gdpr-data-handling
by wshobson
The gdpr-data-handling skill helps teams turn GDPR requirements into practical review guidance for consent, lawful basis, data subject rights, retention, and privacy-by-design decisions.
This skill scores 68/100, which means it is acceptable to list for directory users who want a substantial GDPR implementation guide, but they should expect mostly document-based guidance rather than executable workflow support. The repository shows real coverage of consent, data subject rights, legal bases, and privacy-by-design use cases, yet it provides no scripts, references, install command, or supporting artifacts that would reduce execution guesswork further.
- Good triggerability: the description and 'When to Use This Skill' section clearly target EU personal data processing, consent management, DSR handling, compliance reviews, and privacy-first system design.
- Substantive workflow content: the skill is long and structured, with multiple sections covering personal data categories, lawful bases, and data subject rights rather than placeholder material.
- Practical compliance framing: it appears aimed at implementation decisions and reviews, which gives agents more reusable structure than a generic one-off GDPR prompt.
- Operational leverage is limited by format: there are no scripts, templates, checklists as separate assets, or machine-actionable rules to help an agent execute reliably.
- Trust and adoption clarity are constrained because the repository includes no references, source links, or explicit install/usage instructions in SKILL.md.
Overview of gdpr-data-handling skill
What the gdpr-data-handling skill does
The gdpr-data-handling skill helps an agent turn broad GDPR requirements into concrete implementation guidance for data processing, consent, data subject rights, retention, and privacy-by-design decisions. It is most useful when you need more than a generic “be GDPR compliant” prompt and want a structured way to review a product, workflow, or policy against common GDPR obligations.
Who should use it
Best-fit users are:
- product and engineering teams shipping features that process EU personal data
- compliance, legal-ops, and security reviewers doing an initial gap review
- founders or operators designing consent flows, DSR handling, or retention controls
- AI builders who need gdpr-data-handling for a compliance review before launch
If you already know the system you are reviewing but need a disciplined checklist and output structure, this skill is a strong fit.
Real job-to-be-done
Most users do not need a law-school summary of GDPR. They need help answering practical questions such as:
- what personal data categories are involved
- which legal basis is being claimed
- whether consent is actually needed
- which data subject rights must be supported
- where retention, deletion, and auditability are weak
- what remediation work should happen before release
That is the core value of the gdpr-data-handling skill.
What makes it different from a generic prompt
A normal prompt may produce broad privacy advice. This skill is more useful when you need the model to reason through GDPR-specific dimensions like:
- personal data categories, including special category and children's data
- lawful bases under Article 6
- data subject rights handling
- privacy by design expectations
- operational compliance tasks, not just policy text
The differentiator is structure: it gives the agent a better frame for compliance review work, especially when your input is messy.
What to know before installing
This skill appears to be a single-file guidance skill centered on SKILL.md, with no extra scripts or reference folders. That means adoption is easy, but output quality depends heavily on the facts you provide. It can accelerate review and drafting, but it does not replace legal counsel, jurisdiction-specific advice, or evidence gathering from your actual systems.
How to Use gdpr-data-handling skill
gdpr-data-handling install context
Install the skill from the repository that contains it:
npx skills add https://github.com/wshobson/agents --skill gdpr-data-handling
After install, invoke it from your agent environment the same way you use other skills in your workflow. Because the repository exposes only SKILL.md for this skill, there is little setup beyond installation and prompt preparation.
Read this file first
Start with:
plugins/hr-legal-compliance/skills/gdpr-data-handling/SKILL.md
Since there are no supporting references/, resources/, or scripts surfaced here, nearly all of the working guidance lives in that file. Read it before relying on the skill for a real review, especially if you need to understand its scope boundaries.
Best use cases in practice
Use gdpr-data-handling for tasks like:
- reviewing a new feature that collects or shares personal data
- checking whether a consent flow is actually necessary and valid
- mapping a product workflow to lawful bases
- assessing DSR readiness for access, deletion, or portability
- drafting a compliance review memo with risks and remediation items
- pressure-testing privacy-by-design claims before launch
It is strongest when the agent has concrete system facts, not just abstract intentions.
Inputs the skill needs to work well
Give the skill enough operational detail to reason about obligations. The most useful inputs are:
- what the product does
- which users are in scope, especially EU users or children
- what data fields are collected
- where data comes from and where it goes
- whether special category or criminal data is involved
- why each processing activity happens
- current consent and notice flows
- retention periods
- DSR handling process
- vendors, subprocessors, and transfer context
Weak input: “Review our app for GDPR.”
Strong input: “Review our hiring platform for GDPR. We collect name, email, CV, interview notes, optional disability accommodation details, and recruiter assessments. EU candidates can create accounts, upload documents, and request deletion. Data is stored in AWS EU-West, shared with a US email vendor and analytics provider. We currently rely on consent for marketing emails and contract necessity for application processing.”
Turn a rough goal into a strong prompt
A good gdpr-data-handling prompt usually has four parts:
- system description
- data inventory
- legal/compliance assumptions
- desired output format
Example prompt:
“Use the gdpr-data-handling skill to perform a compliance review of our employee wellness app. Identify personal data categories, likely legal bases, where explicit consent is required, DSR obligations, retention risks, and privacy-by-design gaps. Then produce a prioritized remediation list with high/medium/low severity and note assumptions where facts are missing.”
That prompt is better because it asks for classification, analysis, and prioritization rather than generic GDPR advice.
A practical workflow that saves time
A reliable workflow is:
- describe the system and users
- list data categories and processing purposes
- ask the agent to map each activity to a lawful basis
- ask for rights, consent, retention, and transfer implications
- request a gap list with severity and next actions
- revise with missing facts after the first pass
This staged approach works better than asking for a final policy or legal conclusion immediately.
What outputs to request
For implementation work, ask for outputs you can act on:
- processing activity table
- lawful basis map
- consent decision matrix
- DSR support checklist
- retention and deletion requirements
- privacy-by-design recommendations
- launch blockers vs non-blockers
- open questions for legal review
These formats make the gdpr-data-handling skill more useful to engineering and compliance teams than a narrative essay.
Where the skill is likely to help most
This skill adds the most value when your team needs an initial structured review but does not have a mature privacy playbook. It is especially useful for surfacing missing assumptions: teams often know what they collect, but not which legal basis they are actually relying on or how they would fulfill an access or deletion request end to end.
Constraints and tradeoffs
Because the skill is documentation-driven and has no bundled automation, it will not inspect your databases, logs, vendor contracts, or production configs by itself. It can reason from supplied facts and generate strong review artifacts, but it cannot verify implementation evidence. Treat it as a guided compliance analysis layer, not as an auditing system.
When ordinary prompting is enough
If you only need a short explanation of GDPR concepts, a general prompt may be enough. Install gdpr-data-handling when you want repeatable structure for implementation review, especially around legal basis selection, rights handling, and design decisions that have to become engineering tasks.
gdpr-data-handling skill FAQ
Is gdpr-data-handling good for beginners?
Yes, if you already understand your product. The skill helps beginners by organizing the review around practical GDPR concepts like lawful bases and rights. It is less helpful if you have not yet mapped your data flows, because the model will have to guess too much.
Can I use gdpr-data-handling for Compliance Review?
Yes. That is one of the best reasons to use it. The skill is well suited to first-pass compliance review of a feature, product, or workflow, especially when you want a gap list and remediation plan rather than a generic explanation of the regulation.
Does it replace a lawyer or DPO?
No. The gdpr-data-handling skill can help identify likely obligations, risks, and missing controls, but its output is not legal advice and does not validate that your interpretation will hold up with a regulator. Use it to improve preparation and reduce blind spots before legal review.
Is this only for consent management?
No. Consent is only one lawful basis, and many teams overuse it. The skill also helps with contract necessity, legitimate interests, legal obligation, privacy-by-design, DSR handling, and data classification. That broader framing is one reason to prefer it over a narrow consent-only checklist.
When should I not use this skill?
Skip it if:
- your task is purely non-EU privacy work with no GDPR angle
- you need automated evidence collection from systems
- you want jurisdiction-specific legal advice beyond the skill's scope
- you do not yet know what data your system processes
In those cases, first do data discovery or involve a specialist.
How is it different from a plain GDPR prompt?
A plain prompt often returns generic compliance language. gdpr-data-handling is better when you need the model to consistently inspect data categories, legal basis, rights, and implementation implications in one pass. The structure reduces omissions, especially in feature reviews.
How to Improve gdpr-data-handling skill
Give the skill a processing inventory, not a slogan
The biggest quality jump comes from replacing vague requests with a compact processing inventory. Include:
- actor: customer, employee, candidate, child, patient
- data: fields collected
- purpose: why processed
- basis: your current assumption
- movement: storage, sharing, transfers
- lifecycle: retention and deletion
This lets gdpr-data-handling produce analysis instead of speculation.
Flag high-risk categories early
Call out special category data, criminal data, children's data, large-scale monitoring, or cross-border transfers at the start of the prompt. These facts materially change the compliance analysis and often determine whether extra safeguards or deeper review are needed.
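The six inventory fields above and the high-risk flags in this section are easy to encode as a small linter, which also produces the severity-ranked gap list described under "What outputs to request". The following Python is an added example, not code from the gdpr-data-handling skill or the wshobson/agents repository: it models each processing activity with the actor/data/purpose/basis/movement/lifecycle fields, applies the checks this page calls out (missing or overused basis, special category and criminal data, children's data, unknown controller/processor role, non-EEA transfers without a recorded mechanism, missing retention or deletion process), and returns findings sorted with launch blockers first. The field names, category labels, the EEA subset and the sample hiring-platform inventory are assumptions constructed for illustration; the findings are prompts for legal/DPO review, not legal conclusions.

```python
# Lint a GDPR processing inventory into a severity-ranked gap list. Added example, not code from
# the gdpr-data-handling skill; field names, category labels, EEA subset and sample are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}                        # Art. 6(1)
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "ethnic_origin",          # Art. 9
                      "political_opinion", "religion", "trade_union", "sex_life"}
CRIMINAL = {"criminal"}                                                         # Art. 10
# Constructed subset of EEA country codes; complete it before real use.
EEA = {"IE", "DE", "FR", "NL", "ES", "IT", "SE", "PL", "BE", "AT", "NO", "IS", "LI"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Recipient:
    name: str
    country: str                              # ISO 3166-1 alpha-2
    role: Optional[str] = None                # "controller" | "processor" | None = unknown
    transfer_mechanism: Optional[str] = None  # e.g. "SCCs", "adequacy"; None = not recorded

@dataclass
class Activity:
    name: str
    actor: str                      # customer, employee, candidate, child, patient, ...
    data: Dict[str, str]            # field name -> category label, e.g. "health"
    purpose: str
    basis: Optional[str]            # the team's current assumption; None if undecided
    movement: List[Recipient] = field(default_factory=list)
    retention_days: Optional[int] = None
    deletion_process: bool = False
    special_condition: Optional[str] = None   # Art. 9(2) condition, if one is claimed

@dataclass
class Finding:
    activity: str
    severity: str      # high | medium | low
    kind: str          # "gap": fact missing from the inventory; "review": needs legal input
    issue: str
    next_action: str

def lint_activity(a: Activity) -> List[Finding]:
    """Apply the high-risk signals listed on this page to one processing activity."""
    out: List[Finding] = []

    def add(sev: str, kind: str, issue: str, action: str) -> None:
        out.append(Finding(a.name, sev, kind, issue, action))

    # Lawful basis: missing, not an Art. 6 basis, or consent (often overused).
    if a.basis is None:
        add("high", "gap", "no lawful basis recorded", "decide and document the Art. 6 basis")
    elif a.basis not in LAWFUL_BASES:
        add("high", "gap", f"'{a.basis}' is not an Art. 6 basis", "map it to an Art. 6(1) basis")
    elif a.basis == "consent":
        add("medium", "review", "relies on consent",
            "confirm consent is necessary and valid (specific, informed, withdrawable)")

    # High-risk data categories and data subjects.
    categories = set(a.data.values())
    special = categories & SPECIAL_CATEGORIES
    if special and not a.special_condition:
        add("high", "gap", f"special category data ({', '.join(sorted(special))}) "
            "without an Art. 9(2) condition", "record the condition or stop collecting")
    if categories & CRIMINAL:
        add("high", "review", "criminal offence data present", "confirm Art. 10 authorisation")
    if a.actor == "child":
        add("high", "review", "children's data", "verify age checks and parental consent handling")

    # Movement: controller/processor roles and transfers outside the EEA.
    for r in a.movement:
        if r.role is None:
            add("medium", "gap", f"role of {r.name} undetermined", "document controller vs processor")
        if r.country not in EEA and not r.transfer_mechanism:
            add("high", "gap", f"transfer to {r.name} ({r.country}) without a recorded mechanism",
                "record the transfer tool (e.g. SCCs, adequacy decision)")

    # Lifecycle: retention and end-to-end erasure.
    if a.retention_days is None:
        add("high", "gap", "no retention period", "set a retention period and deletion trigger")
    if not a.deletion_process:
        add("medium", "gap", "no deletion process", "define how erasure reaches every recipient")
    return out

def gap_list(inventory: List[Activity]) -> List[Finding]:
    findings = [f for a in inventory for f in lint_activity(a)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.activity))

# Constructed sample: the hiring platform from the strong-input example on this page.
SAMPLE = [
    Activity("application_processing", "candidate",
             {"name": "identity", "email": "contact", "cv": "identity",
              "interview_notes": "assessment", "disability_accommodation": "health"},
             "assess applications", "contract",
             [Recipient("AWS eu-west-1", "IE", "processor")], deletion_process=True),
    Activity("marketing_email", "candidate", {"email": "contact"}, "send job alerts", "consent",
             [Recipient("US email vendor", "US", "processor")], 365, True),
    Activity("product_analytics", "candidate", {"device_id": "online_identifier"},
             "measure usage", None, [Recipient("analytics provider", "US")]),
]

if __name__ == "__main__":
    print(*gap_list(SAMPLE), sep="\n")
```

On the sample, the linter returns nine findings: six high (the undocumented Art. 9(2) condition for disability data, two missing retention periods, two US transfers with no recorded mechanism, and the analytics activity with no lawful basis at all) followed by three medium items. Keeping "gap" items (facts the inventory lacks) apart from "review" items (questions for legal or the DPO) is the same separation of assumptions from conclusions that the next section recommends.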
Ask for assumptions to be separated from conclusions
A common failure mode is false certainty. Improve output by asking the agent to label:
- confirmed facts
- assumptions
- likely obligations
- unresolved legal questions
That separation makes the result safer to circulate internally.
Request remediation in implementation language
Do not stop at “identify GDPR risks.” Ask for:
- required controls
- owner suggestions
- priority level
- evidence to collect
- proposed product or process changes
This turns gdpr-data-handling into an execution tool for engineering and compliance teams.
Compare current state vs target state
For stronger results, supply what already exists:
- consent banner or account flow
- privacy notice summary
- retention rules
- deletion process
- vendor list
- security controls
Then ask the skill to compare current state against target GDPR expectations. Gap analysis is much more actionable than a generic checklist.
Iterate after the first output
Use the first run to expose missing facts. Then follow up with prompts like:
- “Reassess legal bases now that analytics is optional and disabled by default for EU users.”
- “Update the review assuming disability information is processed only when candidates request accommodations.”
- “Prioritize remediation items that block launch in the next 30 days.”
This second pass is often where the gdpr-data-handling skill becomes genuinely decision-useful.
Watch for these common failure modes
Poor results usually come from:
- unclear data categories
- no distinction between controller and processor roles
- assuming consent is always required
- ignoring retention and deletion operations
- forgetting vendor sharing or international transfers
- asking for a final legal answer without enough facts
Fix those inputs before blaming the skill.
Pair it with repository-specific context
If you are reviewing an actual codebase or product, paste architecture notes, API fields, signup flows, and vendor docs into the prompt. The skill itself is general guidance; your system context is what turns it into a meaningful review.
Use gdpr-data-handling as a review layer, not a checkbox
The best way to improve gdpr-data-handling outcomes is to use it as part of a living workflow: design review, pre-launch review, DSR readiness checks, and post-change reassessment. Teams get more value when they revisit the analysis after product changes instead of treating the first output as final.
