GDPR Shift-Left MCP Server

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (34 Tools)

• Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
• Definitions — Art. 4 term definitions with contextual explanations
• Chapter Navigation — Browse articles by chapter with full directory
• Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

• DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
• ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
• DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
• Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
• Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists

🏗️ Infrastructure & Code Review

• Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
• Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
• GDPR Config Validator — Pass/fail validation in strict or advisory mode
• DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
• Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)
• Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
• Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
• AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
  • PII detection in function parameters and variables
  • Cross-border transfer detection via import analysis (150+ providers with risk justifications)
  • PII logging violation detection
  • DSR implementation pattern verification
  • Data flow tracking and call graph analysis

📝 Guided Prompts (8 Expert Prompts)

• Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
• Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (19 Templates)

• Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
• Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
• Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
• Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
• Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabl

... View full README on GitHub