A

gdpr-audit-prep

by alirezarezvani

gdpr-audit-prep helps teams pressure-test GDPR readiness with six Article-cited DPO questions for RoPA, lawful basis, DPIA, transfers, breach, retention, and evidence gaps before audits or due diligence.

Stars22.1k
Favorites0
Comments0
AddedJul 11, 2026
CategoryCompliance Review
Install Command
npx skills add alirezarezvani/claude-skills --skill gdpr-audit-prep
Curation Score

This skill scores 73/100, which means it is acceptable for directory listing as a focused GDPR audit-prep prompt that gives agents a clearer interrogation structure than a generic compliance prompt. Directory users should view it as a lightweight DPO-style checklist for pressure-testing GDPR readiness, not as a full audit system with supporting templates, scripts, or legal references.

73/100
Strengths
  • Clear trigger and use cases: the command `/cs:gdpr-audit-prep <scope>` is explicitly tied to annual GDPR reviews, breach response, DPA investigation readiness, and acquisition due diligence.
  • Operationally useful core: the skill centers on six Article-cited DPO questions, including Article 30 RoPA, Article 6 lawful basis, DPIA triggers, and breach-related Articles 33-34.
  • Good agent leverage for interrogation: the forcing-question format helps an agent challenge missing compliance evidence rather than produce generic GDPR commentary.
Cautions
  • No supporting files, references, scripts, templates, or install guidance are present, so users only get the SKILL.md workflow.
  • The repository evidence suggests limited practical implementation detail beyond the checklist-style interrogation, which may not be enough for teams needing a complete GDPR audit package.
Overview

Overview of gdpr-audit-prep skill

What gdpr-audit-prep does

gdpr-audit-prep is a compliance review skill for pressure-testing GDPR readiness with six DPO-style, Article-cited questions. It is designed to make an AI assistant interrogate privacy evidence rather than produce a soft checklist. The core job is simple: before an audit, breach response, DPA engagement, DPIA, RoPA refresh, or acquisition review, use the skill to expose missing records, weak lawful basis claims, undocumented transfers, stale retention rules, and incomplete data subject rights handling.

Best fit for compliance review teams

The gdpr-audit-prep skill is best for privacy leads, legal operations teams, DPO support staff, security/compliance managers, and startup operators preparing for GDPR scrutiny. It is especially useful when you already have some artifacts—RoPA, DPIA, privacy notice, DPA list, transfer impact assessment, retention schedule, breach log—but need a structured challenge before handing materials to counsel, auditors, buyers, or a supervisory authority.

What makes it different from a generic GDPR prompt

A generic prompt may summarize GDPR obligations. gdpr-audit-prep is narrower and more useful for operational review: it asks forcing questions tied to specific GDPR Articles, with attention to Article 30 records, Article 6 lawful basis, DPIA triggers, international transfers, breach notification, and evidence quality. The value is not that it “does GDPR”; it helps reveal whether your claimed compliance position can be defended with dated, specific, reviewable documentation.

Important adoption limits

This skill does not replace legal advice, a DPO, or a full GDPR audit program. It also ships as a single SKILL.md without bundled scripts, references, or helper resources, so users should expect a prompt-workflow asset rather than an automated evidence scanner. It works best when you provide concrete scope and documents; it is weak if you ask it to “check GDPR compliance” with no processing activity, geography, vendor list, or audit objective.

How to Use gdpr-audit-prep skill

gdpr-audit-prep install and repository path

For a Claude skills workflow, install from the repository path:

npx skills add alirezarezvani/claude-skills --skill gdpr-audit-prep

The upstream location is compliance-os/skills/gdpr-audit-prep in alirezarezvani/claude-skills. Start by reading SKILL.md; there are no separate README.md, rules/, references/, resources/, or scripts to inspect for this skill. That makes installation straightforward, but it also means your own evidence pack and prompt framing carry most of the output quality.

Inputs the skill needs before review

For strong gdpr-audit-prep usage, give the assistant a defined scope and the evidence you want challenged. Useful inputs include:

  • Processing activity name, controller/processor role, countries, data subjects, and data categories
  • RoPA extract with last-updated date
  • Lawful basis by purpose, including any legitimate interests assessment
  • DPIA or rationale for not completing one
  • Vendor/subprocessor list, SCCs, transfer mechanism, and transfer risk notes
  • Retention schedule and deletion controls
  • Breach log or incident-response context
  • Privacy notice, DSAR procedure, and consent records where relevant

A poor prompt is: “Check if we are GDPR compliant.”
A stronger prompt is: “Use gdpr-audit-prep for Compliance Review of our EU customer analytics processing. We are controller, use Mixpanel and AWS, process account IDs, usage events, IP addresses, and support metadata. Review the attached RoPA extract, LIA, DPA list, retention schedule, and privacy notice. Identify audit-facing gaps by GDPR Article, evidence needed, and owner-ready remediation questions.”

Practical workflow for complete prompts

Run the skill before the formal review meeting, not after decisions are fixed. A useful workflow is:

  1. Define the exact scope: annual audit, Article 30 refresh, high-risk launch, breach readiness, DPA investigation, or M&A diligence.
  2. Paste or attach the relevant artifacts instead of asking from memory.
  3. Ask the skill to answer each DPO forcing question with: finding, GDPR Article, evidence seen, evidence missing, risk, and next action.
  4. Separate facts from assumptions. If the model infers something, require it to label the inference.
  5. Convert the first output into a remediation tracker with owner, due date, evidence link, and audit status.

Tips that improve output quality

Ask for adversarial review, not reassurance. Phrases like “challenge our evidence,” “act as a DPO before supervisory authority engagement,” and “do not accept undocumented claims” usually produce better results than “summarize compliance.” If you have multiple processing activities, run gdpr-audit-prep separately for each one; Article 6 basis, retention, transfers, and DPIA logic often differ by purpose.

gdpr-audit-prep skill FAQ

Is gdpr-audit-prep suitable for beginners?

Yes, if the beginner has access to real privacy documents and understands the processing activity. The skill’s six-question structure makes GDPR review easier to start, but it will not teach every GDPR concept from scratch. Beginners should pair the output with legal or privacy professional review before making external claims.

When should I not use gdpr-audit-prep?

Do not use it as the only authority for legal interpretation, regulator correspondence, breach notification decisions, or final DPIA approval. It is also a poor fit for broad privacy program design, cookie banner implementation, CCPA-only reviews, or automated codebase scanning. Use it when the task is GDPR audit preparation and evidence challenge.

How is this different from a privacy checklist?

A checklist asks whether an item exists. The gdpr-audit-prep guide approach asks whether the item is defensible: dated, Article-aligned, tied to a specific processing purpose, and supported by records. That distinction matters because many GDPR audit failures are not total absence of documents; they are stale RoPAs, mixed lawful bases, unsupported legitimate interest claims, or undocumented cross-border transfers.

Does it work for processors and controllers?

Yes, but you must say which role applies. Article 30 requirements differ for controllers and processors, and the evidence expected for contracts, subprocessors, instructions, and joint controller arrangements changes materially. If your organization has both roles, split the review by processing relationship.

How to Improve gdpr-audit-prep skill

Improve gdpr-audit-prep with better evidence packs

The fastest way to improve gdpr-audit-prep results is to provide an evidence pack before asking for conclusions. Include file names, dates, document owners, and known gaps. For example: “RoPA updated 2024-11-02, LIA draft missing balancing test, SCCs signed with vendor but no TIA, retention rule says 24 months but deletion job not evidenced.” This helps the assistant distinguish audit findings from missing context.

Watch for common failure modes

The main failure mode is accepting vague compliance language. Push back on outputs that say “ensure appropriate measures” without naming the record, Article, control, or missing proof. Another failure is collapsing purposes together; one product workflow may involve account creation, billing, analytics, fraud prevention, and support, each with different lawful basis and retention logic.

Iterate from questions to remediation

After the first run, ask for a second pass that converts findings into an action plan. Useful follow-up prompt: “Turn the unresolved gdpr-audit-prep findings into a remediation table with priority, GDPR Article, required evidence, accountable team, suggested due date, and what would satisfy an auditor.” This makes the skill more operational for Compliance Review.

Add local policy context before final use

For production use, adapt the skill to your organization’s risk appetite and document standards. Add your RoPA template, DPIA threshold rules, breach escalation policy, vendor review criteria, transfer assessment method, and retention taxonomy. The skill becomes more reliable when it reviews against your actual compliance operating model instead of generic GDPR expectations.

Ratings & Reviews

No ratings yet
Share your review
Sign in to leave a rating and comment for this skill.
G
0/10000
Latest reviews
Saving...