Claude Privacy-Legal Plugin
Run Anthropic's privacy-legal plugin: 7 skills for DPA review (bi-directional), DSAR response, PIA generation, use-case triage, regulation gap analysis, and policy drift monitoring. GDPR + CCPA + state law coverage. 8 lessons + certificate.
Anthropic shipped a privacy counsel plugin on May 12, 2026 — and it knows controller vs processor out of the box
The privacy-legal plugin covers in-house privacy counsel workflows: DPA review (bi-directional: on the customer side it defends your operational flexibility, on the vendor side it protects your data), DSAR response drafting under GDPR, CCPA and state laws, PIA generation in your house format, use-case triage for new processing activities, regulation gap analysis when new privacy laws emerge, and policy drift monitoring against your actual practice.
The plugin learns from your seed documents: your privacy policy URL, your standard DPA template, and one reference PIA you’re happy with. From these, it captures your actual positions and house style. Subsequent skills apply your positions automatically — DPA reviews flag where the counterparty’s terms deviate from your playbook; PIA generation produces output in your house format; use-case triage applies your firm’s risk thresholds.
This course walks through the 7 skills: `cold-start-interview`, `use-case-triage`, `dpa-review`, `dsar-response`, `pia-generation`, `reg-gap-analysis`, `policy-monitor`. You’ll learn GDPR’s Article 35 DPIA criteria, CCPA’s DSAR identity verification requirements, the controller-vs-processor flip across DPAs, Schrems II and SCC (Standard Contractual Clauses) compliance, state law variations (CCPA / CPRA / VA / CO / CT / UT / NJ / KY / NE / TX), and the `policy-monitor` drift detection that catches when your practice has diverged from your stated policy.
You’ll come out with a CLAUDE.md profile at ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md, a sample DSAR response file demonstrating the GDPR + CCPA workflow, a sample PIA in your house format, and a credential (PRIV-XXXXXX) documenting the work. The plugin costs nothing beyond your Claude Pro subscription. The operating discipline this course teaches is the difference between AI that helps with privacy work and AI that you’d actually deploy on a regulator inquiry.
What You'll Learn
- Install and cold-start the privacy-legal plugin with your privacy policy + DPA template + reference PIA as seed documents
- Run `dpa-review` bi-directionally (customer DPA vs vendor DPA) and produce playbook-aligned redlines
- Operate the `dsar-response` workflow (verify identity → walk systems → apply exemptions → draft response) under GDPR + CCPA + state law
- Generate PIAs via `pia-generation` with house format + policy consistency check; classify PIA vs DPIA requirements
- Apply `use-case-triage` for PROCEED / PIA REQUIRED / DPIA MANDATORY / STOP decisions on new processing activities
After This Course, You Can
What You'll Build
Course Syllabus
Prerequisites
- Active privacy counsel or program manager role
- Recommended: The Hallucination Defense Playbook (HDP) for the verification rail
- Claude Cowork or Claude Code installed; ability to install plugins from the Anthropic marketplace
Who Is This For?
- Privacy counsel (in-house + outside)
- Privacy program managers handling DPAs, DSARs, vendor reviews
- Product counsel for PIA on new features and launches
- Support / CS leads handling DSAR first-line response
- DPOs (EU + UK)
- Compliance officers tracking multi-jurisdiction privacy regulation
Frequently Asked Questions
Does the plugin replace OneTrust, TrustArc, BigID, or similar privacy platforms?
Partially. The plugin's strength is the lawyer-facing analysis: DPA review, DSAR drafting, PIA generation, use-case triage. Platform vendors provide the operational layer (system inventory, automated DSAR routing, consent management). They complement each other: the plugin produces lawyer-quality analysis; the platforms automate the rest of the workflow.
Controller vs processor — how does the plugin handle the role flip?
The cold-start interview captures whether you are typically a controller (you decide purposes and means), a processor (you process on someone else's behalf), or both, depending on the activity. DPA review auto-detects direction: on a customer DPA you are the processor defending your operational flexibility; on a vendor DPA you are the controller protecting your data while engaging them as a processor.
How does the plugin handle multi-jurisdiction DSARs (e.g., a request from someone covered by both GDPR and CCPA)?
The dsar-response workflow applies the most protective standard: typically GDPR for an EU resident, CCPA for a California resident, and both if the data was collected before a change of residence. The skill walks each applicable framework's identity verification, exemption analysis, and response requirements separately, then composes the response.
PIA vs DPIA — when does each apply?
A PIA is your internal process for any new processing activity. A DPIA is the GDPR Article 35 requirement for high-risk processing (large-scale special category data, systematic monitoring, and so on). The use-case-triage skill classifies each activity: PIA REQUIRED for moderate-risk activities, DPIA MANDATORY when the GDPR Article 35 criteria apply.
How does this work with other practice-area plugins?
Privacy-legal pairs with: Commercial-Legal (DPAs are commercial contracts), Employment-Legal (employee data privacy), Corporate-Legal (M&A privacy diligence), and HDP for the verification rail. Many firms run all of these as the practice-area plugin stack.