Regulatory Compliance Skill

合规监管Skill

Overview

概述

Assess systems, processes, and artifacts against major regulatory frameworks:

GDPR/CCPA — Data privacy compliance for EU and California/US state laws
Privacy-by-Design — Proactive privacy embedding following Ann Cavoukian's 7 principles
ADA/WCAG — Web and software accessibility under ADA and WCAG 2.1/2.2 AA standards
DPA Validation — Data Processing Agreement completeness and correctness checks
Regulatory Monitoring — Guidance on tracking regulatory changes across jurisdictions

Output is structured as PASS / CONDITIONAL / FAIL with severity-rated findings and actionable remediation tasks.

针对主要监管框架评估系统、流程和相关工件：

GDPR/CCPA — 针对欧盟及美国加州/各州法律的数据隐私合规
Privacy-by-Design — 遵循Ann Cavoukian的7项原则，主动嵌入隐私保护机制
ADA/WCAG — 符合ADA及WCAG 2.1/2.2 AA标准的网页与软件无障碍性
DPA验证 — 数据处理协议（DPA）的完整性与正确性检查
监管变化监控 — 跨司法管辖区追踪监管变化的指南

输出结果分为PASS（通过）/ CONDITIONAL（有条件通过）/ FAIL（不通过），包含分级严重程度的问题发现及可执行的整改任务。

When to Use

适用场景

Before deploying any feature that collects, processes, or stores personal data
During architecture review for systems touching PII or user data
When validating third-party vendor agreements and DPAs
Before launching products in EU, California, or any jurisdiction with active privacy law
When auditing accessibility compliance for public-facing interfaces
As part of CI compliance gates for data pipelines and APIs

在部署任何收集、处理或存储个人数据的功能之前
在涉及个人身份信息（PII）或用户数据的系统架构评审期间
在验证第三方供应商协议及DPA时
在欧盟、加州或任何实施隐私法的司法管辖区推出产品之前
在对面向公众的界面进行无障碍合规性审计时
作为数据管道与API的CI合规检查环节的一部分

Iron Laws

核心准则

NEVER report PASS on partial compliance — if any item fails, the result is CONDITIONAL or FAIL; partial compliance masks violations.
ALWAYS include remediation tasks with specific owning agents — vague findings don't produce fixes; every FAIL/CONDITIONAL must specify who fixes it and how.
NEVER skip multi-jurisdiction check — GDPR, CCPA, and 20+ US state laws may all apply; document scope clearly.
ALWAYS verify privacy-by-design at design time — retrofitting privacy after deployment is significantly more costly and less effective.
NEVER treat accessibility as optional — ADA/WCAG compliance carries active litigation risk (ADA lawsuits up 37% H1 2025); all public interfaces must be validated.
ALWAYS document regulation version and date assessed — regulatory guidance evolves; stamp every report with the regulation version and assessment date.

绝不能在部分合规时报告PASS — 若有任何一项不通过，结果即为CONDITIONAL或FAIL；部分合规会掩盖违规问题。
必须包含明确责任人的整改任务 — 模糊的问题发现无法推动修复；每一项FAIL/CONDITIONAL结果都必须明确整改责任人及整改方式。
绝不能跳过跨司法管辖区检查 — GDPR、CCPA及20余项美国州级法律可能同时适用；需明确记录检查范围。
必须在设计阶段验证Privacy-by-Design — 部署后再补加隐私保护成本更高且效果更差。
绝不能将无障碍性视为可选要求 — 不符合ADA/WCAG合规性会带来实际诉讼风险（2025年上半年ADA诉讼量增长37%）；所有面向公众的界面必须经过验证。
必须记录所依据的法规版本及评估日期 — 监管指南会不断更新；每份报告都需标注所依据的法规版本及评估日期。

Workflow

工作流程

Step 1: Scope Definition

步骤1：范围定义

Define which regulations apply to the subject of the assessment:

markdown

undefined

确定评估对象适用的法规：

markdown

undefined

Compliance Scope

合规范围

Subject: [System / Feature / DPA / Interface being assessed]
Jurisdictions: [EU / California / Virginia / Colorado / Other states]
Applicable Regulations:
- GDPR (EU General Data Protection Regulation)
- CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
- US State Laws (VCDPA, CPA, CTDPA, etc.)
- ADA / Section 508 (US accessibility)
- WCAG 2.1/2.2 AA (Web Content Accessibility Guidelines)
- DPA Review (vendor data processing agreement)
Personal Data Categories Involved: [list data types]
Assessment Date: [YYYY-MM-DD]
Regulation Versions Referenced: [e.g., GDPR as amended 2024, CPRA effective 2023]

undefined

评估对象: [待评估的系统/功能/DPA/界面]
司法管辖区: [欧盟/加州/弗吉尼亚州/科罗拉多州/其他州]
适用法规:
- GDPR (欧盟通用数据保护条例)
- CCPA/CPRA (加州消费者隐私法案/加州隐私权利法案)
- 美国州级法律 (VCDPA, CPA, CTDPA, etc.)
- ADA / 第508条 (美国无障碍标准)
- WCAG 2.1/2.2 AA (网页内容无障碍指南)
- DPA评审 (供应商数据处理协议)
涉及的个人数据类别: [列出数据类型]
评估日期: [YYYY-MM-DD]
参考的法规版本: [例如: 2024年修订版GDPR, 2023年生效的CPRA]

undefined

Step 2: GDPR/CCPA Compliance Checklist

步骤2：GDPR/CCPA合规性检查清单

Execute checklist items relevant to the assessed subject:

执行与评估对象相关的检查清单项：

Data Inventory & Mapping

数据清单与映射

All personal data types cataloged (name, email, IP, behavioral data, biometrics, etc.)
Data flows documented: collection → processing → storage → sharing → deletion
Purpose for each data type explicitly defined and limited
Legal basis for processing documented (consent, legitimate interest, contract, legal obligation)
Data retention periods defined per data type

已分类所有个人数据类型（姓名、邮箱、IP地址、行为数据、生物识别数据等）
已记录数据流：收集→处理→存储→共享→删除
已明确界定并限制每种数据类型的使用目的
已记录数据处理的法律依据（同意、合法利益、合同、法定义务）
已为每种数据类型定义保留期限

Consent Management

同意管理

GDPR: Granular consent obtained per processing purpose (not blanket acceptance)
GDPR: Consent as easy to withdraw as to give (one-click unsubscribe)
CCPA: Opt-out mechanism present for data sale/sharing ("Do Not Sell or Share My Personal Information")
Consent records maintained (who consented, when, to what)
Cookie consent implemented for tracking cookies (GDPR only)

GDPR：针对每项处理目的获取精细化同意（而非一次性全盘接受）
GDPR：撤回同意与给予同意同样便捷（一键取消订阅）
CCPA：提供数据销售/共享的退出机制（"请勿销售或共享我的个人信息"）
已留存同意记录（谁、何时、对什么内容表示同意）
已为追踪Cookie实现Cookie同意机制（仅适用于GDPR）

Consumer Rights Processing

消费者权利处理

Right of access request mechanism exists (DSR/DSAR portal or process)
Right to deletion honored within required timeframe (GDPR: 30 days, CCPA: 45 days)
Right to portability supported (GDPR: structured, machine-readable format)
Right to correct/rectify inaccurate data supported
DSR records maintained for 24+ months (audit trail)

存在访问请求机制（DSR/DSAR门户或流程）
在规定时限内履行删除权（GDPR：30天，CCPA：45天）
支持数据可携权（GDPR：结构化、机器可读格式）
支持更正/修正不准确数据的权利
DSR记录留存24个月以上（审计追踪）

Third-Party & Vendor Management

第三方与供应商管理

DPAs in place with all vendors processing personal data
Vendor list maintained and reviewed annually
Standard Contractual Clauses (SCCs) present for international data transfers
Sub-processor notifications in DPAs

与所有处理个人数据的供应商签订DPA
维护供应商列表并每年评审
国际数据传输包含标准合同条款（SCC）
DPA中包含子处理器通知条款

Security Requirements

安全要求

Reasonable security measures implemented (encryption at rest and in transit)
Access controls and principle of least privilege enforced
Breach notification procedure documented (GDPR: 72 hours to supervisory authority)
Security risk assessment conducted for processing activities

已实施合理的安全措施（静态数据与传输数据加密）
实施访问控制与最小权限原则
已记录数据泄露通知流程（GDPR：72小时内通知监管机构）
已针对处理活动开展安全风险评估

Step 3: Privacy-by-Design Review

步骤3：Privacy-by-Design评审

Evaluate against Ann Cavoukian's 7 Foundational Principles:

Principle	Assessment
1. Proactive, not reactive	Is privacy built in from design stage, not added after?
2. Privacy as default	Is the most privacy-protective setting the default?
3. Privacy embedded in design	Is privacy integral to system architecture, not a bolt-on?
4. Full functionality	Does privacy coexist with legitimate business objectives?
5. End-to-end security	Is full lifecycle security ensured from collection to deletion?
6. Visibility & transparency	Are policies and practices open and verifiable?
7. Respect for user privacy	Is user-centricity maintained in all design decisions?

Record each principle as: Implemented / Partial / Missing / Not Applicable

依据Ann Cavoukian的7项基础原则进行评估：

原则	评估内容
1. 主动防护而非被动补救	隐私保护是否从设计阶段就内置其中，而非事后添加？
2. 隐私默认保护	最具隐私保护性的设置是否为默认设置？
3. 隐私嵌入设计	隐私保护是否是系统架构的组成部分，而非附加组件？
4. 功能完整性	隐私保护是否与合法业务目标共存？
5. 端到端安全	是否确保从数据收集到删除的全生命周期安全？
6. 可见性与透明度	政策与实践是否公开且可验证？
7. 尊重用户隐私	所有设计决策是否始终以用户为中心？

每项原则的记录状态为：已实现/部分实现/未实现/不适用

Step 4: ADA/WCAG Accessibility Audit

步骤4：ADA/WCAG无障碍性审计

Evaluate against WCAG 2.1 AA (minimum standard) / WCAG 2.2 AA (current standard):

依据WCAG 2.1 AA（最低标准）/ WCAG 2.2 AA（当前标准）进行评估：

POUR Principles

POUR原则

Perceivable: All non-text content has text alternatives; audio/video has captions/transcripts; content is not restricted to color alone; minimum 4.5:1 contrast ratio for normal text
Operable: All functionality available via keyboard; no keyboard traps; skip navigation links present; sufficient time to interact; no content that seizures (no flashing >3Hz)
Understandable: Language of page set in HTML; error messages are descriptive and helpful; consistent navigation across pages; form labels and instructions clear
Robust: Valid HTML/ARIA; compatible with current assistive technologies; ARIA labels and roles correctly applied

可感知: 所有非文本内容配有文本替代方案；音频/视频配有字幕/文字记录；内容不单纯依赖颜色区分；普通文本的对比度至少为4.5:1
可操作: 所有功能可通过键盘访问；无键盘陷阱；提供跳过导航链接；有足够的交互时间；无引发癫痫的内容（闪烁频率不超过3Hz）
可理解: 页面语言在HTML中设置；错误消息描述性强且有帮助；跨页面导航一致；表单标签与说明清晰
健壮性: HTML/ARIA代码有效；与当前辅助技术兼容；正确应用ARIA标签与角色

AI Interface Specific (2025+)

AI界面专项要求（2025+）

Chatbot interfaces keyboard accessible and screen reader compatible
AI-generated content has proper semantic structure
Alt text provided for AI-generated images
Voice interfaces have visual alternatives

聊天机器人界面可通过键盘访问且兼容屏幕阅读器
AI生成内容具有恰当的语义结构
AI生成图片配有替代文本
语音界面配有视觉替代方案

Severity Classification for Accessibility

无障碍问题严重程度分类

CRITICAL: Completely blocks access for users with disabilities (missing keyboard navigation, no screen reader support)
HIGH: Significantly impedes usage (poor contrast, missing alt text on key images)
MEDIUM: Creates friction but workarounds exist (missing skip links, inconsistent labels)
LOW: Best practice improvement (decorative image has non-empty alt text)

严重: 完全阻碍残障用户访问（缺少键盘导航、不支持屏幕阅读器）
高: 严重阻碍使用（对比度差、关键图片缺少替代文本）
中: 造成使用障碍但存在替代方案（缺少跳过导航链接、标签不一致）
低: 最佳实践优化（装饰性图片的替代文本非空）

Step 5: DPA Validation Checklist

步骤5：DPA验证检查清单

If reviewing a Data Processing Agreement:

若评审数据处理协议：

Required DPA Elements (GDPR Article 28)

DPA必备要素（GDPR第28条）

DPA Quality Flags

DPA质量标识

No vague processing descriptions ("process data as needed") — specificity required
Security measures described with appropriate detail (encryption, access controls, staff training)
Sub-processor list available and maintained
Transfer Impact Assessment (TIA) conducted for high-risk countries

无模糊的处理描述（如"按需处理数据"）——需明确具体
安全措施描述详细恰当（加密、访问控制、员工培训）
可获取并维护子处理器列表
针对高风险国家开展传输影响评估（TIA）

Step 6: Regulatory Monitoring Guidance

步骤6：监管变化监控指南

Provide guidance on maintaining ongoing compliance:

提供持续合规性维护指南：

Monitoring Sources

监控来源

GDPR: European Data Protection Board (EDPB) — https://edpb.europa.eu/
CCPA/CPRA: California Privacy Protection Agency — https://cppa.ca.gov/
US State Laws: IAPP State Privacy Legislation Tracker — https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
WCAG: W3C WAI — https://www.w3.org/WAI/
ADA: US DOJ ADA.gov — https://www.ada.gov/

GDPR: 欧洲数据保护委员会（EDPB）— https://edpb.europa.eu/
CCPA/CPRA: 加州隐私保护局— https://cppa.ca.gov/
美国州级法律: IAPP美国州级隐私立法追踪器— https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
WCAG: W3C无障碍倡议（WAI）— https://www.w3.org/WAI/
ADA: 美国司法部ADA.gov— https://www.ada.gov/

Monitoring Cadence

监控频率

Monthly: Review enforcement actions from supervisory authorities
Quarterly: Check for new or amended state privacy laws
Annually: Full DPA review with all processors; full accessibility audit
On Change: Re-assess whenever data processing activities, vendors, or interfaces change materially

每月: 评审监管机构的执法行动
每季度: 检查新出台或修订的州级隐私法律
每年: 与所有处理方开展全面DPA评审；开展全面无障碍性审计
变更时: 当数据处理活动、供应商或界面发生重大变更时重新评估

Step 7: Produce Compliance Decision

步骤7：生成合规性决策

Output one of three decisions:

json

{
  "decision": "PASS | CONDITIONAL | FAIL",
  "regulationsAssessed": ["GDPR", "CCPA", "WCAG 2.1 AA", "DPA"],
  "assessmentDate": "YYYY-MM-DD",
  "findings": [
    {
      "id": "RC-001",
      "regulation": "GDPR",
      "severity": "CRITICAL | HIGH | MEDIUM | LOW",
      "category": "Consent Management",
      "description": "Cookie consent banner missing for analytics tracking cookies",
      "status": "FAIL",
      "remediation": "Implement cookie consent platform with granular purpose-based opt-in",
      "owner": "developer",
      "deadline": "Before next deployment"
    }
  ],
  "requiredMitigations": [],
  "evidencePaths": [".claude/context/reports/compliance/"],
  "regulatoryLinks": [
    "https://edpb.europa.eu/our-work-tools/documents/public-consultations/2023/guidelines-032023-deceptive-design-patterns_en"
  ],
  "nextReviewDate": "YYYY-MM-DD",
  "recommendedNextStep": "Assign RC-001 to developer agent; re-assess after remediation"
}

Decision Rules:

```
PASS
```
: All applicable checklist items verified, no open findings
```
CONDITIONAL
```
: Minor or medium findings present; allowed to proceed with documented remediation plan
```
FAIL
```
: Critical or high findings present; must remediate before deployment

输出以下三种决策之一：

json

{
  "decision": "PASS | CONDITIONAL | FAIL",
  "regulationsAssessed": ["GDPR", "CCPA", "WCAG 2.1 AA", "DPA"],
  "assessmentDate": "YYYY-MM-DD",
  "findings": [
    {
      "id": "RC-001",
      "regulation": "GDPR",
      "severity": "CRITICAL | HIGH | MEDIUM | LOW",
      "category": "Consent Management",
      "description": "Cookie consent banner missing for analytics tracking cookies",
      "status": "FAIL",
      "remediation": "Implement cookie consent platform with granular purpose-based opt-in",
      "owner": "developer",
      "deadline": "Before next deployment"
    }
  ],
  "requiredMitigations": [],
  "evidencePaths": [".claude/context/reports/compliance/"],
  "regulatoryLinks": [
    "https://edpb.europa.eu/our-work-tools/documents/public-consultations/2023/guidelines-032023-deceptive-design-patterns_en"
  ],
  "nextReviewDate": "YYYY-MM-DD",
  "recommendedNextStep": "Assign RC-001 to developer agent; re-assess after remediation"
}

决策规则：

```
PASS
```
: 所有适用的检查项均通过验证，无未解决问题
```
CONDITIONAL
```
: 存在轻微或中等问题；可在记录整改计划后继续推进
```
FAIL
```
: 存在严重或高风险问题；必须在部署前完成整改

Output Protocol

输出协议

Report Location

报告存储位置

Save compliance reports to:

.claude/context/reports/compliance/

Naming:

{subject}-compliance-{YYYY-MM-DD}.md

合规报告保存至：

.claude/context/reports/compliance/

命名规则:

{评估对象}-compliance-{YYYY-MM-DD}.md

Report Sections (Required)

报告必备章节

Scope definition (Step 1 output)
GDPR/CCPA checklist results (Step 2)
Privacy-by-design assessment (Step 3)
Accessibility audit results (Step 4, if applicable)
DPA validation (Step 5, if applicable)
Structured decision JSON (Step 7)
Remediation task list with owners and deadlines
Regulatory monitoring recommendations

范围定义（步骤1输出）
GDPR/CCPA检查清单结果（步骤2）
Privacy-by-Design评估（步骤3）
无障碍性审计结果（步骤4，如适用）
DPA验证结果（步骤5，如适用）
结构化决策JSON（步骤7）
包含责任人与截止日期的整改任务列表
监管变化监控建议

Anti-Patterns

反模式

Anti-Pattern	Why It Fails	Correct Approach
Checking GDPR only, ignoring CCPA/state laws	Multi-jurisdiction exposure missed	Always assess all applicable jurisdictions
Reporting PASS when most items pass	Partial compliance is non-compliance	CONDITIONAL/FAIL for any open finding
Generic "implement encryption" remediation	Developer cannot act on vague guidance	Specific: "AES-256 encryption for PII fields in users table"
One-time audit treated as ongoing compliance	Regulations change quarterly	Establish continuous monitoring cadence
Treating accessibility as a nice-to-have	ADA lawsuits are an active legal risk	WCAG 2.1 AA compliance is non-negotiable for public interfaces
DPA with vague processing description	Regulators reject vague DPAs	Specify exact data types, processing purpose, retention periods

反模式	失败原因	正确做法
仅检查GDPR，忽略CCPA/州级法律	遗漏跨司法管辖区合规风险	始终评估所有适用的司法管辖区
多数项通过即报告PASS	部分合规仍属违规	存在任何未解决问题均标记为CONDITIONAL/FAIL
泛泛的"实施加密"整改建议	开发人员无法依据模糊指导采取行动	具体明确："对用户表中的PII字段采用AES-256加密"
将一次性审计视为持续合规	法规每季度都会变化	建立持续监控机制
将无障碍性视为可选功能	ADA诉讼是实际存在的法律风险	面向公众的界面必须符合WCAG 2.1 AA合规要求
DPA中包含模糊的处理描述	监管机构不接受模糊的DPA	明确指定确切的数据类型、处理目的与保留期限

Enforcement Hooks

执行钩子

Input validated against

schemas/input.schema.json

before execution. Output contract defined in

schemas/output.schema.json

. Pre-execution hook:

hooks/pre-execute.cjs

Post-execution hook:

hooks/post-execute.cjs

(emits observability event)

执行前依据

schemas/input.schema.json

验证输入。输出契约定义于

schemas/output.schema.json

。执行前钩子：

hooks/pre-execute.cjs

执行后钩子：

hooks/post-execute.cjs

（发送可观测事件）

Memory Protocol

内存协议

Before starting:

bash

cat .claude/context/memory/learnings.md

Check for:

Previous compliance assessments on similar systems
Known regulatory patterns and documented decisions
Outstanding compliance blockers in issues.md

After completing:

New compliance findings → Append to
```
.claude/context/memory/issues.md
```
Regulatory decisions → Append to
```
.claude/context/memory/decisions.md
```
Successful compliance patterns → Append to
```
.claude/context/memory/learnings.md
```

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

开始前：