MCP Hub
Back to servers

GDPR Shift-Left Compliance

GDPR compliance MCP server - article lookup, DPIA, ROPA, DSR, IaC analysis, Bicep templates.

Registry
Other
Updated
Feb 6, 2026
View Source
Claim this server

Quick Install

uvx gdpr-shift-left-mcp

GDPR Shift-Left MCP Server

Tests & Judges PyPI version Python versions License: MIT

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (24 Tools)

  • Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals
  • Definitions — Art. 4 term definitions with contextual explanations
  • Chapter Navigation — Browse articles by chapter with full directory
  • Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

  • DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates
  • ROPA Builder — Generate and validate Art. 30 Records of Processing Activities
  • DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)
  • Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation

🏗️ Infrastructure & Code Review

  • Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)
  • Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues
  • GDPR Config Validator — Pass/fail validation in strict or advisory mode

📝 Guided Prompts (8 Expert Prompts)

  • Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping
  • Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (11 Templates)

  • Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)
  • Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)
  • Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)
  • Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)
  • Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)
  • App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)
  • Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))
  • Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)
  • Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)
  • PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))
  • Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))

Quick Start

Prerequisites

  • Python 3.11+
  • VS Code with GitHub Copilot

Installation

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

Tool Reference

ToolDescriptionGDPR Articles
get_gdpr_articleRetrieve a GDPR article by numberAll
list_chapter_articlesList all articles in a chapterAll
search_gdprFull-text search across GDPRAll
get_gdpr_recitalRetrieve a recital by numberAll
get_azure_mappingAzure services for a GDPR articleAll
get_gdpr_definitionArt. 4 term definitionArt. 4
list_gdpr_definitionsList all definitionsArt. 4
search_gdpr_definitionsSearch definitionsArt. 4
assess_dpia_needCheck if DPIA is requiredArt. 35
generate_dpia_templateGenerate DPIA documentArt. 35
get_dpia_guidanceDPIA area guidanceArt. 35–36
generate_ropa_templateArt. 30 ROPA templateArt. 30
validate_ropaValidate ROPA completenessArt. 30
get_ropa_requirementsROPA field requirementsArt. 30
get_dsr_guidanceDSR handling guidanceArts. 12–23
generate_dsr_workflowDSR fulfilment workflowArts. 12–23
get_dsr_timelineDSR response timelinesArt. 12(3)
analyze_infrastructure_codeScan IaC for GDPR issuesArt. 25, 32, 44
analyze_application_codeScan app code for GDPR issuesArt. 5, 25, 32
validate_gdpr_configPass/fail GDPR validationAll
assess_retention_policyAssess retention policyArt. 5(1)(e)
get_retention_guidanceCategory-specific retentionArt. 5(1)(e)
check_deletion_requirementsDeletion capability checklistArt. 17

Architecture

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (24 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   └── retention.py         # Retention/deletion tools
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges

Online Updates

The server fetches GDPR data from a configurable online source, with local caching:

  • Source URL: Set via GDPR_SOURCE_URL environment variable
  • Cache TTL: Default 1 hour (configurable via GDPR_CACHE_TTL)
  • Cache directory: __gdpr_cache__/ (configurable via GDPR_CACHE_DIR)
  • Fallback: Built-in data if online fetch fails

Contributing

See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:

  • feature/<name> for new features
  • bugfix/<name> for fixes
  • release/<version> for releases
  • hotfix/<name> for production fixes

All PRs must pass automated tests and judges before merging.

License

MIT — see LICENSE for details.

Acknowledgements

Reviews

No reviews yet

Sign in to write a review