GDPR Shift-Left MCP Server

A Model Context Protocol (MCP) server that brings GDPR compliance knowledge directly into your IDE, enabling developers and compliance teams to "shift left" — identifying and addressing data protection requirements early in the development lifecycle.

⚠️ Disclaimer: This tool provides informational guidance only and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

Features

🔍 GDPR Knowledge Base (34 Tools)

• Article Lookup — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals

• Definitions — Art. 4 term definitions with contextual explanations

• Chapter Navigation — Browse articles by chapter with full directory

• Azure Mappings — Map GDPR articles to Azure services and controls

📋 Compliance Workflows

• DPIA Assessment — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates

• ROPA Builder — Generate and validate Art. 30 Records of Processing Activities

• DSR Guidance — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)

• Retention Analysis — Assess retention policies against Art. 5(1)(e) storage limitation

• Controller/Processor Role Classification — Assess data roles, get obligations, analyze code patterns, generate DPA checklists

🏗️ Infrastructure & Code Review

• Bicep/Terraform/ARM Analyzer — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)

• Application Code Analyzer — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues

• GDPR Config Validator — Pass/fail validation in strict or advisory mode

• DSR Capability Analyzer — Detect implementation of all 7 data subject rights (Arts. 15–22)

• Cross-Border Transfer Analyzer — Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)

• Breach Readiness Analyzer — Assess breach detection, logging, and notification capabilities

• Data Flow Analyzer — Map personal data lifecycle (collection, storage, transmission, deletion)

• AST Code Analyzer — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:

  • PII detection in function parameters and variables

  • Cross-border transfer detection via import analysis (150+ providers with risk justifications)

  • PII logging violation detection

  • DSR implementation pattern verification

  • Data flow tracking and call graph analysis

📝 Guided Prompts (8 Expert Prompts)

• Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping

• Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers

📐 Azure Bicep Templates (19 Templates)

• Storage Account — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)

• Key Vault — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)

• Azure SQL — Entra-only auth, TDE, auditing (Art. 25, 32)

• Log Analytics — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)

• Cosmos DB — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)

• App Service — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)

• Virtual Network — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))

• Container Apps — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)

• Monitor Alerts — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)

• PostgreSQL Flexible Server — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))

• Service Bus Premium — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))

• AKS — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))

• Confidential Ledger — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)

• Confidential VM — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))

• Entra ID Configuration — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))

• Azure Policy — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)

• Defender for Cloud — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)

• API Management — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)

• Front Door with WAF — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)

Quick Start

Prerequisites

• Python 3.10+

• VS Code with GitHub Copilot

Installation

Install from the MCP Registry (recommended)

The server is published to the MCP Registry. You can install it directly in VS Code:

1. Open the Extensions view (Ctrl+Shift+X)

2. Type @mcp GDPR in the search field

3. Click Install on "GDPR Shift-Left Compliance"

Note: The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):

"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"

This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.

Install via uvx (no clone needed)

uvx gdpr-shift-left-mcp

Install from source

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

Tool Reference

Architecture

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (34 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   ├── ast_analyzer.py      # AST-based deep code analysis
│   ├── retention.py         # Retention/deletion tools
│   └── role_classifier.py   # Controller/processor role classification
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges

Online Updates

The server fetches GDPR data from a configurable online source, with local caching:

• Source URL: Set via GDPR_SOURCE_URL environment variable

• Cache TTL: Default 1 hour (configurable via GDPR_CACHE_TTL)

• Cache directory: __gdpr_cache__/ (configurable via GDPR_CACHE_DIR)

• Fallback: Built-in data if online fetch fails

Contributing

See CONTRIBUTING.md for guidelines. This project follows Git Flow branching:

• feature/<name> for new features

• bugfix/<name> for fixes

• release/<version> for releases

• hotfix/<name> for production fixes

All PRs must pass automated tests and judges before merging.

License

MIT — see LICENSE for details.

Acknowledgements

• Architecture inspired by FedRAMP20xMCP

• GDPR text from EUR-Lex

• EDPB guidelines from edpb.europa.eu