GDPR Compliance Checklist
GDPR compliance is not binary — it's a spectrum of risk reduction across dozens of obligations, and the ones that matter depend entirely on what your business actually does with data. The GDPR Compliance Checklist skips the generic 50-point list and produces a prioritised, business-specific roadmap with the gaps that genuinely create enforcement risk.
What this skill does
GDPR is not a pass/fail exam. It's a spectrum of obligations that scale with what you do with data, and the requirements that matter for a solo consultant with a mailing list are not the requirements that matter for a SaaS platform processing customer data at scale. Generic checklists waste time on items that don't apply and miss the items that actually create liability. This skill produces a checklist sized to the business.
It starts with a data profile. Business size, location (and whether GDPR reaches you under Article 3 even from outside the UK/EU), role as controller or processor, what data you collect, who from, how, why, where it's stored, who you share with, how long you keep it. Special categories of data (health, biometric, political opinions and the rest of the Article 9 list) and children's data trigger heightened obligations and get flagged separately. The output marks each requirement as Compliant, Gap, Partial, or Not Applicable, and "Not Applicable" is treated as a valid and important status, not a cop-out.
The checklist is ordered by enforcement risk, not by article number. Priority 1 is the foundational layer: lawful basis documented for every processing activity, a published and accurate privacy notice, and a processing register if you fall outside the Article 30(5) exemption (250 or more employees, or processing that is not occasional, involves special categories or criminal-conviction data, or is likely to pose a risk to individuals). Priority 2 is data subject rights: Subject Access Requests are the most common complaint trigger, and the one-month response clock starts when the request arrives, whether or not you have a process for handling it. Priority 3 covers security measures and the 72-hour window for notifying the supervisory authority of a reportable breach. Priority 4 covers DPAs with every processor (Stripe, Mailchimp, hosting providers, analytics) and international transfers under SCCs or adequacy decisions. Priority 5 is governance: DPO if required, DPIAs for high-risk processing, staff training, and cookie consent (strictly a PECR/ePrivacy obligation, but assessed alongside GDPR because the same regulator enforces both). Priority 6 is review cadence so the document doesn't quietly drift out of date.
The output includes a Compliance Summary, the full tailored Checklist, a Remediation Roadmap with effort estimates, a Quick Wins list (things that can be fixed today in under two hours), and a Red Flags section for issues that create immediate enforcement risk. Processors get a different version of the checklist — the obligations shift when you're processing data on behalf of clients rather than as the controller.
This produces a checklist and remediation roadmap, not legal advice. GDPR enforcement involves real fines (up to 4% of global annual turnover or EUR 20 million / GBP 17.5 million, whichever is higher), and the boundary between "compliant" and "non-compliant" is sometimes interpretive, especially around lawful basis assessments, transfer impact assessments, and special-category processing. Have a qualified data protection lawyer or DPO review the assessment and your remediation plan. The skill is a starting point for professional review, not a substitute for one.
When this triggers
- You're a UK or EU business and you've never had a structured GDPR review
- You're outside the UK/EU but serving UK/EU customers and you're not sure where you stand
- You're about to launch a product that processes personal data and need to know what's missing
- A client or partner has asked for evidence of GDPR compliance as part of a contract
- You've been told you 'need GDPR' and the generic checklists are 50 items of compliance theatre
Example
Trigger
User: 'Solo consultant, UK-based. Mailing list of 1,200 (Mailchimp), Stripe for payments, Google Analytics on the site, no employees, occasional EU clients. Where am I?'
Output
Compliance Summary
Items assessed: 18. Compliant: 4. Gap: 7. N/A: 6. Partial: 1.
Solo consultants don't need a DPO or formal processing register — that's compliance theatre at this scale.

Priority 1 gaps (foundational):
[ ] Lawful basis not documented for mailing list — likely consent, but you need the signup record to prove it
[ ] Privacy notice missing or out of date

Priority 2 gaps (data subject rights):
[ ] No documented SAR process. Likelihood low at your scale but if one lands you have 1 month to respond.

Priority 3 gaps (security and breach):
[ ] No breach response plan. 72-hour clock to ICO is real.

Priority 4 gaps (third parties):
[ ] No DPAs with Mailchimp, Stripe, Google Analytics. These exist as standard terms — you need to accept/sign them.
[ ] Google Analytics + EU data = international transfer. GA4 + IP anonymisation reduces risk but doesn't eliminate.

Quick Wins (today, under 2 hours total):
· Accept standard DPAs from Mailchimp, Stripe, Google
· Update privacy notice with Privacy Policy Generator skill
· Document mailing list lawful basis in a one-page register

Red Flags:
Google Analytics EU transfer is the highest-profile exposure given recent ICO guidance — consider Plausible or similar EU-hosted alternative if EU traffic is meaningful.
Get this skill + 6 more
Included in The Freelancer Stack — win clients, deliver work, get paid. Save $100+ vs buying individually.
Get The Freelancer Stack — $99
What you get
- 216-line SKILL.md, ready to drop into ~/.claude/skills/
- Tested through 3 Karpathy-loop iterations (versions v1.0.0 → v1.3.0)
- Triggers automatically when relevant — no command to remember
- Lifetime updates as the skill is refined further
More from Legal & Compliance
Produces letters that are firm enough to be taken seriously, specific enough to be legally meaningful, and professional enough that they don't escalate the situation unnecessarily
Produces the actual words to say or write — not generic advice like "stay calm and be professional". Takes the specific conflict, identifies the underlying interests, and drafts a communication strategy…
Takes a loose description of a working relationship — who's involved, what's being delivered, how payment works — and produces a structured, enforceable contract that protects both parties
Handles the part of business relationships that causes the most expensive disputes: who owns what was created
Doesn't produce a generic wall of text — it produces a policy that accurately describes what THIS business does with data, which laws apply, and what rights users have
Produces T&Cs that protect the business from real risks — not a generic template that covers everything and protects nothing
Browse the full library
297 skills across 31 categories. One purchase, lifetime updates.
See all bundles