dpa-inspection-prep

Install

mkdir -p .claude/skills/dpa-inspection-prep && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16147" && unzip -o skill.zip -d .claude/skills/dpa-inspection-prep && rm skill.zip

Installs to .claude/skills/dpa-inspection-prep

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Guides preparation for supervisory authority (DPA) inspections and investigations including document readiness checklists, interview preparation for key personnel, technical demonstration procedures, on-site logistics, response protocols, and post-inspection follow-up. Covers unannounced inspections, formal audits, and complaint-triggered investigations. Keywords: DPA inspection, supervisory authority, investigation, readiness, interview preparation, response protocol.

About this skill

Supervisory Authority Inspection Preparation

Overview

Supervisory authorities (Data Protection Authorities, or DPAs) exercise investigative powers under Art. 58(1) GDPR, including the power to order controllers and processors to provide any information required for the performance of their tasks (Art. 58(1)(a)), to carry out investigations in the form of data protection audits (Art. 58(1)(b)), to carry out a review on certifications (Art. 58(1)(c)), to notify the controller or processor of an alleged infringement (Art. 58(1)(d)), to obtain access to all personal data and information necessary (Art. 58(1)(e)), and to obtain access to any premises of the controller and processor, including data processing equipment (Art. 58(1)(f)).

DPA inspections may be triggered by data subject complaints, sector-wide enforcement campaigns, data breach notifications, random selection, media reports, or whistleblower reports. The consequences of inadequate inspection performance include corrective measures under Art. 58(2), administrative fines under Art. 83, and reputational damage through enforcement action publicity.

Sentinel Compliance Group maintains a standing DPA inspection readiness program that ensures the organization can respond effectively to announced and unannounced supervisory authority contact within defined timeframes.

Types of DPA Contact

Inspection Types

| Type | Description | Notice Period | GDPR Basis |
|---|---|---|---|
| Written Inquiry | DPA sends written questions requiring documented responses | 14-30 days typically | Art. 58(1)(a) |
| Announced Audit | Formal data protection audit with advance notice | 2-8 weeks | Art. 58(1)(b) |
| Unannounced Inspection | On-site visit without prior notice | None | Art. 58(1)(f) |
| Complaint Investigation | Investigation triggered by data subject complaint | Variable; often begins with written inquiry | Art. 57(1)(f), 77 |
| Breach Investigation | Investigation following a breach notification under Art. 33 | Days to weeks following notification | Art. 58(1)(a), (e) |
| Sector Sweep | Coordinated investigation across multiple organizations in a sector | Varies by DPA | Art. 57(1)(a), 58(1)(b) |
| Prior Consultation Follow-Up | DPA follow-up on an Art. 36 prior consultation | Variable | Art. 36(2) |

Common DPA Investigation Triggers

| Trigger | Likelihood | DPA Approach |
|---|---|---|
| Data subject complaint | High | Written inquiry focused on specific processing; may escalate to audit |
| Breach notification (Art. 33) | High | Written questions; on-site audit if breach is significant |
| Media coverage | Medium | Preliminary inquiry; may escalate based on findings |
| Sector-wide campaign | Medium | Standardized questionnaire sent to multiple organizations simultaneously |
| Whistleblower report | Medium | Targeted investigation, possibly unannounced |
| Random selection | Low-Medium | Full compliance audit; common in some DPAs (e.g., CNIL, AEPD) |
| Prior consultation obligation | Low | Follow-up on DPIA consultation outcomes |

Document Readiness Checklist

Core Documents (Must Be Immediately Available)

| # | Document | GDPR Reference | Location | Owner | Last Updated |
|---|---|---|---|---|---|
| 1 | Records of Processing Activities (Controller) | Art. 30(1) | OneTrust RoPA module | DPO | Quarterly |
| 2 | Records of Processing Activities (Processor) | Art. 30(2) | OneTrust RoPA module | DPO | Quarterly |
| 3 | Privacy Policy (all versions, change history) | Art. 13-14 | Legal document repository | Legal | Per change |
| 4 | Data Protection Impact Assessments (all) | Art. 35 | DPIA register | DPO | Per assessment |
| 5 | Data Processing Agreements (all processors) | Art. 28 | Contract management system | Legal/Procurement | Per agreement |
| 6 | Legitimate Interest Assessments (all) | Art. 6(1)(f) | LIA register | Legal | Per assessment |
| 7 | International Transfer Mechanisms (SCCs, BCRs, TIAs) | Art. 44-49 | Transfer register | Legal | Per transfer |
| 8 | Breach Notification Records (all incidents) | Art. 33-34 | Incident management system | CISO/DPO | Per incident |
| 9 | DSAR Records (all requests and responses) | Art. 12-22 | DSAR management system | Privacy Ops | Per request |
| 10 | Consent Records (collection, withdrawal, preferences) | Art. 7 | CMP database | Privacy Ops | Continuous |
| 11 | DPO Appointment Documentation | Art. 37-39 | HR/Legal | Legal | Annual review |
| 12 | Privacy Training Records (all employees) | Art. 39(1)(b) | LMS | HR/Privacy | Per completion |
| 13 | Data Protection Policy and Procedures Manual | Art. 24(2) | Policy repository | DPO | Annual |
| 14 | Information Security Policy | Art. 32 | Policy repository | CISO | Annual |
| 15 | Vendor Risk Assessment Records | Art. 28(1) | Vendor management platform | Procurement | Per assessment |

Supporting Documents (Available Within 24 Hours)

| # | Document | GDPR Reference | Owner |
|---|---|---|---|
| 16 | Data flow diagrams and system architecture | Art. 30, 35(7)(a) | IT Architecture |
| 17 | Data classification inventory | Art. 5(1)(c), (e) | Data Governance |
| 18 | Retention schedule with legal basis for each period | Art. 5(1)(e) | Records Management |
| 19 | Privacy committee meeting minutes (last 24 months) | Art. 24(1) | DPO |
| 20 | Internal audit reports (privacy-related) | Art. 24(1) | Internal Audit |
| 21 | Privacy risk register | Art. 24(1), 32(1) | DPO |
| 22 | Employee privacy policy (workplace monitoring, BYOD) | Art. 13-14 | HR/Legal |
| 23 | Cookie audit results and CMP configuration | ePrivacy Directive Art. 5(3) | Marketing/IT |
| 24 | Sub-processor lists (per processor) | Art. 28(2) | Procurement |
| 25 | Privacy by design documentation for recent projects | Art. 25 | IT/Engineering |
| 26 | Supervisory authority correspondence history | Art. 31 | DPO |
| 27 | Certification and code of conduct documentation | Art. 42, 40 | DPO |
| 28 | Cross-border enforcement cooperation records | Art. 60-66 | Legal |
| 29 | EU representative appointment (if applicable) | Art. 27 | Legal |
| 30 | Binding Corporate Rules (if applicable) | Art. 47 | Legal |

Document Readiness Scoring

| Readiness Level | Criteria | Score |
|---|---|---|
| Green (Ready) | Document exists, is current (reviewed within policy cycle), easily retrievable, and in presentable format | 3 |
| Yellow (Partially Ready) | Document exists but is overdue for review, incomplete, or requires compilation from multiple sources | 2 |
| Red (Not Ready) | Document does not exist, is significantly outdated, or cannot be located | 1 |
| N/A | Document is not applicable to the organization | (excluded from scoring) |

Readiness Score (%) = (sum of all applicable document scores) / (3 × number of applicable documents) × 100

Target: >90% Green readiness at all times
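The scoring rule above, worked through in Python as an added example (not part of the skill or of Sentinel Compliance Group's tooling): it computes the readiness score with N/A rows excluded from the denominator, the Green share checked against the >90% target, and a remediation queue that lists Red items before Yellow with their owners. The checklist rows and status values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Points per readiness level, from the Document Readiness Scoring table;
# "na" items are excluded from the denominator rather than scored as 0.
SCORES = {"green": 3, "yellow": 2, "red": 1}

@dataclass(frozen=True)
class ChecklistItem:
    number: int    # row number in the readiness checklist
    document: str
    owner: str
    level: str     # "green", "yellow", "red" or "na"

    def __post_init__(self) -> None:
        if self.level != "na" and self.level not in SCORES:
            raise ValueError(f"unknown readiness level {self.level!r} for #{self.number}")

def applicable(items: Iterable[ChecklistItem]) -> List[ChecklistItem]:
    return [i for i in items if i.level != "na"]

def readiness_score(items: Iterable[ChecklistItem]) -> Optional[float]:
    """Sum of applicable scores / (3 x applicable count) x 100; None if no item applies."""
    scored = applicable(items)
    if not scored:
        return None
    return round(sum(SCORES[i.level] for i in scored) / (3 * len(scored)) * 100, 1)

def green_share(items: Iterable[ChecklistItem]) -> Optional[float]:
    """Percentage of applicable documents rated Green, for the >90% Green target."""
    scored = applicable(items)
    return round(100 * sum(i.level == "green" for i in scored) / len(scored), 1) if scored else None

def remediation_queue(items: Iterable[ChecklistItem]) -> List[ChecklistItem]:
    """Non-Green applicable items, lowest score (Red) first, then by checklist number."""
    return sorted((i for i in applicable(items) if i.level != "green"),
                  key=lambda i: (SCORES[i.level], i.number))

# Constructed sample status for a subset of the checklist (not real inspection data).
SAMPLE = [
    ChecklistItem(1, "Records of Processing Activities (Controller)", "DPO", "green"),
    ChecklistItem(2, "Records of Processing Activities (Processor)", "DPO", "na"),  # controller-only
    ChecklistItem(4, "Data Protection Impact Assessments (all)", "DPO", "yellow"),
    ChecklistItem(7, "International Transfer Mechanisms (SCCs, BCRs, TIAs)", "Legal", "red"),
    ChecklistItem(14, "Information Security Policy", "CISO", "green"),
]
```

For the constructed sample, `readiness_score(SAMPLE)` is 75.0 and `green_share(SAMPLE)` is 50.0, so the organization is well below the 90% Green target even though no document is missing outright.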

Interview Preparation

Key Personnel Interview Readiness

DPAs typically interview the following roles during inspections:

DPO / CPO Interview Preparation

Topics to be prepared for:

| Topic | Key Points to Communicate | Evidence to Have Ready |
|---|---|---|
| DPO Role and Independence | DPO reports to highest management level; no instructions regarding exercise of tasks; not dismissed for performing tasks; provided adequate resources | DPO appointment letter, organizational chart, budget records, board reporting schedule |
| Privacy Program Overview | Structured program with governance, policies, training, monitoring, and continuous improvement | Privacy program charter, annual plan, maturity assessment |
| Risk Management | Systematic risk identification, DPIA program, risk register, residual risk management | DPIA register, risk assessment methodology, risk register extract |
| Regulatory Compliance | Multi-jurisdictional compliance framework, regulatory change management, gap analysis | Compliance matrix, regulatory tracker, gap remediation status |
| Data Subject Rights | Established DSAR procedures with SLA tracking, quality review, and escalation | DSAR metrics, sample responses (redacted), process documentation |
| International Transfers | Transfer mapping, appropriate safeguards, TIA methodology | Transfer register, TIAs, SCC execution records |

DPO Interview Principles:

  1. Answer questions factually and precisely; do not volunteer information beyond what is asked
  2. If uncertain about a specific detail, state that you will verify and provide a documented response
  3. Refer to documented policies and procedures rather than describing informal practices
  4. Demonstrate accountability: acknowledge gaps honestly and describe remediation plans
  5. Keep a contemporaneous record of all questions asked and answers provided

IT/CISO Interview Preparation

Topics to be prepared for:

| Topic | Key Points | Evidence |
|---|---|---|
| Security Measures (Art. 32) | Encryption (at rest, in transit), access controls, logging, patch management, vulnerability management | Security architecture diagram, encryption configuration, RBAC matrix, pen test results |
| Breach Detection and Response | SIEM configuration, detection rules, incident response plan, notification procedures | SIEM dashboard, incident response plan, tabletop exercise records |
| Data Deletion and Retention | Technical enforcement of retention periods, secure deletion methods, backup deletion | Deletion job logs, NIST SP 800-88 compliance, retention automation configuration |
| Access Management | Identity and access management, privileged access controls, access reviews, deprovisioning | IAM configuration, access review records, deprovisioning SOP |
| Pseudonymisation and Anonymisation | Techniques used, reversibility assessments, key management | Technical documentation, anonymisation risk assessments |

Business Process Owner


Content truncated.