dpa-inspection-prep
Install
mkdir -p .claude/skills/dpa-inspection-prep && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16147" && unzip -o skill.zip -d .claude/skills/dpa-inspection-prep && rm skill.zip
Installs to .claude/skills/dpa-inspection-prep
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Guides preparation for supervisory authority (DPA) inspections and investigations including document readiness checklists, interview preparation for key personnel, technical demonstration procedures, on-site logistics, response protocols, and post-inspection follow-up. Covers unannounced inspections, formal audits, and complaint-triggered investigations. Keywords: DPA inspection, supervisory authority, investigation, readiness, interview preparation, response protocol.
Supervisory Authority Inspection Preparation
Overview
Supervisory authorities (Data Protection Authorities, or DPAs) exercise investigative powers under Art. 58(1) GDPR, including the power to order controllers and processors to provide any information required for the performance of their tasks (Art. 58(1)(a)), to carry out investigations in the form of data protection audits (Art. 58(1)(b)), to carry out a review on certifications (Art. 58(1)(c)), to notify the controller or processor of an alleged infringement (Art. 58(1)(d)), to obtain access to all personal data and information necessary (Art. 58(1)(e)), and to obtain access to any premises of the controller and processor, including data processing equipment (Art. 58(1)(f)).
DPA inspections may be triggered by data subject complaints, sector-wide enforcement campaigns, data breach notifications, random selection, media reports, or whistleblower reports. The consequences of inadequate inspection performance include corrective measures under Art. 58(2), administrative fines under Art. 83, and reputational damage through enforcement action publicity.
Sentinel Compliance Group maintains a standing DPA inspection readiness program that ensures the organization can respond effectively to announced and unannounced supervisory authority contact within defined timeframes.
Types of DPA Contact
Inspection Types
| Type | Description | Notice Period | GDPR Basis |
|---|---|---|---|
| Written Inquiry | DPA sends written questions requiring documented responses | 14-30 days typically | Art. 58(1)(a) |
| Announced Audit | Formal data protection audit with advance notice | 2-8 weeks | Art. 58(1)(b) |
| Unannounced Inspection | On-site visit without prior notice | None | Art. 58(1)(f) |
| Complaint Investigation | Investigation triggered by data subject complaint | Variable; often begins with written inquiry | Art. 57(1)(f), 77 |
| Breach Investigation | Investigation following a breach notification under Art. 33 | Days to weeks following notification | Art. 58(1)(a), (e) |
| Sector Sweep | Coordinated investigation across multiple organizations in a sector | Varies by DPA | Art. 57(1)(a), 58(1)(b) |
| Prior Consultation Follow-Up | DPA follow-up on an Art. 36 prior consultation | Variable | Art. 36(2) |
Common DPA Investigation Triggers
| Trigger | Likelihood | DPA Approach |
|---|---|---|
| Data subject complaint | High | Written inquiry focused on specific processing; may escalate to audit |
| Breach notification (Art. 33) | High | Written questions; on-site audit if breach is significant |
| Media coverage | Medium | Preliminary inquiry; may escalate based on findings |
| Sector-wide campaign | Medium | Standardized questionnaire sent to multiple organizations simultaneously |
| Whistleblower report | Medium | Targeted investigation, possibly unannounced |
| Random selection | Low-Medium | Full compliance audit; common in some DPAs (e.g., CNIL, AEPD) |
| Prior consultation obligation | Low | Follow-up on DPIA consultation outcomes |
Document Readiness Checklist
Core Documents (Must Be Immediately Available)
| # | Document | GDPR Reference | Location | Owner | Last Updated |
|---|---|---|---|---|---|
| 1 | Records of Processing Activities (Controller) | Art. 30(1) | OneTrust RoPA module | DPO | Quarterly |
| 2 | Records of Processing Activities (Processor) | Art. 30(2) | OneTrust RoPA module | DPO | Quarterly |
| 3 | Privacy Policy (all versions, change history) | Art. 13-14 | Legal document repository | Legal | Per change |
| 4 | Data Protection Impact Assessments (all) | Art. 35 | DPIA register | DPO | Per assessment |
| 5 | Data Processing Agreements (all processors) | Art. 28 | Contract management system | Legal/Procurement | Per agreement |
| 6 | Legitimate Interest Assessments (all) | Art. 6(1)(f) | LIA register | Legal | Per assessment |
| 7 | International Transfer Mechanisms (SCCs, BCRs, TIAs) | Art. 44-49 | Transfer register | Legal | Per transfer |
| 8 | Breach Notification Records (all incidents) | Art. 33-34 | Incident management system | CISO/DPO | Per incident |
| 9 | DSAR Records (all requests and responses) | Art. 12-22 | DSAR management system | Privacy Ops | Per request |
| 10 | Consent Records (collection, withdrawal, preferences) | Art. 7 | CMP database | Privacy Ops | Continuous |
| 11 | DPO Appointment Documentation | Art. 37-39 | HR/Legal | Legal | Annual review |
| 12 | Privacy Training Records (all employees) | Art. 39(1)(b) | LMS | HR/Privacy | Per completion |
| 13 | Data Protection Policy and Procedures Manual | Art. 24(2) | Policy repository | DPO | Annual |
| 14 | Information Security Policy | Art. 32 | Policy repository | CISO | Annual |
| 15 | Vendor Risk Assessment Records | Art. 28(1) | Vendor management platform | Procurement | Per assessment |
Supporting Documents (Available Within 24 Hours)
| # | Document | GDPR Reference | Owner |
|---|---|---|---|
| 16 | Data flow diagrams and system architecture | Art. 30, 35(7)(a) | IT Architecture |
| 17 | Data classification inventory | Art. 5(1)(c), (e) | Data Governance |
| 18 | Retention schedule with legal basis for each period | Art. 5(1)(e) | Records Management |
| 19 | Privacy committee meeting minutes (last 24 months) | Art. 24(1) | DPO |
| 20 | Internal audit reports (privacy-related) | Art. 24(1) | Internal Audit |
| 21 | Privacy risk register | Art. 24(1), 32(1) | DPO |
| 22 | Employee privacy policy (workplace monitoring, BYOD) | Art. 13-14 | HR/Legal |
| 23 | Cookie audit results and CMP configuration | ePrivacy Directive Art. 5(3) | Marketing/IT |
| 24 | Sub-processor lists (per processor) | Art. 28(2) | Procurement |
| 25 | Privacy by design documentation for recent projects | Art. 25 | IT/Engineering |
| 26 | Supervisory authority correspondence history | Art. 31 | DPO |
| 27 | Certification and code of conduct documentation | Art. 42, 40 | DPO |
| 28 | Cross-border enforcement cooperation records | Art. 60-66 | Legal |
| 29 | EU representative appointment (if applicable) | Art. 27 | Legal |
| 30 | Binding Corporate Rules (if applicable) | Art. 47 | Legal |
Document Readiness Scoring
| Readiness Level | Criteria | Score |
|---|---|---|
| Green (Ready) | Document exists, is current (reviewed within policy cycle), easily retrievable, and in presentable format | 3 |
| Yellow (Partially Ready) | Document exists but is overdue for review, incomplete, or requires compilation from multiple sources | 2 |
| Red (Not Ready) | Document does not exist, is significantly outdated, or cannot be located | 1 |
| N/A | Document is not applicable to the organization | — |
Readiness Score: Sum of all applicable document scores / (3 × number of applicable documents) × 100
Target: >90% Green readiness at all times
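The readiness score formula above, worked through as an added Python example (not part of the skill's own files). The sample register, the lower-case level keys and the `readiness_score` function are constructed here; the rule that N/A documents drop out of both numerator and denominator follows the scoring table.

```python
"""Document readiness score: sum(applicable scores) / (3 * applicable count) * 100."""

# Points per readiness level, as in the scoring table; N/A carries no score.
LEVEL_SCORES = {"green": 3, "yellow": 2, "red": 1, "n/a": None}
TARGET_PERCENT = 90.0  # page target: >90% readiness at all times


def readiness_score(register):
    """register: iterable of (document_name, level) pairs.

    Returns the percentage score, a count per level, the documents rated
    Red (the ones to remediate first), and whether the target is met."""
    counts = {"green": 0, "yellow": 0, "red": 0, "n/a": 0}
    red_docs = []
    total = 0
    applicable = 0
    for name, level in register:
        key = level.strip().lower()
        if key not in LEVEL_SCORES:
            raise ValueError(f"unknown readiness level {level!r} for {name!r}")
        counts[key] += 1
        points = LEVEL_SCORES[key]
        if points is None:
            continue  # N/A documents neither score nor count as applicable
        applicable += 1
        total += points
        if key == "red":
            red_docs.append(name)
    # Edge case: an empty or all-N/A register has no evidence of readiness.
    pct = 0.0 if applicable == 0 else total / (3 * applicable) * 100
    return {"score": round(pct, 1), "counts": counts, "red": red_docs,
            "meets_target": pct > TARGET_PERCENT}


# Constructed sample register (not the page's data): six documents, one N/A.
SAMPLE_REGISTER = [
    ("Records of Processing Activities (Controller)", "Green"),
    ("Records of Processing Activities (Processor)", "N/A"),
    ("Privacy Policy", "Green"),
    ("Data Protection Impact Assessments", "Yellow"),
    ("Data Processing Agreements", "Green"),
    ("Legitimate Interest Assessments", "Red"),
]

if __name__ == "__main__":
    print(readiness_score(SAMPLE_REGISTER))  # score 80.0, target not met
```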
Interview Preparation
Key Personnel Interview Readiness
DPAs typically interview the following roles during inspections:
DPO / CPO Interview Preparation
Topics to be prepared for:
| Topic | Key Points to Communicate | Evidence to Have Ready |
|---|---|---|
| DPO Role and Independence | DPO reports to highest management level; no instructions regarding exercise of tasks; not dismissed for performing tasks; provided adequate resources | DPO appointment letter, organizational chart, budget records, board reporting schedule |
| Privacy Program Overview | Structured program with governance, policies, training, monitoring, and continuous improvement | Privacy program charter, annual plan, maturity assessment |
| Risk Management | Systematic risk identification, DPIA program, risk register, residual risk management | DPIA register, risk assessment methodology, risk register extract |
| Regulatory Compliance | Multi-jurisdictional compliance framework, regulatory change management, gap analysis | Compliance matrix, regulatory tracker, gap remediation status |
| Data Subject Rights | Established DSAR procedures with SLA tracking, quality review, and escalation | DSAR metrics, sample responses (redacted), process documentation |
| International Transfers | Transfer mapping, appropriate safeguards, TIA methodology | Transfer register, TIAs, SCC execution records |
DPO Interview Principles:
- Answer questions factually and precisely; do not volunteer information beyond what is asked
- If uncertain about a specific detail, state that you will verify and provide a documented response
- Refer to documented policies and procedures rather than describing informal practices
- Demonstrate accountability: acknowledge gaps honestly and describe remediation plans
- Keep a contemporaneous record of all questions asked and answers provided
IT/CISO Interview Preparation
Topics to be prepared for:
| Topic | Key Points | Evidence |
|---|---|---|
| Security Measures (Art. 32) | Encryption (at rest, in transit), access controls, logging, patch management, vulnerability management | Security architecture diagram, encryption configuration, RBAC matrix, pen test results |
| Breach Detection and Response | SIEM configuration, detection rules, incident response plan, notification procedures | SIEM dashboard, incident response plan, tabletop exercise records |
| Data Deletion and Retention | Technical enforcement of retention periods, secure deletion methods, backup deletion | Deletion job logs, NIST SP 800-88 compliance, retention automation configuration |
| Access Management | Identity and access management, privileged access controls, access reviews, deprovisioning | IAM configuration, access review records, deprovisioning SOP |
| Pseudonymisation and Anonymisation | Techniques used, reversibility assessments, key management | Technical documentation, anonymisation risk assessments |
Business Process Owner
Content truncated.