privacy-legal-uk

Run the cold-start interview — learns your UK data-protection practice and writes CLAUDE.md from your privacy notice, DPA template, and a reference DPIA. Use on first run, when CLAUDE.md is missing or has placeholders, or when the user says "set up the privacy plugin", "onboard me", "configure privacy", or wants to re-run the interview or re-check integrations.

Guided customisation of your UK privacy practice profile — change one thing without re-running the whole cold-start interview. Adjust risk posture, escalation contacts, DPA playbook, privacy notice commitments, DPIA house style, DSAR process, or matter workspace paths. Use when the user says "change my [thing]", "update my profile", "edit my playbook", or "customise".

Review a Data Processing Agreement against your UK GDPR Art.28 DPA playbook — auto-detects whether you're processor or controller and applies the right half of the playbook. Checks Art.28 mandatory provisions, sub-processor chain, international transfer mechanisms (IDTA / UK Addendum / adequacy), and privacy notice consistency. Use when the user says "review this DPA", "check this data processing agreement", "customer sent their DPA", "is this DPA okay", or attaches a DPA / processor agreement.

Generate a Data Protection Impact Assessment (DPIA) under UK GDPR Art.35 in house format for a new feature, product, or processing activity. Follows the ICO DPIA template structure. Checks Art.35(3) mandatory triggers, identifies the required DPO consultation, and flags prior ICO consultation (Art.36) where residual high risk remains. Use when the user says "write a DPIA", "data protection impact assessment for", "do we need a DPIA for this", "privacy review this feature", or describes a new data processing activity requiring assessment.

Walk through a Data Subject Access Request (or erasure, portability, rectification, restriction, or objection request) and draft the response — verify identity, locate data system-by-system, assess DPA 2018 Schedule 2 exemptions, draft the acknowledgment and substantive response letters within the 1-month statutory deadline. Use when a DSAR comes in, the user pastes a data subject request, or says "DSAR came in", "access request", "right to erasure", "right to be forgotten", "someone wants their data", or a similar phrase.