Skip to content

/cs:gdpr-audit-prep — GDPR DPO Forcing Questions

Compliance OS gdpr-audit-prep Source

Install: claude /plugin install compliance-os

Command: /cs:gdpr-audit-prep <scope>

The GDPR DPO auditor pressure-tests any privacy compliance work. Six Article-cited questions before any internal audit, breach response, DPA investigation, or acquisition due diligence.

When to Run

  • Before annual internal GDPR audit
  • Before quarterly Article 30 RoPA refresh
  • Before launching new high-risk processing (Article 35 DPIA required)
  • Post-breach (Articles 33-34)
  • Before DPA investigation response or supervisory authority engagement
  • During acquisition due diligence (target company privacy posture)
  • Quarterly during high-volume new-feature shipping

The Six DPO Questions

1. Show me the Article 30 RoPA — with last-updated date.

Most-cited finding area. - Must include all Article 30(1)(a)-(g) elements for controllers - Must include all Article 30(2)(a)-(d) elements for processors - Updated within reasonable time of changes (90 days expected) - Joint controller arrangements documented per Article 26

2. For this processing activity, what's the lawful basis under Article 6?

Article 6 is exclusive — pick ONE basis per purpose. - Six options: consent / contract / legal obligation / vital interests / public task / legitimate interests - Where "legitimate interests": LIA documented - Where "consent": records per Article 7; withdrawal mechanism - Special categories (Article 9) require an Article 9(2) exception

3. For high-risk processing, where's the DPIA per Article 35?

Required for high-risk; sample 3-5 activities. - Article 35(7)(a)-(d) required elements: - Systematic description of processing - Necessity + proportionality assessment - Risks to rights + freedoms - Measures to address risks - DPO consulted per Article 35(2) - Article 36 prior consultation triggered for residual high risk - For AI systems: integrates with EU AI Act Article 27 FRIA (cross-check with cs-ai-act-compliance)

4. Show me a DSAR from the last 30 days — and the response timing.

Articles 15-22 operational workflow. - Response within 1 month (Article 12(3)); extension up to 2 months for complex requests - Identity verification process documented - Right of access response includes all Article 15 information - Right to erasure (Article 17) workflow covers backups + processors

5. Show me Transfer Impact Assessments for the largest non-EU transfers.

Schrems II discipline. - Adequacy decision OR SCCs (Article 46) OR derogation (Article 49) - TIA per EDPB Recommendations 01/2020 + 02/2020 - Supplementary measures where TIA flagged risk - US transfers covered by EU-US Data Privacy Framework adequacy (Jul 2023) — verify list of certified entities

6. Show me the breach log per Article 33(5) — all breaches, not just notifiable ones.

Article 33(5) requires logging ALL breaches. - Internal breach detection mechanism documented - Article 33 DPA notification within 72 hours (where required) - Article 34 data subject notification (where high risk) - Root cause + corrective action via CAPA system - Cross-check with cs-ciso-iso27001 for A.5.24-27 incident management alignment

Workflow

# 1. Compliance posture
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/gdpr_compliance_checker.py compliance_state.json

# 2. DPIA for high-risk activities
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/dpia_generator.py processing_activity.json

# 3. DSAR workflow validation
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/data_subject_rights_tracker.py dsar_log.json

# 4. Cross-framework reuse with ISO 27001 + SOC 2 + ISO 42001
python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json

Output Format

# GDPR Audit Prep: <scope>
**Date:** YYYY-MM-DD
**Article Citations:** Every finding cites Article + paragraph; no paraphrase.

## The Decision Being Made
[RoPA-refresh | DPIA-required | DSAR-workflow | transfer-risk | breach-followup | DPA-readiness]

## Article 30 RoPA Status
- Last refresh: YYYY-MM-DD
- Required elements present: yes/no per processing activity
- Joint controller arrangements: documented/missing

## Article 6 Lawful Basis Discipline
- Activities reviewed: N
- Legitimate-interests claims without LIA: <list>
- Article 9 special categories with documented exception: yes/no

## Article 35 DPIA Quality
- High-risk activities requiring DPIA: <list>
- DPIAs complete per Article 35(7): pass/fail per activity
- Article 36 prior consultation triggered: <list>

## Data Subject Rights (Articles 12-22)
- DSARs in last 90 days: N
- Average response time: X days (target: ≤ 30)
- Right to erasure backup-processor flow: complete/incomplete

## Article 28 Processor Management
- Processors reviewed: N
- Contracts with all Article 28(3)(a)-(j) clauses: % complete
- Sub-processor flow-down notification mechanism: yes/no

## Schrems II Transfer Status
- Non-EU transfers: <list>
- Mechanism per transfer: adequacy / SCCs / derogation
- TIA on file: yes/no per transfer
- Supplementary measures where needed: <list>

## Article 33-34 Breach Discipline
- Breach log last 12 months: N
- Article 33 notification timing: ≤ 72h ratio
- Article 34 data subject notification (where high risk): on-time ratio

## Cross-Framework Impact
- ISO 27001 Article 32 alignment: clean / gaps
- EU AI Act Article 27 FRIA integration: applicable / not
- SOC 2 Privacy TSC alignment (if scope): clean / gaps

## Verdict
🟢 DPA-READY | 🟡 GAPS-IDENTIFIED | 🔴 NOT-READY

## Top 3 Actions
[3 concrete next steps with owner + Article-cited timeline]

## Outside Counsel Required
[Article-level ambiguities flagged: Schrems II supplementary measure adequacy, EU AI Act ↔ GDPR interaction, sectoral derogation interpretation, novel DPA enforcement]

Routing

  • /cs:compliance-readiness — for multi-framework view
  • /cs:iso27001-audit-prep — for Article 32 organizational measures
  • /cs:ai-act-readiness — for EU AI Act Article 27 FRIA integration
  • /cs:soc2-audit-prep — for SOC 2 Privacy TSC overlap
  • /cs:gc-review — for novel-case legal review

Version: 1.0.0