Stats
Actions
Tags
From privacy-legal
Diffs new or changed regulations against current privacy policy and practice to output a gap list and remediation plan with owners and dates.
How this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-legal:reg-gap-analysis [regulation name, or paste reg text/summary][regulation name, or paste reg text/summary]The summary Claude sees in its skill listing — used to decide when to auto-load this skill
1. Load `~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md` → privacy policy commitments, regulatory footprint, DSAR systems.
~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → privacy policy commitments, regulatory footprint, DSAR systems./privacy-legal:reg-gap-analysis "Colorado Privacy Act"
/privacy-legal:reg-gap-analysis
[paste guidance / reg text]
A state passes a new privacy law. The ICO issues new guidance. The CPPA finalizes regulations. Something moves — and now you need to know what, if anything, you have to change.
This skill diffs the new requirement against what you currently do (per ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → Privacy policy commitments + the practices documented in PIAs) and produces a gap list with a remediation plan.
Read ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md:
## Privacy policy commitments — what you've publicly promised## Regulatory footprint — what already applies## DSAR process → systems list — what you actually do operationallyIf the regulation doesn't apply to you (wrong jurisdiction, below threshold, different sector), the gap analysis is one line: "Doesn't apply. Here's why: [reason]. No action needed."
Before diffing, answer:
Read the regulation (or summary/guidance). List every substantive requirement as a discrete item:
| # | Requirement | Citation | Category |
|---|---|---|---|
| 1 | [requirement as stated] | [section] | [Notice / Rights / Security / Vendor / Other] |
Categories:
For each requirement:
### [Requirement #N]: [short name]
**Regulation says:** [requirement, quoted or paraphrased]
**We currently:** [what the config CLAUDE.md / privacy policy / practice shows]
**Gap:** [None | Partial | Full]
**If partial/full gap — what's missing:** [specific]
**Effort to close:** [Policy update only | Product change | Vendor renegotiation |
New process]
**Risk of non-compliance:** [regulatory penalty range, enforcement likelihood,
reputational]
Not every gap is equal. Sort by:
Prepend the work-product header from ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md ## Outputs (it differs by user role — see ## Who's using this).
Research-connector pre-flight. Before emitting the remediation plan, check whether a legal research connector is reachable for this session — Lexis+, Westlaw, an EUR-Lex / regulator-site connector, or any firm-configured research MCP. Collect this into the reviewer note per CLAUDE.md
## Outputs: if no connector returns results in Step 2 or the Common regulation categories research step (or none is configured at run time), record it in the Sources: line of the reviewer note — e.g.,not connected — cites from training knowledge; the highest-fabrication items in privacy gap analyses are new state-law effective dates, enforcement-begins dates, and article/section pinpoints — spot-check those first. Per-citation[model knowledge — verify]tags remain inline. Do not emit a standalone banner above the output.
[WORK-PRODUCT HEADER — per plugin config ## Outputs]
## Remediation Plan: [Regulation name]
**Effective date:** [date]
**Enforcement begins:** [date]
### Must-do before enforcement
| Gap | Fix | Owner | Due | Status |
|---|---|---|---|---|
| [gap] | [specific fix] | [name] | [date] | [ ] |
### Should-do (lower risk, not blocking)
[same table]
### Already compliant
[list of requirements where gap = None — useful for the "we're mostly fine" message]
### Accepted gaps (risk-accepted, not fixing)
[if any — with documented rationale and who accepted the risk]
When scoping the delta, it helps to place the new regulation into a rough category and then research the specifics:
For each category relevant to the new regulation, research the currently operative requirements before drafting the gap analysis. Cite primary sources. Verify currency — new state laws come online each legislative session, and regulators issue interpretive guidance that shifts what "compliance" means for a given control. Flag uncertainty for attorney verification rather than assert a rule you haven't confirmed.
No silent supplement. If a research query to the configured legal research tool (Lexis+, Westlaw, regulator databases, or firm platform) returns few or no results for a regulation, guidance document, or enforcement action, report what was found and stop. Do NOT fill the gap from web search or model knowledge without asking. Say: "The search returned [N] results from [tool]. Coverage appears thin for [regime / topic]. Options: (1) broaden the search query, (2) try a different research tool, (3) search the web — results will be tagged
[web search — verify]and should be checked against the issuing authority before relying, or (4) flag as unverified and stop. Which would you like?" A lawyer decides whether to accept lower-confidence sources.Source attribution tiering. Tag every citation in the gap analysis with its source. For model-knowledge citations, use one of three tiers rather than a single blanket "verify" tag:
[settled]— stable, well-known statutory and regulatory references unlikely to have changed (e.g., GDPR Art. 33, CCPA § 1798.100, FTC Act § 5). Still verify before filing, but lower priority.[verify]— model-knowledge citations that are real but should be verified: specific implementing regulations, agency guidance, case holdings, thresholds, effective dates, newly enacted state statutes.[verify-pinpoint]— pinpoint citations (specific subsection letters, volume/page numbers, paragraph numbers, regulatory subpart references) carry the highest fabrication risk and should ALWAYS be verified against a primary source.Tool-retrieved citations keep their source tag (
[Lexis+],[Westlaw],[issuing authority site], or the MCP tool name); web-search citations remain[web search — verify]; user-supplied citations remain[user provided]. The tiering surfaces the real verification work — a reader who verifies everything verifies nothing. Never strip or collapse the tags.
From PIA generation: PIAs flag privacy policy inconsistencies → those feed here as known gaps.
To the regulatory-legal plugin (if installed): This skill is the manual version. The monitor plugin watches feeds and triggers this analysis automatically when something changes.
Save as a dated markdown doc. The remediation plan table becomes a tracker — update status as items close.
If the gap analysis concludes "no gaps, we're compliant," still write the doc — it's useful evidence later that you looked.
Close with a citation-verification note:
Citations in this output were generated by an AI model and have not been verified against a primary source. Before relying on any regulation, statute, guidance, or enforcement action, check it against a legal research tool (Lexis+, Westlaw, your firm's research platform, or the issuing authority's website) for accuracy and current status. AI-generated citations are sometimes fabricated or misquoted. Source tags on each citation (e.g.,
[Lexis+],[web search — verify]) show where it came from;verifytags carry higher fabrication risk and should be checked first.
End with the next-steps decision tree per CLAUDE.md ## Outputs. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.
npx claudepluginhub anthropics/claude-for-legal --plugin privacy-legalDiffs a new AI regulation or guidance against current governance posture to surface gaps, priorities, and a remediation plan with owners and deadlines. Use when a regulation changes or a compliance check is needed.
Compares new or amended regulations against current personal information processing rules to produce a gap list and a remediation plan with owners and deadlines. Activates when asking about regulatory compliance impact or pasting regulation text.
Diffs a regulatory change against an indexed policy library to identify gaps and required policy updates. Use when a regulation changes or for gap analysis.