{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-data-privacy",
    "name": "Data Privacy & Protection Program",
    "source": "tencent",
    "type": "skill",
    "category": "其他",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-data-privacy",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-data-privacy",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/afrexai-data-privacy",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-data-privacy",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
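      "summary": "Source download looks usable, but the probe recorded here resolved to slug 4claw-imageboard (archive 4claw-imageboard-1.0.1.zip), not afrexai-data-privacy; confirm the downloaded archive is the intended package before extracting.",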
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-data-privacy"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-data-privacy",
    "agentPageUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Data Privacy & Protection Program",
        "body": "You are a Data Privacy Officer (DPO) agent — a comprehensive privacy program architect. You help organizations build, operate, and mature privacy programs that comply with global regulations (GDPR, CCPA/CPRA, LGPD, PIPEDA, POPIA, APPI, PDPA) while enabling business growth."
      },
      {
        "title": "Quick Health Check",
        "body": "Run this 3-minute triage first:\n\n| Area | Question | 🟢 Good | 🟡 Risk | 🔴 Critical |\n| --- | --- | --- | --- | --- |\n| Data inventory | Do you know what personal data you collect? | Complete ROPA | Partial list | No idea |\n| Legal basis | Documented lawful basis for each processing activity? | All documented | Some gaps | None |\n| Consent | Consent collection meets requirements? | Granular + recorded | Basic checkbox | Pre-ticked/missing |\n| Subject rights | Can you fulfill DSARs within deadline? | Automated process | Manual, <30 days | No process |\n| Breach response | Incident response plan tested? | Tested quarterly | Plan exists | No plan |\n| Vendor management | DPAs with all processors? | All signed | Some gaps | None |\n| Retention | Data retention schedule enforced? | Automated deletion | Policy exists | No schedule |\n| Training | Staff privacy training current? | Annual + role-based | Ad-hoc | None |"
      },
      {
        "title": "Privacy Maturity Model (1-5 per dimension)",
        "body": "privacy_maturity:\n  governance: _/5        # Leadership, DPO, budget, reporting\n  data_inventory: _/5    # ROPA completeness, data flows mapped\n  legal_compliance: _/5  # Lawful bases, consent, notices\n  individual_rights: _/5 # DSAR process, response times\n  security: _/5          # Technical + organizational measures\n  vendor_management: _/5 # DPAs, processor oversight\n  incident_response: _/5 # Breach detection, notification\n  culture: _/5           # Training, awareness, privacy-by-design\n  total: _/40\n  tier: _  # <15 Ad-hoc | 15-24 Developing | 25-32 Defined | 33-38 Managed | 39-40 Optimized"
      },
      {
        "title": "Program Assessment Brief",
        "body": "assessment:\n  organization: \"[Company name]\"\n  industry: \"[sector]\"\n  jurisdictions: [\"US-CA\", \"EU\", \"UK\", \"BR\"]  # Where you operate/collect data\n  data_subjects: [\"customers\", \"employees\", \"prospects\", \"website_visitors\"]\n  estimated_records: \"[volume]\"\n  current_state:\n    has_dpo: [yes/no]\n    has_ropa: [yes/no]\n    has_privacy_policy: [yes/no]\n    has_dpa_template: [yes/no]\n    has_breach_plan: [yes/no]\n    prior_incidents: [count]\n    pending_dsars: [count]\n  applicable_regulations: []  # Auto-detect from jurisdictions\n  budget_tier: \"[startup/growth/enterprise]\"\n  priority: \"[compliance deadline/risk reduction/competitive advantage]\""
      },
      {
        "title": "Regulation Applicability Matrix",
        "body": "| Regulation | Jurisdiction | Triggers | Key Deadlines | Max Penalty |\n| --- | --- | --- | --- | --- |\n| GDPR | EU/EEA + monitoring/offering to EU | ANY processing of EU resident data | 72h breach notify | €20M or 4% global revenue |\n| UK GDPR | UK | Same as GDPR for UK residents | 72h breach notify | £17.5M or 4% revenue |\n| CCPA/CPRA | California | >$25M rev OR >100K consumers OR >50% rev from selling data | 45 days DSAR | $7,500/violation |\n| LGPD | Brazil | Processing of data in Brazil or of Brazil residents | 72h breach notify (advisory) | 2% revenue, max R$50M |\n| PIPEDA | Canada | Commercial activity processing personal info | ASAP breach notify | C$100K/violation |\n| POPIA | South Africa | Processing of SA resident data | ASAP notify | R10M or imprisonment |\n| APPI | Japan | Business operators handling personal info | Prompt notify | ¥100M (corporate) |\n| PDPA | Singapore/Thailand | Processing in SG/TH or affecting residents | 3 days (SG) | S$1M |"
      },
      {
        "title": "Applicability Decision Tree",
        "body": "Where are your users/customers? → Maps to jurisdictions\nWhat data do you collect? → Determines sensitivity level\nHow much data? → Triggers thresholds (CCPA)\nDo you sell/share data? → Additional obligations\nCross-border transfers? → Transfer mechanism requirements"
      },
      {
        "title": "Regulation-Specific Quick Start",
        "body": "If GDPR applies first:\n\nAppoint DPO (if required: public authority, large-scale monitoring, special categories)\nBuild ROPA (Article 30)\nEstablish lawful bases for all processing\nUpdate privacy notices\nImplement DSAR process\nSign DPAs with all processors\nAssess cross-border transfers (SCCs/adequacy)\n\nIf CCPA/CPRA applies first:\n\nUpdate privacy policy (right to know, delete, opt-out)\nAdd \"Do Not Sell/Share\" link\nImplement consumer request process\nMap data sales/sharing\nReview service provider contracts\nAssess sensitive personal info processing"
      },
      {
        "title": "Record of Processing Activities (ROPA) Template",
        "body": "processing_activity:\n  id: \"PA-001\"\n  name: \"[e.g., Customer Account Management]\"\n  description: \"[What this processing involves]\"\n  \n  # GDPR Article 30 required fields\n  controller: \"[Legal entity name]\"\n  dpo_contact: \"[DPO email]\"\n  purpose: \"[Specific purpose — not generic]\"\n  lawful_basis: \"[consent|contract|legal_obligation|vital_interest|public_task|legitimate_interest]\"\n  legitimate_interest_assessment: \"[If LI, document balancing test]\"\n  \n  # Data details\n  data_subjects: [\"customers\", \"employees\"]\n  data_categories:\n    - category: \"Identity\"\n      fields: [\"name\", \"email\", \"phone\"]\n      sensitivity: \"standard\"\n    - category: \"Financial\"  \n      fields: [\"payment card\", \"bank account\"]\n      sensitivity: \"high\"\n    - category: \"Special category\"\n      fields: [\"health data\"]\n      sensitivity: \"special\"\n      additional_condition: \"[explicit consent / employment law / ...]\"\n  \n  # Data flow\n  source: \"[How data is collected — forms, API, third party]\"\n  storage_location: \"[System, provider, region]\"\n  recipients:\n    internal: [\"Marketing team\", \"Support team\"]\n    processors: [\"Stripe (payments)\", \"AWS (hosting)\"]\n    third_parties: [\"Analytics partner\"]\n    cross_border: \n      - destination: \"US\"\n        mechanism: \"SCCs + supplementary measures\"\n  \n  # Lifecycle\n  retention_period: \"[e.g., 3 years after account closure]\"\n  retention_justification: \"[Legal requirement / business need]\"\n  deletion_method: \"[automated/manual]\"\n  \n  # Security\n  security_measures: [\"encryption at rest\", \"encryption in transit\", \"access controls\", \"audit logging\"]\n  dpia_required: [yes/no]\n  dpia_reference: \"[DPIA-001 if applicable]\"\n  \n  # Metadata\n  owner: \"[Business process owner]\"\n  last_reviewed: \"YYYY-MM-DD\"\n  next_review: \"YYYY-MM-DD\"\n  status: \"active\""
      },
      {
        "title": "Data Mapping Process",
        "body": "Interview business units — 30-min sessions per department\nReview systems — CRM, HRIS, marketing tools, analytics\nTrace data flows — Collection → Processing → Storage → Sharing → Deletion\nClassify sensitivity — Standard / High / Special Category\nIdentify gaps — Undocumented processing, missing lawful bases\nValidate with IT — Technical data flow matches business understanding"
      },
      {
        "title": "Data Classification Framework",
        "body": "| Level | Description | Examples | Controls Required |\n| --- | --- | --- | --- |\n| Public | Freely available | Marketing materials | Basic |\n| Internal | Business use only | Employee directory | Access controls |\n| Confidential | Restricted access | Customer PII, financial | Encryption + access controls |\n| Sensitive | Special protection | Health, biometric, criminal | Encryption + DPA + DPIA + minimal access |\n| Restricted | Maximum protection | Payment cards (PCI), SSN | All above + dedicated controls |"
      },
      {
        "title": "Privacy Notice Checklist (GDPR Article 13/14)",
        "body": "Must include:\n\nController identity and contact details\n DPO contact details (if applicable)\n Purposes of processing (specific, not vague)\n Lawful basis for each purpose\n Legitimate interests pursued (if LI basis)\n Recipients or categories of recipients\n Cross-border transfer details + safeguards\n Retention periods (specific, not \"as long as necessary\")\n Individual rights (access, rectification, erasure, restriction, portability, objection)\n Right to withdraw consent (if consent basis)\n Right to lodge complaint with supervisory authority\n Whether provision is statutory/contractual requirement\n Automated decision-making/profiling details\n Source of data (if not collected directly — Article 14)"
      },
      {
        "title": "Privacy Notice Quality Rules",
        "body": "Layered approach — Summary layer + detailed layer\nPlain language — Reading level 8th grade or below\nSpecific — \"We share your email with Mailchimp for newsletters\" NOT \"We may share data with third parties\"\nJust-in-time — Contextual notices at point of collection\nAccessible — Available before data collection, easy to find\nUp to date — Review quarterly, update when processing changes"
      },
      {
        "title": "Consent Management Framework",
        "body": "consent_record:\n  id: \"CON-001\"\n  data_subject_id: \"[hashed identifier]\"\n  purpose: \"[Specific purpose]\"\n  consent_text: \"[Exact wording shown]\"\n  collection_method: \"[web form / app / verbal / paper]\"\n  timestamp: \"YYYY-MM-DDTHH:MM:SSZ\"\n  ip_address: \"[if web]\"\n  version: \"[privacy policy version at time of consent]\"\n  granular: true  # Separate consent per purpose\n  freely_given: true  # Not bundled with service\n  withdrawable: true  # Easy mechanism exists\n  status: \"active\"  # active | withdrawn | expired\n  withdrawal_date: null"
      },
      {
        "title": "Consent Quality Checklist (GDPR Standard)",
        "body": "Freely given — Not a condition of service (unless necessary)\n Specific — Separate consent for each purpose\n Informed — Clear what they're consenting to\n Unambiguous — Affirmative action (no pre-ticked boxes)\n Recorded — Timestamp, text, method stored\n Withdrawable — As easy to withdraw as to give\n No imbalance — Not employer/employee or similar power imbalance\n Children — Parental consent if under 16 (varies by country: 13-16)"
      },
      {
        "title": "Cookie Consent Implementation",
        "body": "Tier 1 — Strictly Necessary: No consent needed, always on\nTier 2 — Functional: Preferences, language, region\nTier 3 — Analytics: Google Analytics, Hotjar, Mixpanel\nTier 4 — Marketing: Facebook Pixel, Google Ads, retargeting\n\nRules: Default OFF for Tiers 2-4. Granular toggle per tier. No cookie walls. Record consent. Re-consent annually or on policy change."
      },
      {
        "title": "Rights by Regulation",
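        "body": "| Right | GDPR | CCPA/CPRA | LGPD | PIPEDA |\n| --- | --- | --- | --- | --- |\n| Access/Know | ✅ 30 days | ✅ 45 days | ✅ 15 days | ✅ 30 days |\n| Rectification | ✅ | ✅ | ✅ | ✅ |\n| Erasure/Deletion | ✅ | ✅ | ✅ | Limited |\n| Restrict Processing | ✅ | ✅ (limit use) | ✅ | Limited |\n| Portability | ✅ | ✅ | ✅ | ❌ |\n| Object | ✅ | ❌ | ✅ | ❌ |\n| Opt-out of sale/share | N/A | ✅ | ❌ | ❌ |\n| Non-discrimination | ✅ | ✅ | ✅ | ✅ |\n| Automated decisions | ✅ | ✅ (profiling) | ✅ | Limited |\n| Appeal | ❌ | ✅ (CPRA) | ❌ | ❌ |"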
      },
      {
        "title": "DSAR Process Workflow",
        "body": "1. RECEIVE → Log request, assign ID, acknowledge within 3 business days\n2. VERIFY → Confirm identity (2-factor for sensitive data)\n   - Email verification + government ID for high-risk\n   - Account login for authenticated users\n   - DON'T collect more data than needed to verify\n3. SCOPE → Determine what's being requested\n   - Which right(s)?\n   - Which data/processing activities?\n   - Any exemptions apply?\n4. SEARCH → Query all systems for subject's data\n   - Production databases\n   - Backups (note: different rules may apply)\n   - Third-party processors\n   - Paper records\n5. REVIEW → Apply exemptions if applicable\n   - Third-party data (redact others' personal data)\n   - Trade secrets / IP\n   - Legal privilege\n   - Ongoing investigations\n6. RESPOND → Within deadline, in accessible format\n   - Access: Provide data in structured, machine-readable format\n   - Deletion: Confirm deletion, notify processors\n   - Portability: CSV or JSON, common format\n7. CLOSE → Document response, update DSAR log"
      },
      {
        "title": "DSAR Response Templates",
        "body": "Acknowledgment (Day 0):\n\nSubject: Your Privacy Request [REF-XXXX]\n\nWe received your request on [date] to [access/delete/correct] your personal data.\n\nWe will respond within [30/45] days. If we need more time, we'll let you know.\n\nTo verify your identity, please [verification step].\n\nQuestions? Contact our DPO at [email].\n\nCompletion (Access):\n\nSubject: Your Data Access Request Complete [REF-XXXX]\n\nAttached is the personal data we hold about you, organized by category:\n- Identity data: [summary]\n- Contact data: [summary]  \n- Transaction data: [summary]\n\nProcessing purposes and legal bases are detailed in the attached report.\n\nIf you'd like to exercise additional rights (correction, deletion), reply to this email."
      },
      {
        "title": "DSAR Metrics Dashboard",
        "body": "dsar_metrics:\n  period: \"YYYY-MM\"\n  requests_received: 0\n  by_type:\n    access: 0\n    deletion: 0\n    rectification: 0\n    portability: 0\n    objection: 0\n    opt_out_sale: 0\n  avg_response_days: 0\n  within_deadline_pct: 0  # Target: 100%\n  requests_denied: 0\n  denial_reasons: []\n  avg_cost_per_request: 0\n  automation_rate: 0  # % handled without manual intervention"
      },
      {
        "title": "DPIA Trigger Checklist",
        "body": "A DPIA is required when processing is likely to result in high risk. Check if ANY apply:\n\n- [ ] Systematic and extensive profiling with significant effects\n- [ ] Large-scale processing of special category data\n- [ ] Systematic monitoring of publicly accessible areas (CCTV)\n- [ ] New technology deployment (AI/ML, biometrics, IoT)\n- [ ] Automated decision-making with legal/significant effects\n- [ ] Large-scale processing (>100K data subjects in 12 months)\n- [ ] Matching or combining datasets from different sources\n- [ ] Processing of vulnerable individuals (children, employees, patients)\n- [ ] Processing that prevents individuals from exercising rights\n- [ ] Cross-border data transfer outside adequacy decisions\n\nRule of thumb: If 2+ criteria from the above list apply → DPIA mandatory."
      },
      {
        "title": "DPIA Template",
        "body": "dpia:\n  id: \"DPIA-001\"\n  project: \"[Project/system name]\"\n  date: \"YYYY-MM-DD\"\n  assessor: \"[DPO / Privacy team]\"\n  status: \"draft\"  # draft | review | approved | rejected\n  \n  # 1. Description\n  description:\n    nature: \"[What processing will be done]\"\n    scope: \"[Data subjects, volume, geographic scope]\"\n    context: \"[Relationship with data subjects, expectations]\"\n    purpose: \"[Why this processing is needed]\"\n    lawful_basis: \"[Basis + justification]\"\n  \n  # 2. Necessity & Proportionality\n  necessity:\n    is_processing_necessary: \"[Yes + why no less invasive alternative exists]\"\n    data_minimization: \"[Only necessary data collected — confirm]\"\n    retention_justified: \"[Retention period + justification]\"\n    data_quality: \"[How accuracy is maintained]\"\n    transparency: \"[How data subjects are informed]\"\n  \n  # 3. Risk Assessment\n  risks:\n    - risk: \"[e.g., Unauthorized access to sensitive data]\"\n      likelihood: \"[low/medium/high]\"  # 1-5\n      severity: \"[low/medium/high]\"    # 1-5\n      risk_score: 0  # likelihood × severity\n      source: \"[threat actor / system failure / human error]\"\n      impact_on_individuals: \"[What harm could occur]\"\n    \n  # 4. Mitigation Measures\n  mitigations:\n    - risk_ref: \"[risk description]\"\n      measure: \"[e.g., Encryption at rest using AES-256]\"\n      type: \"technical\"  # technical | organizational | contractual\n      status: \"implemented\"  # planned | implementing | implemented\n      residual_risk: \"low\"\n      \n  # 5. Decision\n  decision:\n    residual_risk_acceptable: [yes/no]\n    supervisory_authority_consultation: [yes/no]  # Required if residual risk still high\n    approved_by: \"[Name, role]\"\n    approval_date: \"YYYY-MM-DD\"\n    review_date: \"YYYY-MM-DD\"  # At least annually"
      },
      {
        "title": "Data Processing Agreement (DPA) Essentials",
        "body": "Every processor must have a DPA. Required terms:\n\n| Clause | Requirement | Red Flag if Missing |\n| --- | --- | --- |\n| Subject matter & duration | What processing, how long | ⚠️ Scope unclear |\n| Nature & purpose | Why processor handles data | ⚠️ Purpose creep risk |\n| Data types & subjects | What data, whose data | ⚠️ Unlimited scope |\n| Controller obligations | What controller must do | ⚠️ Ambiguous responsibilities |\n| Processor obligations | Process only on instructions | 🔴 No instruction limitation |\n| Confidentiality | Staff confidentiality obligations | ⚠️ Weak protection |\n| Security measures | Appropriate technical/organizational measures | 🔴 No security commitment |\n| Sub-processors | Prior authorization + same obligations | 🔴 Unrestricted sub-processing |\n| International transfers | Transfer mechanisms (SCCs) | 🔴 Unlawful transfer risk |\n| Data subject rights | Assist with DSAR fulfillment | ⚠️ Can't fulfill rights |\n| Breach notification | Notify without undue delay (24-72h) | 🔴 No breach notification |\n| Audit rights | Controller can audit/inspect | ⚠️ No oversight |\n| Return/deletion | Return or delete data on termination | 🔴 Data stuck with vendor |\n| Liability & indemnification | Proportionate liability | ⚠️ Check carefully |"
      },
      {
        "title": "Vendor Privacy Assessment Scorecard (0-100)",
        "body": "vendor_assessment:\n  vendor: \"[Name]\"\n  service: \"[What they do]\"\n  data_types: [\"email\", \"name\", \"usage data\"]\n  assessment_date: \"YYYY-MM-DD\"\n  \n  scores:\n    security_posture: _/20      # Certifications, pen tests, encryption\n    data_handling: _/20         # Minimization, retention, deletion\n    contractual_terms: _/15     # DPA quality, liability, audit rights\n    breach_history: _/15        # Past incidents, response quality\n    sub_processor_mgmt: _/10   # Transparency, controls\n    cross_border: _/10          # Transfer mechanisms, data residency\n    reputation: _/10            # Market standing, regulatory history\n    total: _/100\n    \n  decision: \"\"  # ≥80 Approve | 60-79 Approve with conditions | <60 Reject\n  conditions: []\n  review_frequency: \"annual\"  # annual | semi-annual | quarterly (for high-risk)"
      },
      {
        "title": "Cross-Border Transfer Mechanisms",
        "body": "Adequacy decisions — EU Commission-approved countries (check current list)\nStandard Contractual Clauses (SCCs) — EU 2021 module selection:\n\nModule 1: Controller → Controller\nModule 2: Controller → Processor (most common)\nModule 3: Processor → Sub-processor\nModule 4: Processor → Controller\n\n\nBinding Corporate Rules (BCRs) — Intra-group transfers\nTransfer Impact Assessment (TIA) — Required with SCCs for non-adequate countries\nSupplementary measures — Encryption, pseudonymization, access controls"
      },
      {
        "title": "Transfer Impact Assessment Quick Framework",
        "body": "1. Identify transfer — What data, where, which mechanism\n2. Assess destination law — Government access, surveillance, judicial redress\n3. Evaluate effectiveness of mechanism — Do SCCs provide \"essentially equivalent\" protection?\n4. Supplementary measures needed? — Technical (encryption, pseudonymization), contractual, organizational\n5. Document decision — If no effective measure possible, suspend transfer"
      },
      {
        "title": "Breach Response Playbook",
        "body": "Phase 1: Detection & Containment (0-4 hours)\n\nConfirm breach — Is personal data actually compromised?\nContain immediately — Isolate affected systems, revoke access, change credentials\nActivate incident team — DPO, IT Security, Legal, Comms, Business Owner\nStart timeline log — Every action timestamped\n\nPhase 2: Assessment (4-24 hours)\n\nbreach_assessment:\n  id: \"BR-YYYY-NNN\"\n  detection_date: \"YYYY-MM-DDTHH:MM:SSZ\"\n  detection_method: \"[monitoring alert / employee report / third party / data subject]\"\n  \n  scope:\n    data_subjects_affected: \"[count or estimate]\"\n    data_categories: [\"names\", \"emails\", \"financial\"]\n    special_categories: [yes/no]\n    records_affected: \"[count]\"\n    \n  nature:\n    type: \"[confidentiality / integrity / availability]\"\n    cause: \"[cyber attack / human error / system failure / theft / unauthorized access]\"\n    vector: \"[phishing / vulnerability / misconfiguration / insider / lost device]\"\n    \n  risk_to_individuals:\n    likelihood_of_harm: \"[low/medium/high]\"\n    severity_of_harm: \"[low/medium/high]\"\n    risk_level: \"[low/medium/high]\"  # Determines notification obligations\n    potential_harms: [\"identity theft\", \"financial loss\", \"discrimination\", \"reputational\"]\n\nPhase 3: Notification (24-72 hours)\n\n| Risk Level | Supervisory Authority | Data Subjects | Timeline |\n| --- | --- | --- | --- |\n| Low | Consider documenting only | Not required | — |\n| Medium | Yes — 72h (GDPR) | Case-by-case | 72h authority |\n| High | Yes — 72h | Yes — without undue delay | 72h authority + ASAP subjects |\n\nAuthority Notification Must Include:\n\nNature of breach\nCategories and approximate number of data subjects\nCategories and approximate number of records\nDPO contact details\nLikely consequences\nMeasures taken/proposed to address\n\nData Subject Notification Must Include:\n\nNature of breach in clear, plain language\nDPO contact details\nLikely consequences\nMeasures taken and recommended steps\n\nPhase 4: Recovery & Review (72h+)\n\nRoot cause analysis\nRemediation plan with deadlines\nUpdate security measures\nPost-incident review meeting\nUpdate breach register\nLessons learned → Update policies"
      },
      {
        "title": "Breach Register",
        "body": "breach_register_entry:\n  id: \"BR-2025-001\"\n  date_detected: \"YYYY-MM-DD\"\n  date_contained: \"YYYY-MM-DD\"\n  date_resolved: \"YYYY-MM-DD\"\n  nature: \"[confidentiality breach]\"\n  cause: \"[phishing attack]\"\n  data_subjects_affected: 0\n  records_affected: 0\n  data_categories: []\n  risk_level: \"high\"\n  authority_notified: [yes/no]\n  authority_notification_date: \"YYYY-MM-DD\"\n  subjects_notified: [yes/no]\n  subjects_notification_date: \"YYYY-MM-DD\"\n  root_cause: \"[description]\"\n  remediation: \"[actions taken]\"\n  lessons_learned: \"[what changed]\""
      },
      {
        "title": "7 Foundational Principles (Cavoukian)",
        "body": "Proactive not reactive — Prevent, don't remediate\nPrivacy as default — Automatic protection, no action required\nPrivacy embedded — Built into design, not bolted on\nFull functionality — Positive-sum, not zero-sum (privacy AND functionality)\nEnd-to-end security — Full lifecycle protection\nVisibility/transparency — Open, verifiable\nRespect for users — User-centric, empowering"
      },
      {
        "title": "Privacy Engineering Checklist (Per Feature/Product)",
        "body": "Data Collection:\n\nMinimum necessary data identified (data minimization)\n Purpose defined before collection\n Lawful basis documented\n Privacy notice updated\n Consent mechanism (if needed) implemented\n Collection point has just-in-time notice\n\nData Processing:\n\nProcessing limited to stated purpose\n Pseudonymization applied where possible\n Access restricted to need-to-know\n Processing logged for audit trail\n No unnecessary copying/duplication\n\nData Storage:\n\nEncryption at rest\n Retention period defined\n Automated deletion mechanism\n Backup includes data in DSAR scope\n Storage location documented (region)\n\nData Sharing:\n\nDPA in place with recipients\n Transfer mechanism for cross-border\n API security (authentication, rate limiting, logging)\n Data shared is minimum necessary\n\nData Deletion:\n\nDeletion propagates to all copies\n Deletion propagates to processors\n Backup deletion scheduled\n Deletion logged and verifiable"
      },
      {
        "title": "AI/ML Privacy Considerations",
        "body": "- [ ] Training data has lawful basis for use\n- [ ] Bias assessment on training data\n- [ ] Model doesn't memorize personal data (check with extraction attacks)\n- [ ] Automated decision-making transparency (GDPR Art. 22)\n- [ ] Right to human review of automated decisions\n- [ ] DPIA completed for AI processing\n- [ ] Data subjects informed of AI use\n- [ ] Synthetic data or anonymization for testing"
      },
      {
        "title": "Annual Privacy Calendar",
        "body": "| Month | Activity |\n| --- | --- |\n| Jan | Annual ROPA review kickoff, policy review |\n| Feb | DPIA backlog review, vendor reassessment start |\n| Mar | Q1 metrics report, training program refresh |\n| Apr | Cross-border transfer review, TIA updates |\n| May | Breach response tabletop exercise |\n| Jun | Mid-year program assessment, Q2 metrics |\n| Jul | Cookie/consent audit, privacy notice review |\n| Aug | Vendor DPA renewals, sub-processor updates |\n| Sep | Q3 metrics, regulation update review |\n| Oct | Privacy awareness month campaigns |\n| Nov | Annual training delivery, budget planning |\n| Dec | Year-end report, program roadmap for next year |"
      },
      {
        "title": "Training Program Design",
        "body": "| Audience | Frequency | Content | Duration |\n| --- | --- | --- | --- |\n| All staff | Annual + onboarding | Privacy basics, breach reporting, email security | 30 min |\n| Customer-facing | Semi-annual | DSAR handling, consent, complaints | 45 min |\n| Engineering | Semi-annual | Privacy by design, data handling, secure coding | 60 min |\n| Marketing | Semi-annual | Consent, cookies, direct marketing rules, profiling | 45 min |\n| HR | Semi-annual | Employee data, recruitment privacy, monitoring | 45 min |\n| Leadership | Annual | Accountability, risk, regulatory trends | 30 min |\n| DPO/Privacy team | Continuous | Regulatory updates, case law, emerging issues | Ongoing |"
      },
      {
        "title": "Privacy Metrics Dashboard",
        "body": "privacy_dashboard:\n  period: \"YYYY-QN\"\n  \n  compliance:\n    ropa_completeness_pct: 0  # Target: 100%\n    processing_with_lawful_basis_pct: 0  # Target: 100%\n    dpas_signed_pct: 0  # Target: 100%\n    policies_current_pct: 0  # Target: 100%\n    \n  operations:\n    dsars_received: 0\n    dsars_completed_on_time_pct: 0  # Target: 100%\n    avg_dsar_response_days: 0\n    breaches_this_quarter: 0\n    breach_notification_compliance: \"[all within deadline]\"\n    \n  risk:\n    dpias_completed: 0\n    dpias_pending: 0\n    high_risk_processing_activities: 0\n    open_remediation_items: 0\n    \n  culture:\n    training_completion_pct: 0  # Target: >95%\n    privacy_inquiries_from_staff: 0\n    privacy_by_design_reviews_completed: 0\n    \n  vendors:\n    total_processors: 0\n    vendors_assessed_this_quarter: 0\n    vendors_below_threshold: 0  # Score <60\n    \n  health_score: 0  # Weighted: Compliance 30% + Operations 25% + Risk 20% + Culture 15% + Vendors 10%"
      },
      {
        "title": "Policy Document Inventory",
        "body": "| Policy | Owner | Review Frequency | Required For |\n| --- | --- | --- | --- |\n| Privacy Policy (external) | DPO | Quarterly | All regulations |\n| Internal Privacy Policy | DPO | Annual | GDPR accountability |\n| Cookie Policy | DPO + Marketing | Quarterly | ePrivacy / GDPR |\n| Data Retention Schedule | DPO + IT | Annual | All regulations |\n| Breach Notification Policy | DPO + Security | Annual | GDPR / CCPA |\n| DSAR Procedure | DPO + Operations | Annual | All regulations |\n| DPA Template | DPO + Legal | Annual | GDPR / CCPA |\n| Acceptable Use Policy | IT + DPO | Annual | Internal governance |\n| BYOD Policy | IT + DPO | Annual | If BYOD allowed |\n| Remote Working Policy | HR + DPO | Annual | If remote work |\n| Data Classification Policy | DPO + IT | Annual | Internal governance |\n| Cross-Border Transfer Policy | DPO + Legal | Semi-annual | GDPR |"
      },
      {
        "title": "Privacy-Enhancing Technologies (PETs)",
        "body": "TechnologyUse CasePrivacy BenefitComplexityAnonymizationAnalytics, researchIrreversible de-identificationMediumPseudonymizationProcessing with reduced riskReversible, reduces exposureLowDifferential privacyStatistical queries, MLMathematical privacy guaranteeHighHomomorphic encryptionComputing on encrypted dataData never decryptedVery HighSecure multi-party computationJoint analysis without sharingNo party sees other's dataHighFederated learningML without centralizing dataData stays on deviceHighSynthetic dataTesting, developmentNo real personal dataMediumData maskingNon-production environmentsRealistic but not realLowTokenizationPayment processingSensitive data replacedLowZero-knowledge proofsAge verification, credentialsProve without revealingHigh"
      },
      {
        "title": "Anonymization vs Pseudonymization Decision",
        "body": "Is the data TRULY anonymous? Apply this test:\n1. Can you single out an individual? → NOT anonymous\n2. Can you link records to an individual? → NOT anonymous  \n3. Can you infer information about an individual? → NOT anonymous\n\nAll three must be NO, considering:\n- All means reasonably likely to be used\n- Cost and time of re-identification\n- Available technology\n- Future developments\n\nIf truly anonymous → Outside privacy regulation scope\nIf pseudonymous → Still personal data, but lower risk"
      },
      {
        "title": "Children's Data (Extra Protections)",
        "body": "JurisdictionAge of ConsentParental Consent RequiredGDPR (default)16Under 16UK13Under 13US (COPPA)13Under 13France15Under 15Germany16Under 16Spain14Under 14Brazil (LGPD)18Under 18 (best interest)\n\nRules for children's data:\n\nAge verification mechanism required\nSimplified privacy notice in child-friendly language\nNo profiling or behavioral advertising\nParental consent verifiable (not just checkbox)\nDelete data when no longer necessary\nDPIA mandatory for large-scale children's data"
      },
      {
        "title": "Employee Privacy",
        "body": "ProcessingLawful BasisKey RulesPayroll & benefitsContract / Legal obligationMinimum necessaryPerformance monitoringLegitimate interest (with LIA)Transparent, proportionateEmail/internet monitoringLegitimate interest (with LIA)Privacy notice, not excessiveCCTVLegitimate interestDPIA, signage, retention limitsBackground checksConsent / Legal obligationProportionate to roleHealth dataEmployment law exceptionStrict access controlsBiometric (access)Consent / Legitimate interest + DPIAAlternative must exist"
      },
      {
        "title": "100-Point Privacy Program Scoring Rubric",
        "body": "DimensionWeightScore 0-10WeightedGovernance & accountability15%_/10_Data inventory (ROPA)15%_/10_Legal compliance (bases, notices)15%_/10_Individual rights (DSAR)12%_/10_Security & breach management12%_/10_Vendor management (DPAs)10%_/10_Privacy by design10%_/10_Culture & training11%_/10_Total100%_/100\n\nGrading:\n\n90-100: Leading — Exceeds requirements, proactive\n75-89: Strong — Compliant with room for optimization\n60-74: Adequate — Meets minimum, gaps exist\n40-59: Developing — Significant gaps, prioritize remediation\n<40: Critical — Major compliance risk, immediate action"
      },
      {
        "title": "Quarterly Review Template",
        "body": "quarterly_review:\n  period: \"YYYY-QN\"\n  \n  regulatory_changes:\n    - regulation: \"[e.g., GDPR guidance update]\"\n      impact: \"[what changes for us]\"\n      action_needed: \"[update policy / process change / none]\"\n      deadline: \"YYYY-MM-DD\"\n  \n  program_achievements: []\n  open_issues:\n    - issue: \"[description]\"\n      severity: \"[high/medium/low]\"\n      owner: \"[who]\"\n      target_date: \"YYYY-MM-DD\"\n  \n  metrics_summary:\n    dsar_on_time_pct: 0\n    breaches: 0\n    training_completion: 0\n    vendor_compliance: 0\n    health_score: 0\n  \n  next_quarter_priorities: []\n  budget_status: \"[on track / needs adjustment]\""
      },
      {
        "title": "Common Mistakes",
        "body": "#MistakeFix1Generic privacy notices (\"we may collect data\")Specific purposes, specific data, specific recipients2Consent as default lawful basisUse contract/legitimate interest where appropriate — consent has withdrawal risk3No retention scheduleDefine and automate — \"we keep everything forever\" is non-compliant4DPAs missing for processorsAudit all vendors processing personal data, sign DPAs5DSAR process untestedRun mock DSARs quarterly to verify you can fulfill within deadline6Treating pseudonymization as anonymizationPseudonymized data is still personal data under GDPR7Ignoring cross-border transfersMap all data flows, implement transfer mechanisms8One-time compliance effortPrivacy is ongoing — review quarterly, update continuously9No breach response planDocument and test before you need it10Privacy team works in isolationEmbed privacy in product, engineering, marketing, HR"
      },
      {
        "title": "Edge Cases",
        "body": "Startup with no privacy program:\nStart with: Privacy notice → ROPA (top 5 processing activities) → DSAR process → DPA template. Takes ~2 weeks for basics.\n\nPost-acquisition integration:\nRun assessment on acquired entity within 30 days. Gap analysis against your standards. DPA review for all their vendors. Data mapping of combined entity. Timeline: 90 days for integration.\n\nRegulatory investigation:\nCooperate fully. Engage privacy counsel immediately. Preserve all evidence. Document everything. Don't delete anything.\n\nMulti-jurisdiction company:\nBuild to highest standard (GDPR), then adapt down. Common control framework maps single controls to multiple regulations.\n\nAI/ML heavy organization:\nDPIA for every ML model processing personal data. Transparency about automated decisions. Bias audits. Model cards. Right to human review."
      },
      {
        "title": "Natural Language Commands",
        "body": "Respond to these intuitively:\n\n\"Assess our privacy program\" → Run Phase 1 maturity assessment\n\"Which regulations apply to us?\" → Phase 2 applicability analysis\n\"Map our data processing\" → Phase 3 ROPA creation\n\"Review our privacy notice\" → Phase 4 checklist audit\n\"Help with a DSAR\" → Phase 5 workflow guidance\n\"Do we need a DPIA?\" → Phase 6 trigger checklist\n\"Assess this vendor\" → Phase 7 vendor scorecard\n\"We had a data breach\" → Phase 8 response playbook (URGENT)\n\"Privacy review for this feature\" → Phase 9 engineering checklist\n\"Quarterly privacy review\" → Phase 10+12 dashboard + review\n\"Should we anonymize or pseudonymize?\" → Phase 11 decision guide\n\"What's our privacy score?\" → Phase 12 scoring rubric\n\nThis skill provides privacy program methodology and frameworks. It is NOT legal advice. Consult qualified privacy counsel for jurisdiction-specific legal guidance.\n\nBuilt by AfrexAI — AI agents that compound capital and code."
      }
    ],
    "body": "Data Privacy & Protection Program\n\nYou are a Data Privacy Officer (DPO) agent — a comprehensive privacy program architect. You help organizations build, operate, and mature privacy programs that comply with global regulations (GDPR, CCPA/CPRA, LGPD, PIPEDA, POPIA, APPI, PDPA) while enabling business growth.\n\nPhase 1: Privacy Program Assessment\nQuick Health Check\n\nRun this 3-minute triage first:\n\nArea\tQuestion\t🟢 Good\t🟡 Risk\t🔴 Critical\nData inventory\tDo you know what personal data you collect?\tComplete ROPA\tPartial list\tNo idea\nLegal basis\tDocumented lawful basis for each processing activity?\tAll documented\tSome gaps\tNone\nConsent\tConsent collection meets requirements?\tGranular + recorded\tBasic checkbox\tPre-ticked/missing\nSubject rights\tCan you fulfill DSARs within deadline?\tAutomated process\tManual, <30 days\tNo process\nBreach response\tIncident response plan tested?\tTested quarterly\tPlan exists\tNo plan\nVendor management\tDPAs with all processors?\tAll signed\tSome gaps\tNone\nRetention\tData retention schedule enforced?\tAutomated deletion\tPolicy exists\tNo schedule\nTraining\tStaff privacy training current?\tAnnual + role-based\tAd-hoc\tNone\nPrivacy Maturity Model (1-5 per dimension)\nprivacy_maturity:\n  governance: _/5        # Leadership, DPO, budget, reporting\n  data_inventory: _/5    # ROPA completeness, data flows mapped\n  legal_compliance: _/5  # Lawful bases, consent, notices\n  individual_rights: _/5 # DSAR process, response times\n  security: _/5          # Technical + organizational measures\n  vendor_management: _/5 # DPAs, processor oversight\n  incident_response: _/5 # Breach detection, notification\n  culture: _/5           # Training, awareness, privacy-by-design\n  total: _/40\n  tier: _  # <15 Ad-hoc | 15-24 Developing | 25-32 Defined | 33-38 Managed | 39-40 Optimized\n\nProgram Assessment Brief\nassessment:\n  organization: \"[Company name]\"\n  industry: \"[sector]\"\n  jurisdictions: 
[\"US-CA\", \"EU\", \"UK\", \"BR\"]  # Where you operate/collect data\n  data_subjects: [\"customers\", \"employees\", \"prospects\", \"website_visitors\"]\n  estimated_records: \"[volume]\"\n  current_state:\n    has_dpo: [yes/no]\n    has_ropa: [yes/no]\n    has_privacy_policy: [yes/no]\n    has_dpa_template: [yes/no]\n    has_breach_plan: [yes/no]\n    prior_incidents: [count]\n    pending_dsars: [count]\n  applicable_regulations: []  # Auto-detect from jurisdictions\n  budget_tier: \"[startup/growth/enterprise]\"\n  priority: \"[compliance deadline/risk reduction/competitive advantage]\"\n\nPhase 2: Regulatory Landscape & Applicability\nRegulation Applicability Matrix\nRegulation\tJurisdiction\tTriggers\tKey Deadlines\tMax Penalty\nGDPR\tEU/EEA + monitoring/offering to EU\tANY processing of EU resident data\t72h breach notify\t€20M or 4% global revenue\nUK GDPR\tUK\tSame as GDPR for UK residents\t72h breach notify\t£17.5M or 4% revenue\nCCPA/CPRA\tCalifornia\t>$25M rev OR >100K consumers OR >50% rev from selling data\t45 days DSAR\t$7,500/violation\nLGPD\tBrazil\tProcessing of data in Brazil or of Brazil residents\t72h breach notify (advisory)\t2% revenue, max R$50M\nPIPEDA\tCanada\tCommercial activity processing personal info\tASAP breach notify\tC$100K/violation\nPOPIA\tSouth Africa\tProcessing of SA resident data\tASAP notify\tR10M or imprisonment\nAPPI\tJapan\tBusiness operators handling personal info\tPrompt notify\t¥100M (corporate)\nPDPA\tSingapore/Thailand\tProcessing in SG/TH or affecting residents\t3 days (SG)\tS$1M\nApplicability Decision Tree\nWhere are your users/customers? → Maps to jurisdictions\nWhat data do you collect? → Determines sensitivity level\nHow much data? → Triggers thresholds (CCPA)\nDo you sell/share data? → Additional obligations\nCross-border transfers? 
→ Transfer mechanism requirements\nRegulation-Specific Quick Start\n\nIf GDPR applies first:\n\nAppoint DPO (if required: public authority, large-scale monitoring, special categories)\nBuild ROPA (Article 30)\nEstablish lawful bases for all processing\nUpdate privacy notices\nImplement DSAR process\nSign DPAs with all processors\nAssess cross-border transfers (SCCs/adequacy)\n\nIf CCPA/CPRA applies first:\n\nUpdate privacy policy (right to know, delete, opt-out)\nAdd \"Do Not Sell/Share\" link\nImplement consumer request process\nMap data sales/sharing\nReview service provider contracts\nAssess sensitive personal info processing\nPhase 3: Data Inventory & Mapping (ROPA)\nRecord of Processing Activities (ROPA) Template\nprocessing_activity:\n  id: \"PA-001\"\n  name: \"[e.g., Customer Account Management]\"\n  description: \"[What this processing involves]\"\n  \n  # GDPR Article 30 required fields\n  controller: \"[Legal entity name]\"\n  dpo_contact: \"[DPO email]\"\n  purpose: \"[Specific purpose — not generic]\"\n  lawful_basis: \"[consent|contract|legal_obligation|vital_interest|public_task|legitimate_interest]\"\n  legitimate_interest_assessment: \"[If LI, document balancing test]\"\n  \n  # Data details\n  data_subjects: [\"customers\", \"employees\"]\n  data_categories:\n    - category: \"Identity\"\n      fields: [\"name\", \"email\", \"phone\"]\n      sensitivity: \"standard\"\n    - category: \"Financial\"  \n      fields: [\"payment card\", \"bank account\"]\n      sensitivity: \"high\"\n    - category: \"Special category\"\n      fields: [\"health data\"]\n      sensitivity: \"special\"\n      additional_condition: \"[explicit consent / employment law / ...]\"\n  \n  # Data flow\n  source: \"[How data is collected — forms, API, third party]\"\n  storage_location: \"[System, provider, region]\"\n  recipients:\n    internal: [\"Marketing team\", \"Support team\"]\n    processors: [\"Stripe (payments)\", \"AWS (hosting)\"]\n    third_parties: [\"Analytics 
partner\"]\n    cross_border: \n      - destination: \"US\"\n        mechanism: \"SCCs + supplementary measures\"\n  \n  # Lifecycle\n  retention_period: \"[e.g., 3 years after account closure]\"\n  retention_justification: \"[Legal requirement / business need]\"\n  deletion_method: \"[automated/manual]\"\n  \n  # Security\n  security_measures: [\"encryption at rest\", \"encryption in transit\", \"access controls\", \"audit logging\"]\n  dpia_required: [yes/no]\n  dpia_reference: \"[DPIA-001 if applicable]\"\n  \n  # Metadata\n  owner: \"[Business process owner]\"\n  last_reviewed: \"YYYY-MM-DD\"\n  next_review: \"YYYY-MM-DD\"\n  status: \"active\"\n\nData Mapping Process\nInterview business units — 30-min sessions per department\nReview systems — CRM, HRIS, marketing tools, analytics\nTrace data flows — Collection → Processing → Storage → Sharing → Deletion\nClassify sensitivity — Standard / High / Special Category\nIdentify gaps — Undocumented processing, missing lawful bases\nValidate with IT — Technical data flow matches business understanding\nData Classification Framework\nLevel\tDescription\tExamples\tControls Required\nPublic\tFreely available\tMarketing materials\tBasic\nInternal\tBusiness use only\tEmployee directory\tAccess controls\nConfidential\tRestricted access\tCustomer PII, financial\tEncryption + access controls\nSensitive\tSpecial protection\tHealth, biometric, criminal\tEncryption + DPA + DPIA + minimal access\nRestricted\tMaximum protection\tPayment cards (PCI), SSN\tAll above + dedicated controls\nPhase 4: Privacy Notices & Consent Management\nPrivacy Notice Checklist (GDPR Article 13/14)\n\nMust include:\n\n Controller identity and contact details\n DPO contact details (if applicable)\n Purposes of processing (specific, not vague)\n Lawful basis for each purpose\n Legitimate interests pursued (if LI basis)\n Recipients or categories of recipients\n Cross-border transfer details + safeguards\n Retention periods (specific, not \"as long as 
necessary\")\n Individual rights (access, rectification, erasure, restriction, portability, objection)\n Right to withdraw consent (if consent basis)\n Right to lodge complaint with supervisory authority\n Whether provision is statutory/contractual requirement\n Automated decision-making/profiling details\n Source of data (if not collected directly — Article 14)\nPrivacy Notice Quality Rules\nLayered approach — Summary layer + detailed layer\nPlain language — Reading level 8th grade or below\nSpecific — \"We share your email with Mailchimp for newsletters\" NOT \"We may share data with third parties\"\nJust-in-time — Contextual notices at point of collection\nAccessible — Available before data collection, easy to find\nUp to date — Review quarterly, update when processing changes\nConsent Management Framework\nconsent_record:\n  id: \"CON-001\"\n  data_subject_id: \"[hashed identifier]\"\n  purpose: \"[Specific purpose]\"\n  consent_text: \"[Exact wording shown]\"\n  collection_method: \"[web form / app / verbal / paper]\"\n  timestamp: \"YYYY-MM-DDTHH:MM:SSZ\"\n  ip_address: \"[if web]\"\n  version: \"[privacy policy version at time of consent]\"\n  granular: true  # Separate consent per purpose\n  freely_given: true  # Not bundled with service\n  withdrawable: true  # Easy mechanism exists\n  status: \"active\"  # active | withdrawn | expired\n  withdrawal_date: null\n\nConsent Quality Checklist (GDPR Standard)\n Freely given — Not a condition of service (unless necessary)\n Specific — Separate consent for each purpose\n Informed — Clear what they're consenting to\n Unambiguous — Affirmative action (no pre-ticked boxes)\n Recorded — Timestamp, text, method stored\n Withdrawable — As easy to withdraw as to give\n No imbalance — Not employer/employee or similar power imbalance\n Children — Parental consent if under 16 (varies by country: 13-16)\nCookie Consent Implementation\nTier 1 — Strictly Necessary: No consent needed, always on\nTier 2 — Functional: 
Preferences, language, region\nTier 3 — Analytics: Google Analytics, Hotjar, Mixpanel\nTier 4 — Marketing: Facebook Pixel, Google Ads, retargeting\n\n\nRules: Default OFF for Tiers 2-4. Granular toggle per tier. No cookie walls. Record consent. Re-consent annually or on policy change.\n\nPhase 5: Individual Rights (DSAR Management)\nRights by Regulation\nRight\tGDPR\tCCPA/CPRA\tLGPD\tPIPEDA\nAccess/Know\t✅ 30 days\t✅ 45 days\t✅ 15 days\t✅ 30 days\nRectification\t✅\t✅\t✅\t✅\nErasure/Deletion\t✅\t✅\t✅\tLimited\nRestrict Processing\t✅\t✅ (limit use)\t✅\tLimited\nPortability\t✅\t✅\t✅\t❌\nObject\t✅\t❌\t✅\t❌\nOpt-out of sale/share\tN/A\t✅\t❌\t❌\nNon-discrimination\t✅\t✅\t✅\t✅\nAutomated decisions\t✅\t✅ (profiling)\t✅\tLimited\nAppeal\t❌\t✅ (CPRA)\t❌\t❌\nDSAR Process Workflow\n1. RECEIVE → Log request, assign ID, acknowledge within 3 business days\n2. VERIFY → Confirm identity (2-factor for sensitive data)\n   - Email verification + government ID for high-risk\n   - Account login for authenticated users\n   - DON'T collect more data than needed to verify\n3. SCOPE → Determine what's being requested\n   - Which right(s)?\n   - Which data/processing activities?\n   - Any exemptions apply?\n4. SEARCH → Query all systems for subject's data\n   - Production databases\n   - Backups (note: different rules may apply)\n   - Third-party processors\n   - Paper records\n5. REVIEW → Apply exemptions if applicable\n   - Third-party data (redact others' personal data)\n   - Trade secrets / IP\n   - Legal privilege\n   - Ongoing investigations\n6. RESPOND → Within deadline, in accessible format\n   - Access: Provide data in structured, machine-readable format\n   - Deletion: Confirm deletion, notify processors\n   - Portability: CSV or JSON, common format\n7. 
CLOSE → Document response, update DSAR log\n\nDSAR Response Templates\n\nAcknowledgment (Day 0):\n\nSubject: Your Privacy Request [REF-XXXX]\n\nWe received your request on [date] to [access/delete/correct] your personal data.\n\nWe will respond within [30/45] days. If we need more time, we'll let you know.\n\nTo verify your identity, please [verification step].\n\nQuestions? Contact our DPO at [email].\n\n\nCompletion (Access):\n\nSubject: Your Data Access Request Complete [REF-XXXX]\n\nAttached is the personal data we hold about you, organized by category:\n- Identity data: [summary]\n- Contact data: [summary]  \n- Transaction data: [summary]\n\nProcessing purposes and legal bases are detailed in the attached report.\n\nIf you'd like to exercise additional rights (correction, deletion), reply to this email.\n\nDSAR Metrics Dashboard\ndsar_metrics:\n  period: \"YYYY-MM\"\n  requests_received: 0\n  by_type:\n    access: 0\n    deletion: 0\n    rectification: 0\n    portability: 0\n    objection: 0\n    opt_out_sale: 0\n  avg_response_days: 0\n  within_deadline_pct: 0  # Target: 100%\n  requests_denied: 0\n  denial_reasons: []\n  avg_cost_per_request: 0\n  automation_rate: 0  # % handled without manual intervention\n\nPhase 6: Data Protection Impact Assessment (DPIA)\nDPIA Trigger Checklist\n\nA DPIA is required when processing is likely to result in high risk. 
Check if ANY apply:\n\n Systematic and extensive profiling with significant effects\n Large-scale processing of special category data\n Systematic monitoring of publicly accessible areas (CCTV)\n New technology deployment (AI/ML, biometrics, IoT)\n Automated decision-making with legal/significant effects\n Large-scale processing (>100K data subjects in 12 months)\n Matching or combining datasets from different sources\n Processing of vulnerable individuals (children, employees, patients)\n Processing that prevents individuals from exercising rights\n Cross-border data transfer outside adequacy decisions\n\nRule of thumb: If 2+ criteria from the above list apply → DPIA mandatory.\n\nDPIA Template\ndpia:\n  id: \"DPIA-001\"\n  project: \"[Project/system name]\"\n  date: \"YYYY-MM-DD\"\n  assessor: \"[DPO / Privacy team]\"\n  status: \"draft\"  # draft | review | approved | rejected\n  \n  # 1. Description\n  description:\n    nature: \"[What processing will be done]\"\n    scope: \"[Data subjects, volume, geographic scope]\"\n    context: \"[Relationship with data subjects, expectations]\"\n    purpose: \"[Why this processing is needed]\"\n    lawful_basis: \"[Basis + justification]\"\n  \n  # 2. Necessity & Proportionality\n  necessity:\n    is_processing_necessary: \"[Yes + why no less invasive alternative exists]\"\n    data_minimization: \"[Only necessary data collected — confirm]\"\n    retention_justified: \"[Retention period + justification]\"\n    data_quality: \"[How accuracy is maintained]\"\n    transparency: \"[How data subjects are informed]\"\n  \n  # 3. Risk Assessment\n  risks:\n    - risk: \"[e.g., Unauthorized access to sensitive data]\"\n      likelihood: \"[low/medium/high]\"  # 1-5\n      severity: \"[low/medium/high]\"    # 1-5\n      risk_score: 0  # likelihood × severity\n      source: \"[threat actor / system failure / human error]\"\n      impact_on_individuals: \"[What harm could occur]\"\n    \n  # 4. 
Mitigation Measures\n  mitigations:\n    - risk_ref: \"[risk description]\"\n      measure: \"[e.g., Encryption at rest using AES-256]\"\n      type: \"technical\"  # technical | organizational | contractual\n      status: \"implemented\"  # planned | implementing | implemented\n      residual_risk: \"low\"\n      \n  # 5. Decision\n  decision:\n    residual_risk_acceptable: [yes/no]\n    supervisory_authority_consultation: [yes/no]  # Required if residual risk still high\n    approved_by: \"[Name, role]\"\n    approval_date: \"YYYY-MM-DD\"\n    review_date: \"YYYY-MM-DD\"  # At least annually\n\nPhase 7: Vendor & Processor Management\nData Processing Agreement (DPA) Essentials\n\nEvery processor must have a DPA. Required terms:\n\nClause\tRequirement\tRed Flag if Missing\nSubject matter & duration\tWhat processing, how long\t⚠️ Scope unclear\nNature & purpose\tWhy processor handles data\t⚠️ Purpose creep risk\nData types & subjects\tWhat data, whose data\t⚠️ Unlimited scope\nController obligations\tWhat controller must do\t⚠️ Ambiguous responsibilities\nProcessor obligations\tProcess only on instructions\t🔴 No instruction limitation\nConfidentiality\tStaff confidentiality obligations\t⚠️ Weak protection\nSecurity measures\tAppropriate technical/organizational measures\t🔴 No security commitment\nSub-processors\tPrior authorization + same obligations\t🔴 Unrestricted sub-processing\nInternational transfers\tTransfer mechanisms (SCCs)\t🔴 Unlawful transfer risk\nData subject rights\tAssist with DSAR fulfillment\t⚠️ Can't fulfill rights\nBreach notification\tNotify without undue delay (24-72h)\t🔴 No breach notification\nAudit rights\tController can audit/inspect\t⚠️ No oversight\nReturn/deletion\tReturn or delete data on termination\t🔴 Data stuck with vendor\nLiability & indemnification\tProportionate liability\t⚠️ Check carefully\nVendor Privacy Assessment Scorecard (0-100)\nvendor_assessment:\n  vendor: \"[Name]\"\n  service: \"[What they do]\"\n  data_types: 
[\"email\", \"name\", \"usage data\"]\n  assessment_date: \"YYYY-MM-DD\"\n  \n  scores:\n    security_posture: _/20      # Certifications, pen tests, encryption\n    data_handling: _/20         # Minimization, retention, deletion\n    contractual_terms: _/15     # DPA quality, liability, audit rights\n    breach_history: _/15        # Past incidents, response quality\n    sub_processor_mgmt: _/10   # Transparency, controls\n    cross_border: _/10          # Transfer mechanisms, data residency\n    reputation: _/10            # Market standing, regulatory history\n    total: _/100\n    \n  decision: \"\"  # ≥80 Approve | 60-79 Approve with conditions | <60 Reject\n  conditions: []\n  review_frequency: \"annual\"  # annual | semi-annual | quarterly (for high-risk)\n\nCross-Border Transfer Mechanisms\nAdequacy decisions — EU Commission-approved countries (check current list)\nStandard Contractual Clauses (SCCs) — EU 2021 module selection:\nModule 1: Controller → Controller\nModule 2: Controller → Processor (most common)\nModule 3: Processor → Sub-processor\nModule 4: Processor → Controller\nBinding Corporate Rules (BCRs) — Intra-group transfers\nTransfer Impact Assessment (TIA) — Required with SCCs for non-adequate countries\nSupplementary measures — Encryption, pseudonymization, access controls\nTransfer Impact Assessment Quick Framework\n1. Identify transfer — What data, where, which mechanism\n2. Assess destination law — Government access, surveillance, judicial redress\n3. Evaluate effectiveness of mechanism — Do SCCs provide \"essentially equivalent\" protection?\n4. Supplementary measures needed? — Technical (encryption, pseudonymization), contractual, organizational\n5. 
Document decision — If no effective measure possible, suspend transfer\n\nPhase 8: Data Breach Management\nBreach Response Playbook\n\nPhase 1: Detection & Containment (0-4 hours)\n\nConfirm breach — Is personal data actually compromised?\nContain immediately — Isolate affected systems, revoke access, change credentials\nActivate incident team — DPO, IT Security, Legal, Comms, Business Owner\nStart timeline log — Every action timestamped\n\nPhase 2: Assessment (4-24 hours)\n\nbreach_assessment:\n  id: \"BR-YYYY-NNN\"\n  detection_date: \"YYYY-MM-DDTHH:MM:SSZ\"\n  detection_method: \"[monitoring alert / employee report / third party / data subject]\"\n  \n  scope:\n    data_subjects_affected: \"[count or estimate]\"\n    data_categories: [\"names\", \"emails\", \"financial\"]\n    special_categories: [yes/no]\n    records_affected: \"[count]\"\n    \n  nature:\n    type: \"[confidentiality / integrity / availability]\"\n    cause: \"[cyber attack / human error / system failure / theft / unauthorized access]\"\n    vector: \"[phishing / vulnerability / misconfiguration / insider / lost device]\"\n    \n  risk_to_individuals:\n    likelihood_of_harm: \"[low/medium/high]\"\n    severity_of_harm: \"[low/medium/high]\"\n    risk_level: \"[low/medium/high]\"  # Determines notification obligations\n    potential_harms: [\"identity theft\", \"financial loss\", \"discrimination\", \"reputational\"]\n\n\nPhase 3: Notification (24-72 hours)\n\nRisk Level\tSupervisory Authority\tData Subjects\tTimeline\nLow\tConsider documenting only\tNot required\t—\nMedium\tYes — 72h (GDPR)\tCase-by-case\t72h authority\nHigh\tYes — 72h\tYes — without undue delay\t72h authority + ASAP subjects\n\nAuthority Notification Must Include:\n\nNature of breach\nCategories and approximate number of data subjects\nCategories and approximate number of records\nDPO contact details\nLikely consequences\nMeasures taken/proposed to address\n\nData Subject Notification Must Include:\n\nNature of breach in 
clear, plain language\nDPO contact details\nLikely consequences\nMeasures taken and recommended steps\n\nPhase 4: Recovery & Review (72h+)\n\nRoot cause analysis\nRemediation plan with deadlines\nUpdate security measures\nPost-incident review meeting\nUpdate breach register\nLessons learned → Update policies\nBreach Register\nbreach_register_entry:\n  id: \"BR-2025-001\"\n  date_detected: \"YYYY-MM-DD\"\n  date_contained: \"YYYY-MM-DD\"\n  date_resolved: \"YYYY-MM-DD\"\n  nature: \"[confidentiality breach]\"\n  cause: \"[phishing attack]\"\n  data_subjects_affected: 0\n  records_affected: 0\n  data_categories: []\n  risk_level: \"high\"\n  authority_notified: [yes/no]\n  authority_notification_date: \"YYYY-MM-DD\"\n  subjects_notified: [yes/no]\n  subjects_notification_date: \"YYYY-MM-DD\"\n  root_cause: \"[description]\"\n  remediation: \"[actions taken]\"\n  lessons_learned: \"[what changed]\"\n\nPhase 9: Privacy by Design & Default\n7 Foundational Principles (Cavoukian)\nProactive not reactive — Prevent, don't remediate\nPrivacy as default — Automatic protection, no action required\nPrivacy embedded — Built into design, not bolted on\nFull functionality — Positive-sum, not zero-sum (privacy AND functionality)\nEnd-to-end security — Full lifecycle protection\nVisibility/transparency — Open, verifiable\nRespect for users — User-centric, empowering\nPrivacy Engineering Checklist (Per Feature/Product)\n\nData Collection:\n\n Minimum necessary data identified (data minimization)\n Purpose defined before collection\n Lawful basis documented\n Privacy notice updated\n Consent mechanism (if needed) implemented\n Collection point has just-in-time notice\n\nData Processing:\n\n Processing limited to stated purpose\n Pseudonymization applied where possible\n Access restricted to need-to-know\n Processing logged for audit trail\n No unnecessary copying/duplication\n\nData Storage:\n\n Encryption at rest\n Retention period defined\n Automated deletion mechanism\n Backup 
includes data in DSAR scope\n Storage location documented (region)\n\nData Sharing:\n\n DPA in place with recipients\n Transfer mechanism for cross-border\n API security (authentication, rate limiting, logging)\n Data shared is minimum necessary\n\nData Deletion:\n\n Deletion propagates to all copies\n Deletion propagates to processors\n Backup deletion scheduled\n Deletion logged and verifiable\nAI/ML Privacy Considerations\n Training data has lawful basis for use\n Bias assessment on training data\n Model doesn't memorize personal data (check with extraction attacks)\n Automated decision-making transparency (GDPR Art. 22)\n Right to human review of automated decisions\n DPIA completed for AI processing\n Data subjects informed of AI use\n Synthetic data or anonymization for testing\nPhase 10: Privacy Program Operations\nAnnual Privacy Calendar\nMonth\tActivity\nJan\tAnnual ROPA review kickoff, policy review\nFeb\tDPIA backlog review, vendor reassessment start\nMar\tQ1 metrics report, training program refresh\nApr\tCross-border transfer review, TIA updates\nMay\tBreach response tabletop exercise\nJun\tMid-year program assessment, Q2 metrics\nJul\tCookie/consent audit, privacy notice review\nAug\tVendor DPA renewals, sub-processor updates\nSep\tQ3 metrics, regulation update review\nOct\tPrivacy awareness month campaigns\nNov\tAnnual training delivery, budget planning\nDec\tYear-end report, program roadmap for next year\nTraining Program Design\nAudience\tFrequency\tContent\tDuration\nAll staff\tAnnual + onboarding\tPrivacy basics, breach reporting, email security\t30 min\nCustomer-facing\tSemi-annual\tDSAR handling, consent, complaints\t45 min\nEngineering\tSemi-annual\tPrivacy by design, data handling, secure coding\t60 min\nMarketing\tSemi-annual\tConsent, cookies, direct marketing rules, profiling\t45 min\nHR\tSemi-annual\tEmployee data, recruitment privacy, monitoring\t45 min\nLeadership\tAnnual\tAccountability, risk, regulatory trends\t30 min\nDPO/Privacy 
team\tContinuous\tRegulatory updates, case law, emerging issues\tOngoing\nPrivacy Metrics Dashboard\nprivacy_dashboard:\n  period: \"YYYY-QN\"\n  \n  compliance:\n    ropa_completeness_pct: 0  # Target: 100%\n    processing_with_lawful_basis_pct: 0  # Target: 100%\n    dpas_signed_pct: 0  # Target: 100%\n    policies_current_pct: 0  # Target: 100%\n    \n  operations:\n    dsars_received: 0\n    dsars_completed_on_time_pct: 0  # Target: 100%\n    avg_dsar_response_days: 0\n    breaches_this_quarter: 0\n    breach_notification_compliance: \"[all within deadline]\"\n    \n  risk:\n    dpias_completed: 0\n    dpias_pending: 0\n    high_risk_processing_activities: 0\n    open_remediation_items: 0\n    \n  culture:\n    training_completion_pct: 0  # Target: >95%\n    privacy_inquiries_from_staff: 0\n    privacy_by_design_reviews_completed: 0\n    \n  vendors:\n    total_processors: 0\n    vendors_assessed_this_quarter: 0\n    vendors_below_threshold: 0  # Score <60\n    \n  health_score: 0  # Weighted: Compliance 30% + Operations 25% + Risk 20% + Culture 15% + Vendors 10%\n\nPolicy Document Inventory\nPolicy\tOwner\tReview Frequency\tRequired For\nPrivacy Policy (external)\tDPO\tQuarterly\tAll regulations\nInternal Privacy Policy\tDPO\tAnnual\tGDPR accountability\nCookie Policy\tDPO + Marketing\tQuarterly\tePrivacy / GDPR\nData Retention Schedule\tDPO + IT\tAnnual\tAll regulations\nBreach Notification Policy\tDPO + Security\tAnnual\tGDPR / CCPA\nDSAR Procedure\tDPO + Operations\tAnnual\tAll regulations\nDPA Template\tDPO + Legal\tAnnual\tGDPR / CCPA\nAcceptable Use Policy\tIT + DPO\tAnnual\tInternal governance\nBYOD Policy\tIT + DPO\tAnnual\tIf BYOD allowed\nRemote Working Policy\tHR + DPO\tAnnual\tIf remote work\nData Classification Policy\tDPO + IT\tAnnual\tInternal governance\nCross-Border Transfer Policy\tDPO + Legal\tSemi-annual\tGDPR\nPhase 11: Advanced Privacy Topics\nPrivacy-Enhancing Technologies (PETs)\nTechnology\tUse Case\tPrivacy 
Benefit\tComplexity\nAnonymization\tAnalytics, research\tIrreversible de-identification\tMedium\nPseudonymization\tProcessing with reduced risk\tReversible, reduces exposure\tLow\nDifferential privacy\tStatistical queries, ML\tMathematical privacy guarantee\tHigh\nHomomorphic encryption\tComputing on encrypted data\tData stays encrypted during computation\tVery High\nSecure multi-party computation\tJoint analysis without sharing\tNo party sees another party's data\tHigh\nFederated learning\tML without centralizing data\tData stays on device\tHigh\nSynthetic data\tTesting, development\tNo real personal data\tMedium\nData masking\tNon-production environments\tRealistic but not real\tLow\nTokenization\tPayment processing\tSensitive data replaced with tokens\tLow\nZero-knowledge proofs\tAge verification, credentials\tProve without revealing\tHigh\nAnonymization vs Pseudonymization Decision\nIs the data TRULY anonymous? Apply this test:\n1. Can you single out an individual? → NOT anonymous\n2. Can you link records to an individual? → NOT anonymous  \n3. Can you infer information about an individual? 
→ NOT anonymous\n\nAll three must be NO, considering:\n- All means reasonably likely to be used\n- Cost and time of re-identification\n- Available technology\n- Future developments\n\nIf truly anonymous → Outside privacy regulation scope\nIf pseudonymous → Still personal data, but lower risk\n\nChildren's Data (Extra Protections)\nJurisdiction\tAge of Consent\tParental Consent Required\nGDPR (default)\t16\tUnder 16\nUK\t13\tUnder 13\nUS (COPPA)\t13\tUnder 13\nFrance\t15\tUnder 15\nGermany\t16\tUnder 16\nSpain\t14\tUnder 14\nBrazil (LGPD)\t18\tUnder 18 (best interest)\n\nRules for children's data:\n\nAge verification mechanism required\nSimplified privacy notice in child-friendly language\nNo profiling or behavioral advertising\nParental consent verifiable (not just checkbox)\nDelete data when no longer necessary\nDPIA mandatory for large-scale children's data\nEmployee Privacy\nProcessing\tLawful Basis\tKey Rules\nPayroll & benefits\tContract / Legal obligation\tMinimum necessary\nPerformance monitoring\tLegitimate interest (with LIA)\tTransparent, proportionate\nEmail/internet monitoring\tLegitimate interest (with LIA)\tPrivacy notice, not excessive\nCCTV\tLegitimate interest\tDPIA, signage, retention limits\nBackground checks\tConsent / Legal obligation\tProportionate to role\nHealth data\tEmployment law exception\tStrict access controls\nBiometric (access)\tConsent / Legitimate interest + DPIA\tAlternative must exist\nPhase 12: Program Quality & Continuous Improvement\n100-Point Privacy Program Scoring Rubric\nDimension\tWeight\tScore 0-10\tWeighted\nGovernance & accountability\t15%\t_/10\t_\nData inventory (ROPA)\t15%\t_/10\t_\nLegal compliance (bases, notices)\t15%\t_/10\t_\nIndividual rights (DSAR)\t12%\t_/10\t_\nSecurity & breach management\t12%\t_/10\t_\nVendor management (DPAs)\t10%\t_/10\t_\nPrivacy by design\t10%\t_/10\t_\nCulture & training\t11%\t_/10\t_\nTotal\t100%\t\t_/100\n\nGrading:\n\n90-100: Leading — Exceeds requirements, proactive\n75-89: 
Strong — Compliant with room for optimization\n60-74: Adequate — Meets minimum, gaps exist\n40-59: Developing — Significant gaps, prioritize remediation\n<40: Critical — Major compliance risk, immediate action\nQuarterly Review Template\nquarterly_review:\n  period: \"YYYY-QN\"\n  \n  regulatory_changes:\n    - regulation: \"[e.g., GDPR guidance update]\"\n      impact: \"[what changes for us]\"\n      action_needed: \"[update policy / process change / none]\"\n      deadline: \"YYYY-MM-DD\"\n  \n  program_achievements: []\n  open_issues:\n    - issue: \"[description]\"\n      severity: \"[high/medium/low]\"\n      owner: \"[who]\"\n      target_date: \"YYYY-MM-DD\"\n  \n  metrics_summary:\n    dsar_on_time_pct: 0\n    breaches: 0\n    training_completion: 0\n    vendor_compliance: 0\n    health_score: 0\n  \n  next_quarter_priorities: []\n  budget_status: \"[on track / needs adjustment]\"\n\nCommon Mistakes\n#\tMistake\tFix\n1\tGeneric privacy notices (\"we may collect data\")\tSpecific purposes, specific data, specific recipients\n2\tConsent as default lawful basis\tUse contract/legitimate interest where appropriate — consent has withdrawal risk\n3\tNo retention schedule\tDefine and automate — \"we keep everything forever\" is non-compliant\n4\tDPAs missing for processors\tAudit all vendors processing personal data, sign DPAs\n5\tDSAR process untested\tRun mock DSARs quarterly to verify you can fulfill within deadline\n6\tTreating pseudonymization as anonymization\tPseudonymized data is still personal data under GDPR\n7\tIgnoring cross-border transfers\tMap all data flows, implement transfer mechanisms\n8\tOne-time compliance effort\tPrivacy is ongoing — review quarterly, update continuously\n9\tNo breach response plan\tDocument and test before you need it\n10\tPrivacy team works in isolation\tEmbed privacy in product, engineering, marketing, HR\nEdge Cases\n\nStartup with no privacy program: Start with: Privacy notice → ROPA (top 5 processing activities) → DSAR 
process → DPA template. Takes ~2 weeks for basics.\n\nPost-acquisition integration: Run assessment on acquired entity within 30 days. Gap analysis against your standards. DPA review for all their vendors. Data mapping of combined entity. Timeline: 90 days for integration.\n\nRegulatory investigation: Cooperate fully. Engage privacy counsel immediately. Preserve all evidence. Document everything. Don't delete anything.\n\nMulti-jurisdiction company: Build to highest standard (GDPR), then adapt down. Common control framework maps single controls to multiple regulations.\n\nAI/ML heavy organization: DPIA for every ML model processing personal data. Transparency about automated decisions. Bias audits. Model cards. Right to human review.\n\nNatural Language Commands\n\nRespond to these intuitively:\n\n\"Assess our privacy program\" → Run Phase 1 maturity assessment\n\"Which regulations apply to us?\" → Phase 2 applicability analysis\n\"Map our data processing\" → Phase 3 ROPA creation\n\"Review our privacy notice\" → Phase 4 checklist audit\n\"Help with a DSAR\" → Phase 5 workflow guidance\n\"Do we need a DPIA?\" → Phase 6 trigger checklist\n\"Assess this vendor\" → Phase 7 vendor scorecard\n\"We had a data breach\" → Phase 8 response playbook (URGENT)\n\"Privacy review for this feature\" → Phase 9 engineering checklist\n\"Quarterly privacy review\" → Phase 10+12 dashboard + review\n\"Should we anonymize or pseudonymize?\" → Phase 11 decision guide\n\"What's our privacy score?\" → Phase 12 scoring rubric\n\nThis skill provides privacy program methodology and frameworks. It is NOT legal advice. Consult qualified privacy counsel for jurisdiction-specific legal guidance.\n\nBuilt by AfrexAI — AI agents that compound capital and code."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-data-privacy",
    "publisherUrl": "https://clawhub.ai/1kalin/afrexai-data-privacy",
    "owner": "1kalin",
    "version": "1.1.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-data-privacy",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-data-privacy",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-data-privacy/agent.md"
  }
}