GDPR Shift-Left Compliance
Industry scenarios · by kevinrabun
GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.
What is GDPR Shift-Left Compliance?
GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.
README
GDPR Shift-Left MCP Server
<!-- mcp-name: io.github.KevinRabun/GDPRShiftLeftMCP -->

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.
⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.
Features
🔍 GDPR Knowledge Base (34 Tools)
- Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
- Definitions — Art. 4 term definitions with contextual explanations
- Chapter Navigation — Browse articles by chapter with full directory
- Azure Mappings — Map GDPR articles to Azure services and controls
📋 Compliance Workflows
- DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
- ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
- DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
- Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
- Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists
🏗️ Infrastructure & Code Review
- Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
- Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
- GDPR Config Validator — Pass/fail validation in strict or advisory mode
- DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
- Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)
- Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
- Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
- AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
- PII detection in function parameters and variables
- Cross-border transfer detection via import analysis (150+ providers with risk justifications)
- PII logging violation detection
- DSR implementation pattern verification
- Data flow tracking and call graph analysis
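To make the IaC analyzer's idea concrete, here is an added illustrative example (not the project's own `analyzer.py` code) of a minimal Bicep scanner: it splits a file into resource blocks by brace matching, then flags a non-EU/EEA region (residency, Art. 44) and weak storage/Key Vault settings (security of processing, Art. 32). The Bicep input, the EU region list and the property names checked are constructed for this example.

```python
import re

# Constructed Bicep input (not from the project): one storage account with
# residency and access gaps, and one compliant EU Key Vault.
SAMPLE_BICEP = """
resource st 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stpersonaldata'
  location: 'eastus'
  properties: {
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: true
    minimumTlsVersion: 'TLS1_0'
  }
}
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kvgdpr'
  location: 'westeurope'
  properties: { enablePurgeProtection: true }
}
"""

EU_REGIONS = {"westeurope", "northeurope", "francecentral", "germanywestcentral"}
HEADER_RE = re.compile(r"resource\s+(\w+)\s+'([^'@]+)@[^']*'\s*=\s*\{")
PROP_RE = re.compile(r"(\w+):\s*(?:'([^']*)'|(true|false))")  # scalar props only


def parse_resources(bicep: str) -> list[dict]:
    """Return {symbol, type, props} per resource; nested braces are matched."""
    resources = []
    for m in HEADER_RE.finditer(bicep):
        depth, i = 1, m.end()
        while depth and i < len(bicep):  # advance to the brace closing this resource
            depth += {"{": 1, "}": -1}.get(bicep[i], 0)
            i += 1
        props = {}
        for pm in PROP_RE.finditer(bicep[m.end():i]):
            props[pm.group(1)] = pm.group(2) if pm.group(2) is not None else pm.group(3) == "true"
        resources.append({"symbol": m.group(1), "type": m.group(2), "props": props})
    return resources


def check_gdpr(bicep: str) -> list[tuple[str, str, str]]:
    """Return (symbol, article, message) findings for residency and security gaps."""
    findings = []
    for r in parse_resources(bicep):
        p, sym = r["props"], r["symbol"]
        if p.get("location") not in EU_REGIONS:
            findings.append((sym, "Art. 44", f"region {p.get('location')!r} is outside the EU/EEA"))
        if r["type"] == "Microsoft.Storage/storageAccounts":
            if p.get("allowBlobPublicAccess") is not False:
                findings.append((sym, "Art. 32", "allowBlobPublicAccess must be false"))
            if p.get("supportsHttpsTrafficOnly") is not True:
                findings.append((sym, "Art. 32", "supportsHttpsTrafficOnly must be true"))
            if p.get("minimumTlsVersion") != "TLS1_2":
                findings.append((sym, "Art. 32", "minimumTlsVersion must be TLS1_2"))
        if r["type"] == "Microsoft.KeyVault/vaults" and p.get("enablePurgeProtection") is not True:
            findings.append((sym, "Art. 32", "enablePurgeProtection must be true"))
    return findings
```

Missing properties count as findings (the checks use `is not True` / `is not False`), which is the shift-left default: a template that stays silent about a control is treated as not having it.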
📝 Guided Prompts (8 Expert Prompts)
- Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
- Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers
📐 Azure Bicep Templates (19 Templates)
- Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
- Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
- Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
- Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
- Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
- App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
- Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
- Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
- Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
- PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
- Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))
- AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))
- Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)
- Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))
- Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))
- Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)
- Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)
- API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)
- Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)
Quick Start
Prerequisites
- Python 3.10+
- VS Code with GitHub Copilot
Installation
Install from the MCP Registry (recommended)
The server is published to the MCP Registry. You can install it directly in VS Code:
- Open the Extensions view (Ctrl+Shift+X)
- Type `@mcp GDPR` in the search field
- Click Install on "GDPR Shift-Left Compliance"

Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):

```json
"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"
```

This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.
Install via uvx (no clone needed)
```bash
uvx gdpr-shift-left-mcp
```
Install from source
```bash
# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"
```
VS Code Integration
The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.
To configure manually, add to your VS Code settings:
```json
{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}
```
Running the Server
```bash
# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp
```
Tool Reference
| Tool | Description | GDPR Articles |
|---|---|---|
| get_article | Retrieve a GDPR article by number | All |
| list_chapter_articles | List all articles in a chapter | All |
| search_gdpr | Full-text search across GDPR | All |
| get_recital | Retrieve a recital by number | All |
| get_azure_mapping | Azure services for a GDPR article | All |
| get_definition | Art. 4 term definition | Art. 4 |
| list_definitions | List all definitions | Art. 4 |
| search_definitions | Search definitions | Art. 4 |
| assess_dpia_need | Check if DPIA is required | Art. 35 |
| generate_dpia_template | Generate DPIA document | Art. 35 |
| get_dpia_guidance | DPIA area guidance | Art. 35–36 |
| generate_ropa_template | Art. 30 ROPA template | Art. 30 |
| validate_ropa | Validate ROPA completeness | Art. 30 |
| get_ropa_requirements | ROPA field requirements | Art. 30 |
| get_dsr_guidance | DSR handling guidance | Arts. 12–23 |
| generate_dsr_workflow | DSR fulfilment workflow | Arts. 12–23 |
| get_dsr_timeline | DSR response timelines | Art. 12(3) |
| analyze_infrastructure_code | Scan IaC for GDPR issues | Art. 25, 32, 44 |
| analyze_application_code | Scan app code for GDPR issues | Art. 5, 25, 32 |
| validate_gdpr_config | Pass/fail GDPR validation | All |
| assess_retention_policy | Assess retention policy | Art. 5(1)(e) |
| get_retention_guidance | Category-specific retention | Art. 5(1)(e) |
| check_deletion_requirements | Deletion capability checklist | Art. 17 |
| assess_controller_processor_role | Assess data controller/processor role | Art. 4, 24, 26, 28 |
| get_role_obligations | Role-specific GDPR obligations | Art. 24, 26, 28 |
| analyze_code_for_role_indicators | Detect controller/processor code patterns | Art. 4, 24, 28 |
| generate_dpa_checklist | Art. 28 DPA agreement checklist | Art. 28 |
| get_role_scenarios | Common role classification scenarios | Art. 4, 24, 26, 28 |
| analyze_dsr_capabilities | Detect DSR implementation (access, erase, portability, etc.) | Arts. 15–22 |
| analyze_cross_border_transfers | Detect third-party APIs/SDKs with risk justifications | Arts. 44–49 |
| analyze_breach_readiness | Assess breach detection, logging, and notification capabilities | Arts. 33–34 |
| analyze_data_flow | Map personal data lifecycle (collection, storage, transmission, deletion) | Art. 30 |
| analyze_code_ast | Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR) | Art. 5, 25, 32, 44 |
| get_ast_capabilities | Get AST analyzer supported languages and features | All |
Architecture
```text
src/gdpr_shift_left_mcp/
├── __init__.py          # Package init
├── __main__.py          # Entry point
├── server.py            # FastMCP server + prompt registration
├── disclaimer.py        # Legal disclaimer utility
├── data_loader.py       # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py      # Tool registration (34 tools)
│   ├── articles.py      # Article/recital/search tools
│   ├── definitions.py   # Art. 4 definition tools
│   ├── dpia.py          # DPIA assessment tools
│   ├── ropa.py          # ROPA builder tools
│   ├── dsr.py           # Data subject rights tools
│   ├── analyzer.py      # IaC + app code analyzer
│   ├── ast_analyzer.py  # AST-based deep code analysis
│   ├── retention.py     # Retention/deletion tools
│   └── role_classifier.py  # Controller/processor role classification
├── prompts/
│   ├── __init__.py      # Prompt loader
│   └── *.txt            # 8 expert prompt templates
└── templates/
    ├── __init__.py      # Template loader
    └── *.bicep          # GDPR-aligned Azure Bicep templates
```
Testing
```bash
# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges
```
Online Updates
The server fetches GDPR data from a configurable online source, with local caching:
- Source URL: Set via the `GDPR_SOURCE_URL` environment variable
- Cache TTL: Default 1 hour (configurable via `GDPR_CACHE_TTL`)
- Cache directory: `__gdpr_cache__/` (configurable via `GDPR_CACHE_DIR`)
- Fallback: Built-in data if online fetch fails
Contributing
See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:
- `feature/<name>` for new features
- `bugfix/<name>` for fixes
- `release/<version>` for releases
- `hotfix/<name>` for production fixes
All PRs must pass automated tests and judges before merging.
License
MIT — see LICENSE for details.
Acknowledgements
- Architecture inspired by FedRAMP20xMCP
- GDPR text from EUR-Lex
- EDPB guidelines from edpb.europa.eu
FAQ
What is GDPR Shift-Left Compliance?
GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.