alirezarezvani/gdpr-audit-prep
compliance-os/skills/gdpr-audit-prep/SKILL.md
/cs:gdpr-audit-prep <scope> — GDPR audit 6-question Article-cited forcing interrogation. Use before annual internal GDPR review, post-breach internal audit, DPA investigation readiness, or acquisition due diligence.
$ install --global
skillsauthnpx skillsauth add alirezarezvani/claude-skills gdpr-audit-prepInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 3:36 AM151.3s1 file scanned
SKILL.md
- name:
- gdpr-audit-prep
- description:
- /cs:gdpr-audit-prep <scope> — GDPR audit 6-question Article-cited forcing interrogation. Use before annual internal GDPR review, post-breach internal audit, DPA investigation readiness, or acquisition due diligence.
/cs:gdpr-audit-prep — GDPR DPO Forcing Questions
Command: /cs:gdpr-audit-prep <scope>
The GDPR DPO auditor pressure-tests any privacy compliance work. Six Article-cited questions before any internal audit, breach response, DPA investigation, or acquisition due diligence.
When to Run
- Before annual internal GDPR audit
- Before quarterly Article 30 RoPA refresh
- Before launching new high-risk processing (Article 35 DPIA required)
- Post-breach (Articles 33-34)
- Before DPA investigation response or supervisory authority engagement
- During acquisition due diligence (target company privacy posture)
- Quarterly during high-volume new-feature shipping
The Six DPO Questions
1. Show me the Article 30 RoPA — with last-updated date.
Most-cited finding area.
- Must include all Article 30(1)(a)-(g) elements for controllers
- Must include all Article 30(2)(a)-(d) elements for processors
- Updated within reasonable time of changes (90 days expected)
- Joint controller arrangements documented per Article 26
2. For this processing activity, what's the lawful basis under Article 6?
Article 6 is exclusive — pick ONE basis per purpose.
- Six options: consent / contract / legal obligation / vital interests / public task / legitimate interests
- Where "legitimate interests": LIA documented
- Where "consent": records per Article 7; withdrawal mechanism
- Special categories (Article 9) require an Article 9(2) exception
3. For high-risk processing, where's the DPIA per Article 35?
Required for high-risk; sample 3-5 activities.
- Article 35(7)(a)-(d) required elements:
- Systematic description of processing
- Necessity + proportionality assessment
- Risks to rights + freedoms
- Measures to address risks
- DPO consulted per Article 35(2)
- Article 36 prior consultation triggered for residual high risk
- For AI systems: integrates with EU AI Act Article 27 FRIA (cross-check with cs-ai-act-compliance)
4. Show me a DSAR from the last 30 days — and the response timing.
Articles 15-22 operational workflow.
- Response within 1 month (Article 12(3)); extension up to 2 months for complex requests
- Identity verification process documented
- Right of access response includes all Article 15 information
- Right to erasure (Article 17) workflow covers backups + processors
5. Show me Transfer Impact Assessments for the largest non-EU transfers.
Schrems II discipline.
- Adequacy decision OR SCCs (Article 46) OR derogation (Article 49)
- TIA per EDPB Recommendations 01/2020 + 02/2020
- Supplementary measures where TIA flagged risk
- US transfers covered by EU-US Data Privacy Framework adequacy (Jul 2023) — verify list of certified entities
6. Show me the breach log per Article 33(5) — all breaches, not just notifiable ones.
Article 33(5) requires logging ALL breaches.
- Internal breach detection mechanism documented
- Article 33 DPA notification within 72 hours (where required)
- Article 34 data subject notification (where high risk)
- Root cause + corrective action via CAPA system
- Cross-check with cs-ciso-iso27001 for A.5.24-27 incident management alignment
Workflow
# 1. Compliance posture
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/gdpr_compliance_checker.py compliance_state.json
# 2. DPIA for high-risk activities
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/dpia_generator.py processing_activity.json
# 3. DSAR workflow validation
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/data_subject_rights_tracker.py dsar_log.json
# 4. Cross-framework reuse with ISO 27001 + SOC 2 + ISO 42001
python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json
Output Format
# GDPR Audit Prep: <scope>
**Date:** YYYY-MM-DD
**Article Citations:** Every finding cites Article + paragraph; no paraphrase.
## The Decision Being Made
[RoPA-refresh | DPIA-required | DSAR-workflow | transfer-risk | breach-followup | DPA-readiness]
## Article 30 RoPA Status
- Last refresh: YYYY-MM-DD
- Required elements present: yes/no per processing activity
- Joint controller arrangements: documented/missing
## Article 6 Lawful Basis Discipline
- Activities reviewed: N
- Legitimate-interests claims without LIA: <list>
- Article 9 special categories with documented exception: yes/no
## Article 35 DPIA Quality
- High-risk activities requiring DPIA: <list>
- DPIAs complete per Article 35(7): pass/fail per activity
- Article 36 prior consultation triggered: <list>
## Data Subject Rights (Articles 12-22)
- DSARs in last 90 days: N
- Average response time: X days (target: ≤ 30)
- Right to erasure backup-processor flow: complete/incomplete
## Article 28 Processor Management
- Processors reviewed: N
- Contracts with all Article 28(3)(a)-(j) clauses: % complete
- Sub-processor flow-down notification mechanism: yes/no
## Schrems II Transfer Status
- Non-EU transfers: <list>
- Mechanism per transfer: adequacy / SCCs / derogation
- TIA on file: yes/no per transfer
- Supplementary measures where needed: <list>
## Article 33-34 Breach Discipline
- Breach log last 12 months: N
- Article 33 notification timing: ≤ 72h ratio
- Article 34 data subject notification (where high risk): on-time ratio
## Cross-Framework Impact
- ISO 27001 Article 32 alignment: clean / gaps
- EU AI Act Article 27 FRIA integration: applicable / not
- SOC 2 Privacy TSC alignment (if scope): clean / gaps
## Verdict
🟢 DPA-READY | 🟡 GAPS-IDENTIFIED | 🔴 NOT-READY
## Top 3 Actions
[3 concrete next steps with owner + Article-cited timeline]
## Outside Counsel Required
[Article-level ambiguities flagged: Schrems II supplementary measure adequacy, EU AI Act ↔ GDPR interaction, sectoral derogation interpretation, novel DPA enforcement]
Routing
/cs:compliance-readiness— for multi-framework view/cs:iso27001-audit-prep— for Article 32 organizational measures/cs:ai-act-readiness— for EU AI Act Article 27 FRIA integration/cs:soc2-audit-prep— for SOC 2 Privacy TSC overlap/cs:gc-review— for novel-case legal review
Related
- Agent:
cs-dpo-gdpr - Skill:
gdpr-dsgvo-expert - Playbook: gdpr_audit_playbook.md
- Adjacent:
../iso27001-audit-prep/,../ai-act-readiness/,../soc2-audit-prep/,../compliance-readiness/
Version: 1.0.0
Related Skills
alirezarezvani/code-reviewer
tools
VerifiedTrustedCommunity
Code review automation for TypeScript, JavaScript, Python, Go, Swift, Kotlin, C#, .NET, Java, C, C++, Rust, Ruby, PHP, and Dart/Flutter. Analyzes PRs for complexity and risk, checks code quality for SOLID violations and code smells, generates review reports. Use when reviewing pull requests, analyzing code quality, identifying issues, generating review checklists.
16,546SKILL.mdUpdated May 10, 2026
alirezarezvani/research-ops-skills
tools
VerifiedTrustedCommunity
Use when planning, funding, scoping, or synthesizing enterprise research across workstreams — clinical study design, R&D program finance, market sizing/surveys, or product/user research. Triggers on "design this clinical study", "what sample size", "R&D budget", "burn rate", "capitalize or expense", "TAM SAM SOM", "market sizing", "survey design", "segment the market", "plan user interviews", "usability test", "synthesize research insights". Forks context to route to one of four Research-Operations sub-skills (clinical-research, research-finance, market-research, product-research) and returns a digest. Distinct from ra-qm-team (regulatory submission), finance (corporate close/valuation), research/grants (funding discovery), product-team (persona/journey/live experiments), and marketing-skill (campaign analytics).
16,359SKILL.mdUpdated May 28, 2026
alirezarezvani/research-finance
development
VerifiedTrustedCommunity
Use when managing the money for an internal R&D program or portfolio — building a multi-period program budget with the F&A (indirect) split, tracking burn rate and runway against value-inflection milestones, or routing R&D cost items to a capitalize-vs-expense determination. Every budget output surfaces its assumptions block; capitalize-vs-expense is decision-support only and routes to a named finance owner — it never books an entry or decides accounting treatment. Distinct from finance/financial-analysis (corporate DCF, close, valuation) and research/grants (funding discovery — this manages money already won).
16,359SKILL.mdUpdated May 28, 2026
alirezarezvani/product-research
development
VerifiedTrustedCommunity
Use when planning and synthesizing product/user research as a method-and-repository discipline — selecting the right method for the goal (generative interviews vs usability test vs concept test vs validation), computing method-based saturation/sample size with an explicit confidence level, or synthesizing coded observations into insights while flagging single-source anecdotes. Never fabricates user insight; an insight requires recurrence across independent participants. Distinct from product-team/ux-researcher-designer (persona/journey artifacts), product-discovery (discovery-sprint planning), and experiment-designer (live A/B) — this is the research-ops method + insight-repository layer.
16,359SKILL.mdUpdated May 28, 2026