GDPR Compliance Skills for AI Agents: Portable Legal Expertise, Open Source
There is a growing gap between what AI agents can do and what they know about data protection law. General-purpose models are impressive at reasoning, drafting, and analysis, but they lack the structured legal knowledge needed for specific compliance workflows. They can write a plausible-sounding privacy notice, but they do not know the EDPB's current position on layered transparency or the specific requirements for cross-border processing disclosures.
I have been working on bridging that gap. Today, I am publishing three open-source GDPR compliance skills — self-contained packages that teach AI agents how to handle core data protection workflows with the rigor and structure that regulatory compliance demands.
What Are Skills?
Skills are an open standard originally established by Anthropic for Claude, now being adopted across the AI tool ecosystem. Think of a skill as portable legal expertise in a file: a self-contained package of prompts, templates, methodologies, and guidelines that an AI agent can load on demand.
When an agent loads a skill, it gains structured knowledge about a specific domain. It does not just get general instructions — it receives a complete framework including decision trees, regulatory references, output templates, and quality criteria. The agent then applies this knowledge within its conversation, producing outputs that follow the methodology encoded in the skill.
No coding is required. Skills are plain-text files that any practitioner can read, audit, and modify. They work with Claude and are being adopted by other AI tools as well, making them genuinely portable.
Why Skills Matter for Legal Compliance
Legal compliance work has a particular characteristic that makes it well-suited for this approach: it combines structured methodologies with context-dependent judgment.
A DPIA, for example, follows a defined framework under Art. 35 GDPR. There are required elements — systematic description of processing, necessity and proportionality assessment, risk evaluation, mitigation measures. This structure can be encoded. But the substance within that structure — whether a specific processing operation creates a high risk to individuals, what mitigation measures are proportionate — requires analysis that depends on the specific facts.
Skills encode the framework and methodology. The AI agent provides the analytical capacity. The practitioner provides the context and exercises judgment over the output. This division of labor is where I see the real value: not replacing legal expertise, but making it more accessible and consistent.
The Three Skills
Each skill is built from my experience as a practicing data protection lawyer. They encode real regulatory methodologies, not generic templates.
Breach Response Sentinel
Built around the ENISA severity assessment methodology and the requirements of Art. 33 and Art. 34 GDPR. This skill guides the agent through a structured breach assessment: identifying the type of breach, classifying the data categories and volume affected, evaluating the severity using ENISA's scoring criteria, and determining whether the notification threshold is met — both for the supervisory authority (Art. 33) and for data subjects (Art. 34).
The skill also accounts for the 72-hour notification window, structures the required notification content, and flags situations where a cross-border breach triggers lead supervisory authority obligations.
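An added example, not part of the skill files or of the original post: the ENISA severity formula (SE = DPC times EI plus CB) and the Art. 33/34 threshold check described above, expressed in Python. The base scores, factors and severity bands are those of ENISA's 2013 methodology; the mapping from severity band to notification duty, the `dpc_adjustment` field and the two sample breaches are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ENISA (2013) severity formula: SE = DPC * EI + CB
DPC_BASE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}  # Data Processing Context
EI = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}  # Ease of Identification
CB = {  # Circumstances of Breach: every applicable factor adds to the score
    "confidentiality_known_recipients": 0.25,
    "confidentiality_unknown_recipients": 0.5,
    "integrity_recoverable": 0.25,
    "integrity_irrecoverable": 0.5,
    "availability_temporary": 0.25,
    "availability_permanent": 0.5,
    "malicious_intent": 0.5,
}

@dataclass
class Breach:
    data_type: str            # key of DPC_BASE (most sensitive category involved)
    identification: str       # key of EI
    circumstances: list       # keys of CB
    aware_at: datetime        # moment the controller became aware (Art. 33(1))
    dpc_adjustment: int = 0   # assumed field: +/-1 for aggravating or mitigating context

def severity_score(b: Breach) -> float:
    """SE = DPC * EI + CB, with DPC clamped to ENISA's 1..4 range."""
    dpc = max(1, min(4, DPC_BASE[b.data_type] + b.dpc_adjustment))
    return dpc * EI[b.identification] + sum(CB[c] for c in b.circumstances)

def severity_band(se: float) -> str:
    """ENISA bands: low below 2, medium below 3, high below 4, otherwise very high."""
    return "low" if se < 2 else "medium" if se < 3 else "high" if se < 4 else "very_high"

def assess(b: Breach) -> dict:
    """Assumed mapping of band to notification duties, plus the Art. 33 deadline."""
    se = severity_score(b)
    band = severity_band(se)
    notify_sa = band != "low"                   # Art. 33: no duty only if a risk is unlikely
    notify_ds = band in ("high", "very_high")   # Art. 34: likely high risk to individuals
    return {"score": se, "band": band,
            "notify_supervisory_authority": notify_sa,
            "notify_data_subjects": notify_ds,
            "art33_deadline": b.aware_at + timedelta(hours=72) if notify_sa else None}

# Constructed sample breaches for illustration
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EXFIL = Breach("financial", "significant",
                      ["confidentiality_unknown_recipients", "malicious_intent"], AWARE)
SAMPLE_OUTAGE = Breach("simple", "negligible", ["availability_temporary"], AWARE)
```

Running `assess(SAMPLE_EXFIL)` yields a score of 3.25 (band "high") with both notification duties and a deadline 72 hours after `AWARE`, while `assess(SAMPLE_OUTAGE)` scores 0.5 (band "low") and only needs the internal record under Art. 33(5).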
Privacy Notice Generator
Generating privacy notices that are both legally complete and practically readable is harder than it looks. This skill implements a multi-jurisdictional approach, covering the full Art. 13/14 GDPR information requirements while adapting to the specific processing context.
The skill prompts the agent to systematically work through each required disclosure — controller identity, purposes and legal bases, recipients, retention periods, data subject rights, international transfers — and produces a structured notice that follows current EDPB guidance on layered transparency. It handles the common pitfalls: ensuring legitimate interest purposes include the balancing test reference, that joint controller arrangements are properly disclosed, and that international transfer safeguards are specified with precision.
DPIA Assessment
The most complex of the three. This skill implements the Art. 35 DPIA framework, including the EDPB's criteria for determining when a DPIA is required (the "two or more" rule from the Article 29 Working Party guidelines). It guides the agent through the full assessment cycle: threshold analysis, systematic processing description, necessity and proportionality evaluation, risk identification and scoring, and mitigation measure development.
The skill produces a structured DPIA document that can serve as the basis for the controller's compliance record, with clear risk ratings and documented decision rationale.
Lawyer-Built, Open, and Practical
A few principles guided the design of these skills:
Methodology over templates. The skills do not just fill in forms. They encode the analytical frameworks that practitioners use — ENISA severity scoring, EDPB risk criteria, Art. 6 balancing tests. The outputs are structured, but the analysis is substantive.
Transparency and auditability. Every skill is a plain-text file. You can read exactly what the agent is being instructed to do, verify the regulatory references, and modify the approach if your practice requires it. There is no black box.
Open source. The skills are freely available for download. The goal is to raise the baseline quality of compliance work across the profession, not to lock expertise behind paywalls.
Where Legal AI Is Heading
I believe this is where legal AI becomes genuinely useful: not as a general-purpose chatbot that gives approximate answers, but as a specialized tool that encodes real legal knowledge into reusable, auditable workflows. The shift from "ask the AI a question" to "give the AI a methodology and let it apply it" is fundamental.
These three skills are a starting point. More are in development, and I will continue building tools that translate regulatory expertise into practical, portable applications.
All skills are available as free downloads on our Tools page. If you are a privacy professional, data protection officer, or legal team working with AI tools, I would welcome your feedback on how they perform in practice.