compliance-check
Run a compliance check on a proposed action, product feature, or business initiative, surfacing applicable regulations, required approvals, and risk areas. Use when launching a feature that touches personal data, when marketing or product proposes something with regulatory implications, or when you need to know which approvals and jurisdictional requirements apply before proceeding.
Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download → extract → install, fully automatic.
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o compliance-check.zip https://jpskill.com/download/22632.zip && unzip -o compliance-check.zip && rm compliance-check.zip
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/22632.zip -OutFile "$d\compliance-check.zip"; Expand-Archive "$d\compliance-check.zip" -DestinationPath $d -Force; ri "$d\compliance-check.zip"
When it finishes, restart Claude Code → just ask it something normally, such as "make a video prompt", and the skill fires automatically.
💾 Manual download (for those who find the command difficult)
1. Click the blue button below to download compliance-check.zip
2. Double-click the ZIP file to extract it → a compliance-check folder is created
3. Move that folder to C:\Users\<your name>\.claude\skills\ (Win) or ~/.claude/skills/ (Mac)
4. Restart Claude Code
⚠️ Download and use at your own risk. This site accepts no responsibility for the content, operation, or safety of the skill.
🎯 What this Skill does
Reading the description below tells you what this Skill does for you. It activates automatically when you ask Claude for help in this area.
📦 Installation (3 steps)
1. Click the "Download" button above to get the .skill file
2. Change the file extension from .skill to .zip and extract it (macOS can extract it automatically)
3. Put the extracted folder in .claude/skills/ under your home folder:
   - macOS / Linux: ~/.claude/skills/
   - Windows: %USERPROFILE%\.claude\skills\
Restart Claude Code and you are done. You do not need to say "use this Skill to..."; it is invoked automatically for related requests.
- Last updated: 2026-05-18
- Retrieved: 2026-05-18
- Bundled files: 1
📜 Original SKILL.md (the English/Chinese text that Claude reads)
/compliance-check -- Compliance Review
If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.
Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.
Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.
Usage
/compliance-check $ARGUMENTS
What I Need From You
Describe what you're planning to do. Examples:
- "We want to launch a referral program with cash rewards"
- "We're adding biometric authentication to our mobile app"
- "We need to process EU customer data in our US data center"
- "Marketing wants to use customer testimonials in ads"
Output
## Compliance Check: [Initiative]
### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]
### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |
### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |
### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |
### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]
### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |
### Further Review Recommended
[Areas where outside counsel or specialist review is advised]
Privacy Regulation Overview
GDPR (General Data Protection Regulation)
Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.
Key Obligations for In-House Legal Teams:
- Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
- Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
- Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
- Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
- Records of processing: Maintain Article 30 records of processing activities
- International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
- DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)
Common In-House Legal Touchpoints:
- Reviewing vendor DPAs for GDPR compliance
- Advising product teams on privacy by design requirements
- Responding to supervisory authority inquiries
- Managing cross-border data transfer mechanisms
- Reviewing consent mechanisms and privacy notices
CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.
Key Obligations:
- Right to know: Consumers can request disclosure of personal information collected, used, and shared
- Right to delete: Consumers can request deletion of their personal information
- Right to opt-out: Consumers can opt out of the sale or sharing of personal information
- Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
- Right to limit use of sensitive personal information: Consumers can limit use of sensitive PI to specific purposes (CPRA addition)
- Non-discrimination: Cannot discriminate against consumers who exercise their rights
- Privacy notice: Must provide a privacy notice at or before collection describing categories of PI collected and purposes
- Service provider agreements: Contracts with service providers must restrict use of PI to the specified business purpose
Response Timelines:
- Acknowledge receipt within 10 business days
- Respond substantively within 45 calendar days (extendable by 45 days with notice)
Other Key Regulations to Monitor
| Regulation | Jurisdiction | Key Differentiators |
|---|---|---|
| LGPD (Brazil) | Brazil | Similar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement |
| POPIA (South Africa) | South Africa | Information Regulator oversight; required registration of processing |
| PIPEDA (Canada) | Canada (federal) | Consent-based framework; OPC oversight; being modernized |
| PDPA (Singapore) | Singapore | Do Not Call registry; mandatory breach notification; PDPC enforcement |
| Privacy Act (Australia) | Australia | Australian Privacy Principles (APPs); notifiable data breaches scheme |
| PIPL (China) | China | Strict cross-border transfer rules; data localization requirements; CAC oversight |
| UK GDPR | United Kingdom | Post-Brexit UK version; ICO oversight; similar to EU GDPR with UK-specific adequacy |
DPA Review Checklist
When reviewing a Data Processing Agreement or Data Processing Addendum, verify the following:
Required Elements (GDPR Article 28)
- [ ] Subject matter and duration: Clearly defined scope and term of processing
- [ ] Nature and purpose: Specific description of what processing will occur and why
- [ ] Type of personal data: Categories of personal data being processed
- [ ] Categories of data subjects: Whose personal data is being processed
- [ ] Controller obligations and rights: Controller's instructions and oversight rights
Processor Obligations
- [ ] Process only on documented instructions: Processor commits to process only per controller's instructions (with exception for legal requirements)
- [ ] Confidentiality: Personnel authorized to process have committed to confidentiality
- [ ] Security measures: Appropriate technical and organizational measures described (Article 32 reference)
- [ ] Sub-processor requirements:
  - [ ] Written authorization requirement (general or specific)
  - [ ] If general authorization: notification of changes with opportunity to object
  - [ ] Sub-processors bound by same obligations via written agreement
  - [ ] Processor remains liable for sub-processor performance
- [ ] Data subject rights assistance: Processor will assist controller in responding to data subject requests
- [ ] Security and breach assistance: Processor will assist with security obligations, breach notification, DPIAs, and prior consultation
- [ ] Deletion or return: On termination, delete or return all personal data (at controller's choice) and delete existing copies unless legal retention required
- [ ] Audit rights: Controller has right to conduct audits and inspections (or accept third-party audit reports)
- [ ] Breach notification: Processor will notify controller of personal data breaches without undue delay (ideally within 24-48 hours; must enable controller to meet 72-hour regulatory deadline)
International Transfers
- [ ] Transfer mechanism identified: SCCs, adequacy decision, BCRs, or other valid mechanism
- [ ] SCCs version: Using current EU SCCs (June 2021 version) if applicable
- [ ] Correct module: Appropriate SCC module selected (C2P, C2C, P2P, P2C)
- [ ] Transfer impact assessment: Completed if transferring to countries without adequacy decisions
- [ ] Supplementary measures: Technical, organizational, or contractual measures to address gaps identified in transfer impact assessment
- [ ] UK addendum: If UK personal data is in scope, UK International Data Transfer Addendum included
Practical Considerations
- [ ] Liability: DPA liability provisions align with (or don't conflict with) the main services agreement
- [ ] Termination alignment: DPA term aligns with the services agreement
- [ ] Data locations: Processing locations specified and acceptable
- [ ] Security standards: Specific security standards or certifications required (SOC 2, ISO 27001, etc.)
- [ ] Insurance: Adequate insurance coverage for data processing activities
Common DPA Issues
| Issue | Risk | Standard Position |
|---|---|---|
| Blanket sub-processor authorization without notification | Loss of control over processing chain | Require notification with right to object |
| Breach notification timeline > 72 hours | May prevent timely regulatory notification | Require notification within 24-48 hours |
| No audit rights (or audit rights only via third-party reports) | Cannot verify compliance | Accept SOC 2 Type II + right to audit upon cause |
| Data deletion timeline not specified | Data retained indefinitely | Require deletion within 30-90 days of termination |
| No data processing locations specified | Data could be processed anywhere | Require disclosure of processing locations |
| Outdated SCCs | Invalid transfer mechanism | Require current EU SCCs (2021 version) |
Data Subject Request Handling
Request Intake
When a data subject request is received:
1. Identify the request type:
   - Access (copy of personal data)
   - Rectification (correction of inaccurate data)
   - Erasure / deletion ("right to be forgotten")
   - Restriction of processing
   - Data portability (structured, machine-readable format)
   - Objection to processing
   - Opt-out of sale/sharing (CCPA/CPRA)
   - Limit use of sensitive personal information (CPRA)
2. Identify applicable regulation(s):
   - Where is the data subject located?
   - Which laws apply based on your organization's presence and activities?
   - What are the specific requirements and timelines?
3. Verify identity:
   - Confirm the requester is who they claim to be
   - Use reasonable verification measures proportionate to the sensitivity of the data
   - Do not require excessive documentation
4. Log the request:
   - Date received
   - Request type
   - Requester identity
   - Applicable regulation
   - Response deadline
   - Assigned handler
Response Timelines
| Regulation | Initial Acknowledgment | Substantive Response | Extension |
|---|---|---|---|
| GDPR | Not specified (best practice: promptly) | 30 days | +60 days (with notice) |
| CCPA/CPRA | 10 business days | 45 calendar days | +45 days (with notice) |
| UK GDPR | Not specified (best practice: promptly) | 30 days | +60 days (with notice) |
| LGPD | Not specified | 15 days | Limited extensions |
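As an added example that is not part of the SKILL.md, the intake log from the steps above becomes a small Python helper that validates the record and computes the acknowledgment and response deadlines from the Response Timelines table. It assumes a Mon-Fri business week with no public holidays, and treats opt-out and sensitive-PI requests as CCPA/CPRA-only rights, as the intake list marks them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures exactly as the Response Timelines table states them: acknowledgment in
# business days (None = no figure given), response/extension in calendar days
# (extension None = only "limited extensions", so no fixed extended date exists).
TIMELINES = {
    "GDPR":      {"ack_bdays": None, "response": 30, "extension": 60},
    "UK GDPR":   {"ack_bdays": None, "response": 30, "extension": 60},
    "CCPA/CPRA": {"ack_bdays": 10,   "response": 45, "extension": 45},
    "LGPD":      {"ack_bdays": None, "response": 15, "extension": None},
}
# Request types from the intake list; the last two are CCPA/CPRA-only rights.
REQUEST_TYPES = {"access", "rectification", "erasure", "restriction",
                 "portability", "objection", "opt-out", "limit-sensitive"}
CCPA_ONLY_TYPES = {"opt-out", "limit-sensitive"}


def add_business_days(start: date, n: int) -> date:
    """Advance n Mon-Fri days after start (assumption: public holidays are not
    modelled; add a per-jurisdiction holiday set for real use)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 = Monday..Friday
            n -= 1
    return d


@dataclass(frozen=True)
class RequestLog:
    """One intake record with the fields the 'Log the request' step lists."""
    date_received: date
    request_type: str
    requester_identity: str
    regulation: str
    assigned_handler: str

    def acknowledgment_deadline(self) -> Optional[date]:
        n = TIMELINES[self.regulation]["ack_bdays"]
        return None if n is None else add_business_days(self.date_received, n)

    def response_deadline(self, extended: bool = False) -> date:
        t = TIMELINES[self.regulation]
        if extended and t["extension"] is None:
            raise ValueError(f"{self.regulation}: no fixed extension period on file")
        days = t["response"] + (t["extension"] if extended else 0)
        return self.date_received + timedelta(days=days)


def log_request(received: date, rtype: str, identity: str, regulation: str, handler: str) -> RequestLog:
    if regulation not in TIMELINES:
        raise ValueError(f"no timeline on file for {regulation!r}")
    if rtype not in REQUEST_TYPES:
        raise ValueError(f"unknown request type {rtype!r}")
    if rtype in CCPA_ONLY_TYPES and regulation != "CCPA/CPRA":
        raise ValueError(f"{rtype!r} is a CCPA/CPRA right, not available under {regulation}")
    return RequestLog(received, rtype, identity, regulation, handler)
```

The extended deadline is only a planning date; the notice to the requester that the table requires still has to be sent within the initial period.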
Exemptions and Exceptions
Before fulfilling a request, check whether any exemptions apply:
Common exemptions across regulations:
- Legal claims defense or establishment
- Legal obligations requiring retention
- Public interest or official authority
- Freedom of expression and information (for erasure requests)
- Archiving in the public interest or scientific/historical research
Organization-specific considerations:
- Litigation hold: Data subject to a legal hold cannot be deleted
- Regulatory retention: Financial records, employment records, and other categories may have mandatory retention periods
- Third-party rights: Fulfilling the request might adversely affect the rights of others
Response Process
- Gather all personal data of the requester across systems
- Apply any exemptions and document the basis
- Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled
- If denying (in whole or part): cite the specific legal basis for denial
- Inform the requester of their right to lodge a complaint with the supervisory authority
- Document the response and retain records of the request and response
Regulatory Monitoring Basics
What to Monitor
Maintain awareness of developments in:
- Regulatory guidance: New or updated guidance from supervisory authorities (ICO, CNIL, FTC, state AGs, etc.)
- Enforcement actions: Fines, orders, and settlements that signal regulatory priorities
- Legislative changes: New privacy laws, amendments to existing laws, implementing regulations
- Industry standards: Updates to ISO 27001, SOC 2, NIST frameworks, and sector-specific requirements
- Cross-border transfer developments: Adequacy decisions, SCC updates, data localization requirements
Monitoring Approach
- Subscribe to regulatory authority communications (newsletters, RSS feeds, official announcements)
- Track relevant legal publications for analysis of new developments
- Review industry association updates for sector-specific guidance
- Maintain a regulatory calendar of known upcoming deadlines, effective dates, and compliance milestones
- Brief the legal team on material developments that affect the organization's processing activities
Escalation Criteria
Escalate regulatory developments to senior counsel or leadership when:
- A new regulation or guidance directly affects the organization's core business activities
- An enforcement action in the organization's sector signals heightened regulatory scrutiny
- A compliance deadline is approaching that requires organizational changes
- A data transfer mechanism the organization relies on is challenged or invalidated
- A regulatory authority initiates an inquiry or investigation involving the organization
Tips
- Be specific — "We want to email all our users" is better than "marketing campaign."
- Include the geography — Compliance requirements vary by jurisdiction.
- Mention the data — What personal data is involved? This drives most compliance requirements.