
GDPR Data Handling

A practical implementation guide for GDPR-compliant data handling built on privacy-by-design, data minimization, and a full data-subject-rights workflow. It covers consent lifecycle management, access and erasure request handling, retention policy enforcement, and 72-hour breach notification with working code patterns. Designed to make compliance structural, so a leak or violation is caught at every layer rather than discovered after a fine.

$15 one-time

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time

Inside the run · no black box

See the actual work before you buy it.

Compliance here is machinery, not a policy PDF. Every processing activity maps to an Article 6 basis, consent lives as a full lifecycle with proof, erasure stays honest about legal retention, and the 72-hour breach clock comes pre-coded.

  1. Classifies every processing activity against the six Article 6 lawful bases first and records the result (account is contract, tax records are legal obligation, marketing email is consent, security logs are legitimate interest), because choosing consent as the basis means a withdrawal right must exist.
  2. Builds consent as a lifecycle, not a checkbox: each record stores purpose, granted flag, timestamp, source, policy version and IP as proof; withdrawal emits an event downstream so marketing stops and analytics tags drop; pre-checked boxes are banned outright.
  3. Implements data subject request handling against the 30-day legal clock: access requests collect from every data source into one structured export, portability ships machine-readable JSON, and the deadline plus audit trail live on the request record itself.
  4. Runs erasure the honest way: every data source is asked can_delete first; what can be deleted is deleted, and what cannot (a 7-year tax retention, for example) is kept with the legal reason documented instead of silently skipped.
  5. Enforces retention per data category: defined periods with a basis and a trigger date, archive-then-delete where required, and anonymization instead of deletion for analytics (user id, IP and device id nulled in place).
  6. Keeps the 72-hour breach machinery pre-coded: detection starts the countdown, DPO and security are notified immediately, the authority report generator is ready, and HIGH/CRITICAL severity triggers individual user notification in parallel.
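
A sketch of the erasure flow from steps 3 and 4, added here as an illustration and not taken from the product's own code. Only the name can_delete comes from the page; DataSource, ErasureRequest, process_erasure and the sample data are hypothetical and constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)  # the 30-day clock named in step 3

@dataclass
class DataSource:                      # hypothetical wrapper around one store
    name: str
    records: dict                      # user_id -> stored data (constructed)
    retention_reason: Optional[str] = None  # legal reason blocking deletion

    def can_delete(self, user_id):
        """Return (allowed, reason); reason documents why data is kept."""
        if self.retention_reason and user_id in self.records:
            return False, self.retention_reason
        return True, None

    def delete(self, user_id):
        return self.records.pop(user_id, None) is not None

@dataclass
class ErasureRequest:                  # deadline and audit trail on the record
    user_id: str
    received_at: datetime
    audit: list = field(default_factory=list)

    @property
    def deadline(self):
        return self.received_at + RESPONSE_WINDOW

def process_erasure(request, sources, now):
    """Ask every source can_delete first; delete, or log why data is kept."""
    for src in sources:
        allowed, reason = src.can_delete(request.user_id)
        if allowed:
            outcome = "deleted" if src.delete(request.user_id) else "no_data"
        else:
            outcome = "retained"       # never skipped silently
        request.audit.append({"source": src.name, "outcome": outcome,
                              "reason": reason, "at": now.isoformat()})
    request.audit.append({"event": "completed", "at": now.isoformat(),
                          "within_deadline": now <= request.deadline})
    return request.audit

def demo(days_taken=5):
    received = datetime(2024, 3, 1, tzinfo=timezone.utc)
    sources = [  # constructed sample stores
        DataSource("profiles", {"u1": {"email": "a@example.test"}}),
        DataSource("invoices", {"u1": {"total": 120}}, "7-year tax retention"),
        DataSource("newsletter", {}),
    ]
    req = ErasureRequest("u1", received)
    return process_erasure(req, sources, received + timedelta(days=days_taken)), sources
```
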
Use cases · what happens when you plug it in

  1. Building systems that process EU personal data with a lawful basis per activity
  2. Implementing opt-in consent management with full audit trails
  3. Handling data subject access, erasure, and portability requests within deadline
  4. Enforcing retention policies with anonymization or deletion at expiry
  5. Designing a privacy-first data model that separates and encrypts PII
  6. Running a 72-hour breach notification process for the authority and affected users

Benefits · what you walk away with

Yours to keep.

Your forge

  1. Avoid fines of up to 4% of global revenue with structural, documented compliance
  2. Build user trust through transparent consent and fast response to deletion requests
  3. Respond to data subject requests inside the legal one-month window every time
  4. Limit breach exposure by minimizing data collected and encrypting what you keep

license: perpetual

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.

Consent management data model and service with audit log and downstream events

part 01 of 06 · in the box

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

Engineers and compliance owners building systems that process EU personal data and need GDPR compliance baked into the architecture, not bolted on.

then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air

  1. We're based outside the EU, does this still apply to us?

    If you process personal data of people in the EU, GDPR applies regardless of where your company sits. The guide helps you meet those obligations structurally, from consent lifecycle to data-subject request handling.

  2. How does it handle erasure requests in practice?

    It ships request handlers for access, erasure, and portability with legal-exception checks, plus a retention engine that anonymizes or deletes expired data per category. Every consent change and request lands in an audit log.

  3. Does implementing this make us certified GDPR-compliant?

    No. It gives you working code patterns and documented, structural compliance, but it isn't legal advice or a certification. The final compliance review still belongs with your legal counsel.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.