Implement GDPR-compliant data handling with consent management, data subject rights, and privacy by design. Use when building systems that process EU personal data, implementing privacy controls, or conducting GDPR compliance reviews.
71
Does it follow best practices? 57%
Impact: 98% (1.38x average score across 3 eval scenarios)
Passed: No known issues
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its domain (GDPR compliance), lists specific capabilities (consent management, data subject rights, privacy by design), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague. The description would effectively help Claude distinguish this skill from others in a large skill library.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'consent management', 'data subject rights', 'privacy by design', 'implementing privacy controls', and 'conducting GDPR compliance reviews'. These are distinct, identifiable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (GDPR-compliant data handling with consent management, data subject rights, privacy by design) and 'when' (explicit 'Use when' clause covering building systems processing EU personal data, implementing privacy controls, or conducting GDPR compliance reviews). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'GDPR', 'consent management', 'data subject rights', 'privacy by design', 'EU personal data', 'privacy controls', 'compliance reviews'. These cover the main terms someone working on GDPR compliance would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche around GDPR and EU data privacy. The specific regulatory domain (GDPR), combined with concrete triggers like 'EU personal data' and 'consent management', makes it unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is excessively verbose, spending significant tokens on GDPR concepts Claude already knows while embedding hundreds of lines of illustrative code inline. It lacks workflow sequencing and validation checkpoints critical for a domain involving legally mandated deadlines and destructive operations like data erasure. The content would benefit enormously from being restructured into a concise overview with references to separate pattern files.
Suggestions
Remove the 'Core Concepts' section entirely (personal data categories, legal bases, data subject rights) — Claude already knows GDPR fundamentals. Replace with a brief note on which categories require special handling in code.
Add a clear sequenced workflow for GDPR implementation (e.g., 1. Audit data flows → 2. Implement consent → 3. Build DSAR handling → 4. Set retention policies → 5. Validate with checklist) with explicit validation checkpoints at each stage.
Split the five code patterns into separate referenced files (e.g., CONSENT.md, DSAR.md, RETENTION.md, BREACH.md) and keep only a brief summary with links in the main skill file.
Add validation/verification steps for destructive operations like erasure requests (e.g., verify identity before processing, confirm deletion across all sources, generate audit proof).
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~400+ lines. Includes extensive tables explaining GDPR concepts Claude already knows (personal data categories, legal bases, data subject rights), and provides massive code blocks that are more reference material than actionable skill guidance. The core concepts section is entirely unnecessary context that Claude would already have. | 1 / 3 |
| Actionability | The code examples are relatively concrete and near-executable (JavaScript consent manager, Python DSAR handler, retention policies), but they rely on undefined infrastructure (self.db, self.eventBus, DataSource classes), making them more like illustrative patterns than copy-paste ready code. The checklist is actionable but generic. | 2 / 3 |
| Workflow Clarity | There is no clear sequenced workflow for implementing GDPR compliance. The patterns are presented as isolated code blocks without guidance on ordering, dependencies, or validation checkpoints. For a domain involving destructive operations (data erasure) and legally mandated deadlines, there are no verification steps or feedback loops described. | 1 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. All five patterns with full code implementations are inlined, making the skill extremely long. Content like the breach notification handler, retention policies, and DSAR handler should be split into separate referenced files. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (625 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |