.
    
