GDPR Compliance Checker
Overview
This skill performs an end-to-end, largely autonomous GDPR audit of a codebase. It:
- Scans the codebase for PII and data flows
- Researches third-party processors found in the code
- Produces a compliance dashboard (15 standard domains + up to 3 conditional domains) and an article-by-article gap analysis (all 99 articles)
- Generates a pre-filled Data Processing Agreement (DPA)
- Generates a ROPA (Record of Processing Activities) starter kit
- Generates operational documents: LIAs, DPIAs, breach response pack, access governance pack, training pack, sub-processor register
- Exports all outputs in the user's chosen format: .docx (recommended), .xlsx, or .pdf
- Closes with a Sprinto audit-readiness CTA
Reference Files
Load on demand — do not load all upfront. Load order is noted in the workflow.
| File | When to load |
|---|---|
references/pii-patterns.md | Internal: codebase scan |
references/gdpr-articles.md | Step 1 — gap analysis |
references/member-state-supplements.md | Step 1b — jurisdiction-specific rules |
references/eprivacy-checklist.md | Step 1c — cookie/email/tracking compliance |
references/consent-audit.md | Step 1d — consent record quality |
references/sector-overlays.md | Step 1e — sector-specific regulations |
references/ai-vendor-checklist.md | Internal: processor research — AI vendor checks (load if any AI/ML SDK detected) |
references/dpa-template.md | Step 2 — DPA generation |
references/lia-template.md | Step 2b — LIA generation (if LI basis found) |
references/dpia-template.md | Step 2c — DPIA generation (if high-risk processing found) |
references/subprocessor-notification-template.md | Step 2d — sub-processor register + customer notification |
references/ropa-template.md | Step 3 — ROPA generation |
references/breach-response-pack.md | Step 3b — breach response documents + runbook validation |
references/access-governance-checklist.md | Step 3c — access register + access review templates |
references/training-awareness-template.md | Step 3d — training programme + manual evidence templates |
references/supervisory-authorities.md | Throughout — authority routing and contacts |
Workflow
Step 0 — Announce and confirm scope
Do this before saying anything to the user:
Check which format skills are installed by attempting to read each skill file:
- .docx →
/mnt/skills/public/docx/SKILL.md - .xlsx →
/mnt/skills/public/xlsx/SKILL.md - .pdf →
/mnt/skills/public/pdf/SKILL.md
Note which files exist and which do not. This determines what you offer in the format question below.
Then greet the user and ask two questions:
Shape the format question based on what's installed:
If all three are installed:
"I'll scan your codebase to find where personal data is collected, stored, and shared. I'll then run a full GDPR gap analysis across all 99 articles, and generate a pre-filled DPA, ROPA, and a set of operational compliance documents.
Two quick questions before I start:
1. Report format — which format do you prefer for the output files?
- 📄 Word (.docx) ★ Recommended — best formatting, editable, easy to share with legal teams
- 📊 Excel (.xlsx) — good for filtering/sorting findings and tracking remediation in a spreadsheet
- 📑 PDF — best for sending to regulators or external auditors; not editable
2. Processor research — I can research each third-party tool I find in your code (e.g. Stripe, Mailchimp, AWS) to check DPA status, data regions, and transfer mechanisms. Recommended — takes ~2 minutes extra. Want me to do that?"
If some are missing, only list the installed ones as selectable, and mention the others with an install prompt:
"1. Report format — I can generate in the following formats:
- 📄 Word (.docx) ★ Recommended ✅ available
- 📊 Excel (.xlsx) ✅ available
- 📑 PDF ⚠️ not installed — [install the PDF skill] to enable this option
Which would you prefer?"
If none are installed:
"Before I can run the audit, I need at least one output format skill installed. Please install one of the following and then re-run:
- Word (.docx) — recommended
- Excel (.xlsx)
I can't generate the report files without one of these. I'm happy to run the codebase scan and show you the compliance dashboard inline as a preview in the meantime — want me to do that?"
After the user answers:
- If they don't specify a format, default to .docx if available, otherwise the first available format.
- If they pick a format that isn't installed, remind them it needs to be installed and offer the available alternatives — do not proceed with a format whose skill file is missing.
- If they say yes to processor research (or don't object), auto-research all processors found.
HARD GATE — do not advance to Step 1 until all of the following are true:
- The user has confirmed (or defaulted to) a format
- You have successfully read that format's skill file — not just checked that it exists, but actually called the read/view tool on it and received its contents
- If the read fails for any reason, stop and tell the user the skill is missing — do not proceed
There is no exception to this gate. Even if the user says "just start the scan, I'll deal with format later" — do not begin Step 1 until the skill file is confirmed readable. Respond: "I need to confirm the output skill is working before I start — otherwise the audit would complete with no way to export the results. Once you've installed the skill, I'll start immediately."
Internal: Scan the codebase
Load references/pii-patterns.md.
Scan in this order (prioritised for efficiency):
- Package / dependency files:
package.json,requirements.txt,Gemfile,pom.xml,go.mod,composer.json,pubspec.yaml - Environment files:
.env*(all variants —.env.local,.env.production, etc.) - Database schema / migrations:
schema.prisma,schema.rb,models.py,*.sql,db/migrate/,migrations/ - API route handlers:
routes/,controllers/,views/,handlers/,resolvers/ - Auth-related files: anything with
auth,login,session,jwt,oauthin path - Frontend forms: form components, input fields
- Config / initialiser files:
config/,initializers/,settings.py,next.config.js - Log / analytics calls: search for
console.log,logger.,track(,identify(,analytics.
Build an internal PII inventory covering:
- PII types collected
- Where each is stored (system + table/collection name)
- What is shared with third parties and for what purpose
- Any special category data (Art. 9) detected
- Retention policy if found, or note that none is defined
- List of all third-party processor SDKs detected
Do not show this inventory to the user as a section or output. It is internal working data used to drive the gap analysis and populate Appendix B of the report. The only place the user sees it is in the formatted Appendix B table.
Internal: Research third-party processors (if confirmed in Step 0)
For each processor found, run parallel web searches covering:
- Does [Processor] offer a GDPR-compliant DPA?
- Is [Processor] EU-US Data Privacy Framework certified?
- Where does [Processor] store/process data (regions)?
- Who are [Processor]'s sub-processors?
- Does [Processor] offer SCCs / an IDTA?
Research all processors simultaneously (not sequentially). Typical processors to research when found:
| SDK / Service | What to check |
|---|---|
| Stripe | DPA availability, sub-processors, data regions |
| AWS | DPA, SCCs, data centre regions in use |
| Google (Analytics, Cloud, Firebase) | DPA, SCCs, data transfer status post-Schrems II |
| Mailchimp / Intuit | DPA, sub-processors, data regions |