A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.
⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.
- Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
- Definitions — Art. 4 term definitions with contextual explanations
- Chapter Navigation — Browse articles by chapter with full directory
- Azure Mappings — Map GDPR articles to Azure services and controls
- DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
- ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
- DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
- Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation
- Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists
- Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
- Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
- GDPR Config Validator — Pass/fail validation in strict or advisory mode
- DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)
- Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)
- Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities
- Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)
- AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:
- PII detection in function parameters and variables
- Cross-border transfer detection via import analysis (150+ providers with risk justifications)
- PII logging violation detection
- DSR implementation pattern verification
- Data flow tracking and call graph analysis
- Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
- Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers
- Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
- Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
- Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
- Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
- Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
- App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
- Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
- Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
- Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
- PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
- Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))
- AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))
- Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)
- Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))
- Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))
- Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)
- Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)
- API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)
- Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)
- Python 3.10+
- VS Code with GitHub Copilot
The server is published to the MCP Registry. You can install it directly in VS Code:
- Open the Extensions view (
Ctrl+Shift+X) - Type
@mcp GDPRin the search field - Click Install on "GDPR Shift-Left Compliance"
Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (
Ctrl+,→ Open Settings JSON):"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.
uvx gdpr-shift-left-mcp# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP
# Install in development mode
pip install -e ".[dev]"The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.
To configure manually, add to your VS Code settings:
{
"mcp": {
"servers": {
"gdpr-shift-left-mcp": {
"type": "stdio",
"command": "python",
"args": ["-m", "gdpr_shift_left_mcp"]
}
}
}
}# Run directly
python -m gdpr_shift_left_mcp
# Or via the installed entry point
gdpr-shift-left-mcp| Tool | Description | GDPR Articles |
|---|---|---|
get_article |
Retrieve a GDPR article by number | All |
list_chapter_articles |
List all articles in a chapter | All |
search_gdpr |
Full-text search across GDPR | All |
get_recital |
Retrieve a recital by number | All |
get_azure_mapping |
Azure services for a GDPR article | All |
get_definition |
Art. 4 term definition | Art. 4 |
list_definitions |
List all definitions | Art. 4 |
search_definitions |
Search definitions | Art. 4 |
assess_dpia_need |
Check if DPIA is required | Art. 35 |
generate_dpia_template |
Generate DPIA document | Art. 35 |
get_dpia_guidance |
DPIA area guidance | Art. 35–36 |
generate_ropa_template |
Art. 30 ROPA template | Art. 30 |
validate_ropa |
Validate ROPA completeness | Art. 30 |
get_ropa_requirements |
ROPA field requirements | Art. 30 |
get_dsr_guidance |
DSR handling guidance | Arts. 12–23 |
generate_dsr_workflow |
DSR fulfilment workflow | Arts. 12–23 |
get_dsr_timeline |
DSR response timelines | Art. 12(3) |
analyze_infrastructure_code |
Scan IaC for GDPR issues | Art. 25, 32, 44 |
analyze_application_code |
Scan app code for GDPR issues | Art. 5, 25, 32 |
validate_gdpr_config |
Pass/fail GDPR validation | All |
assess_retention_policy |
Assess retention policy | Art. 5(1)(e) |
get_retention_guidance |
Category-specific retention | Art. 5(1)(e) |
check_deletion_requirements |
Deletion capability checklist | Art. 17 |
assess_controller_processor_role |
Assess data controller/processor role | Art. 4, 24, 26, 28 |
get_role_obligations |
Role-specific GDPR obligations | Art. 24, 26, 28 |
analyze_code_for_role_indicators |
Detect controller/processor code patterns | Art. 4, 24, 28 |
generate_dpa_checklist |
Art. 28 DPA agreement checklist | Art. 28 |
get_role_scenarios |
Common role classification scenarios | Art. 4, 24, 26, 28 |
analyze_dsr_capabilities |
Detect DSR implementation (access, erase, portability, etc.) | Arts. 15–22 |
analyze_cross_border_transfers |
Detect third-party APIs/SDKs with risk justifications | Arts. 44–49 |
analyze_breach_readiness |
Assess breach detection, logging, and notification capabilities | Arts. 33–34 |
analyze_data_flow |
Map personal data lifecycle (collection, storage, transmission, deletion) | Art. 30 |
analyze_code_ast |
Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR) | Art. 5, 25, 32, 44 |
get_ast_capabilities |
Get AST analyzer supported languages and features | All |
src/gdpr_shift_left_mcp/
├── __init__.py # Package init
├── __main__.py # Entry point
├── server.py # FastMCP server + prompt registration
├── disclaimer.py # Legal disclaimer utility
├── data_loader.py # Online GDPR data fetching + caching
├── tools/
│ ├── __init__.py # Tool registration (34 tools)
│ ├── articles.py # Article/recital/search tools
│ ├── definitions.py # Art. 4 definition tools
│ ├── dpia.py # DPIA assessment tools
│ ├── ropa.py # ROPA builder tools
│ ├── dsr.py # Data subject rights tools
│ ├── analyzer.py # IaC + app code analyzer
│ ├── ast_analyzer.py # AST-based deep code analysis
│ ├── retention.py # Retention/deletion tools
│ └── role_classifier.py # Controller/processor role classification
├── prompts/
│ ├── __init__.py # Prompt loader
│ └── *.txt # 8 expert prompt templates
└── templates/
├── __init__.py # Template loader
└── *.bicep # GDPR-aligned Azure Bicep templates
# Run all tests
pytest
# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html
# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judgesThe server fetches GDPR data from a configurable online source, with local caching:
- Source URL: Set via
GDPR_SOURCE_URLenvironment variable - Cache TTL: Default 1 hour (configurable via
GDPR_CACHE_TTL) - Cache directory:
__gdpr_cache__/(configurable viaGDPR_CACHE_DIR) - Fallback: Built-in data if online fetch fails
See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:
feature/<name>for new featuresbugfix/<name>for fixesrelease/<version>for releaseshotfix/<name>for production fixes
All PRs must pass automated tests and judges before merging.
MIT — see LICENSE for details.
- Architecture inspired by FedRAMP20xMCP
- GDPR text from EUR-Lex
- EDPB guidelines from edpb.europa.eu