pinkpixel-dev/implementing-gdpr-data-subject-access-request
SKILLS/implementing-gdpr-data-subject-access-request/SKILL.md
Automates GDPR Data Subject Access Request (DSAR) workflows including identity verification, PII discovery across databases and files using regex and NER, data mapping, response templating per Article 15 requirements, deadline tracking, and audit logging. Covers ICO/EDPB guidance compliance, exemption handling, and scalable batch processing. Use when building or auditing DSAR response capabilities under GDPR/UK GDPR.
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-gdpr-data-subject-access-requestInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 4:34 AM152.2s3 files scanned
SKILL.md
- name:
- implementing-gdpr-data-subject-access-request
- description:
- >
- domain:
- cybersecurity
- subdomain:
- privacy-compliance
- tags:
- [gdpr, dsar, privacy, pii-discovery, data-subject-rights, compliance, article-15]
- version:
- 1.0
- author:
- mukul975
- license:
- Apache-2.0
Implementing GDPR Data Subject Access Request (DSAR) Workflow
When to Use
- When building automated DSAR processing pipelines for GDPR/UK GDPR compliance
- When implementing PII discovery across structured and unstructured data sources
- When creating response templates that satisfy Article 15 disclosure requirements
- When auditing existing DSAR handling for regulatory compliance gaps
- When scaling DSAR processing from manual to automated workflows
Prerequisites
- Python 3.8+ with required dependencies (spacy, presidio-analyzer, jinja2)
- Access to data sources where personal data resides (databases, file shares, logs)
- Understanding of GDPR Article 15 requirements and ICO/EDPB guidance
- Appropriate authorization and data protection officer (DPO) approval
- Test environment with synthetic or anonymized data for validation
Background
GDPR Article 15 - Right of Access
Under GDPR Article 15, data subjects have the right to obtain from the controller:
- Confirmation that their personal data is being processed
- A copy of all personal data held about them
- Supplementary information including:
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Retention periods or criteria to determine them
- Right to rectification, erasure, restriction, or objection
- Right to lodge a complaint with a supervisory authority
- Source of the data (if not collected directly from the subject)
- Existence of automated decision-making, including profiling
Timeline Requirements
- Standard deadline: 1 calendar month from receipt of valid request
- Complex extension: Up to 2 additional months (must notify within first month)
- Clock pause: Permitted when identity verification or clarification is needed
- Format: Electronic form if request made electronically (unless otherwise requested)
- Cost: Free of charge (unless manifestly unfounded/excessive)
ICO/EDPB Guidance Key Points
- No formal format required for DSARs - verbal, written, social media all valid
- Request need not mention "subject access request" or cite Article 15
- Identity verification must be proportionate to the risk
- Exemptions exist for legal privilege, third-party data, trade secrets
- EDPB coordinated enforcement actions cover right of access compliance
Instructions
Step 1: DSAR Intake and Verification
Implement a request intake system that captures the request through any channel, verifies the requester's identity, and starts the compliance clock.
from agent import DSARWorkflowEngine
engine = DSARWorkflowEngine(config_path="dsar_config.json")
# Register a new DSAR
request = engine.register_dsar(
requester_name="Jane Smith",
requester_email="[email protected]",
request_channel="email",
request_text="I would like a copy of all personal data you hold about me.",
identity_docs=["passport_verified"],
)
print(f"DSAR ID: {request['dsar_id']}, Deadline: {request['deadline']}")
Step 2: PII Discovery Across Data Sources
Scan databases, files, and logs using regex patterns and NER to find all personal data associated with the data subject.
from agent import PIIDiscoveryEngine
pii_engine = PIIDiscoveryEngine()
# Scan structured data (database)
db_results = pii_engine.scan_database(
connection_string="postgresql://user:pass@localhost/appdb",
search_identifiers={"email": "[email protected]", "name": "Jane Smith"},
)
# Scan unstructured data (files, logs)
file_results = pii_engine.scan_files(
directories=["/var/log/app", "/data/exports", "/data/documents"],
search_identifiers={"email": "[email protected]", "name": "Jane Smith"},
)
# Scan with NER for contextual PII detection
ner_results = pii_engine.scan_with_ner(
text_corpus=file_results["raw_text_matches"],
entity_types=["PERSON", "EMAIL", "PHONE_NUMBER", "LOCATION", "DATE_OF_BIRTH"],
)
all_pii = pii_engine.consolidate_results(db_results, file_results, ner_results)
print(f"Found {all_pii['total_records']} PII records across {all_pii['source_count']} sources")
Step 3: Data Mapping and Classification
Map discovered PII to processing purposes, legal bases, and retention periods as required by Article 15.
from agent import DataMapper
mapper = DataMapper(data_inventory_path="data_inventory.json")
# Map PII to Article 15 categories
mapped_data = mapper.map_to_article15(
pii_records=all_pii,
data_subject_id="[email protected]",
)
# Output includes processing purposes, recipients, retention for each data category
for category in mapped_data["categories"]:
print(f"Category: {category['name']}")
print(f" Purpose: {category['processing_purpose']}")
print(f" Legal basis: {category['legal_basis']}")
print(f" Retention: {category['retention_period']}")
print(f" Recipients: {', '.join(category['recipients'])}")
Step 4: Exemption Review
Apply exemptions where lawful (third-party data, legal privilege, trade secrets) before compiling the response.
from agent import ExemptionReviewer
reviewer = ExemptionReviewer()
# Check for applicable exemptions
review_result = reviewer.review_exemptions(
mapped_data=mapped_data,
exemption_checks=[
"third_party_data",
"legal_professional_privilege",
"trade_secrets",
"crime_prevention",
"management_forecasting",
],
)
# Apply redactions where exemptions apply
redacted_data = reviewer.apply_redactions(mapped_data, review_result["exemptions"])
print(f"Applied {review_result['exemption_count']} exemptions")
Step 5: Response Generation
Generate a compliant DSAR response package with cover letter, data export, and supplementary information document.
from agent import DSARResponseGenerator
generator = DSARResponseGenerator(template_dir="templates/")
# Generate complete response package
response = generator.generate_response(
dsar_id=request["dsar_id"],
data_subject="Jane Smith",
mapped_data=redacted_data,
format="pdf", # or "json", "csv"
)
# Package includes: cover letter, data export, supplementary info, audit log
for doc in response["documents"]:
print(f"Generated: {doc['filename']} ({doc['type']})")
Step 6: Audit Trail and Compliance Logging
Maintain complete audit trail of the DSAR lifecycle for accountability.
from agent import DSARAuditLogger
logger = DSARAuditLogger(log_path="dsar_audit_logs/")
# Log complete DSAR lifecycle
logger.log_event(request["dsar_id"], "request_received", {
"channel": "email",
"identity_verified": True,
})
logger.log_event(request["dsar_id"], "pii_discovery_complete", {
"records_found": all_pii["total_records"],
"sources_scanned": all_pii["source_count"],
})
logger.log_event(request["dsar_id"], "response_sent", {
"format": "pdf",
"documents_count": len(response["documents"]),
"exemptions_applied": review_result["exemption_count"],
})
# Generate compliance report
compliance_report = logger.generate_compliance_report(request["dsar_id"])
Examples
Complete DSAR Processing Pipeline
from agent import DSARWorkflowEngine, PIIDiscoveryEngine, DSARResponseGenerator
# Full automated pipeline
engine = DSARWorkflowEngine(config_path="dsar_config.json")
pii = PIIDiscoveryEngine()
gen = DSARResponseGenerator(template_dir="templates/")
# 1. Intake
req = engine.register_dsar(
requester_name="John Doe",
requester_email="[email protected]",
request_channel="web_form",
request_text="Please provide all my data under GDPR Article 15.",
identity_docs=["email_verified", "account_match"],
)
# 2. Discover
results = pii.full_scan(
search_identifiers={"email": "[email protected]"},
sources=["database", "files", "logs"],
)
# 3. Generate response
response = gen.generate_response(
dsar_id=req["dsar_id"],
data_subject="John Doe",
mapped_data=results,
)
# 4. Track deadline
engine.update_status(req["dsar_id"], "response_sent")
print(f"DSAR {req['dsar_id']} completed, {engine.days_remaining(req['dsar_id'])} days remaining")
PII Regex Pattern Testing
from agent import PIIPatternMatcher
matcher = PIIPatternMatcher()
# Test individual patterns
test_text = "Contact [email protected] or call +44 20 7946 0958. SSN: 123-45-6789"
matches = matcher.scan_text(test_text)
for m in matches:
print(f" [{m['type']}] '{m['value']}' (confidence: {m['confidence']})")
References
- GDPR Article 15: https://gdpr-info.eu/art-15-gdpr/
- ICO Subject Access Request Guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/
- EDPB Guidelines 01/2022 on Right of Access: https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf
- GDPR Article 12 (DSAR Modalities): https://gdpr-info.eu/art-12-gdpr/
- Regulation (EU) 2025/2518 (Procedural Rules): Cross-border GDPR enforcement procedural rules
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026