Integrate GDPR Tools into IDE for Early Data Protection Compliance

Gdprshiftleftmcp

A GDPR compliance MCP server that integrates the GDPR knowledge base, compliance workflows, and code analysis tools into the IDE to help developers identify and address data protection requirements in the early stages of development.

Law and compliance Developer tools #GDPR compliance #Code analysis #Data protection #Development tools .Python

rating : 2.5 points

downloads : 4.0K

update time : 2026-03-12

Open Site

What is the GDPR Shift-Left MCP Server?

The GDPR Shift-Left MCP Server is a Model Context Protocol (MCP) server that directly embeds the compliance knowledge of the General Data Protection Regulation (GDPR) of the European Union into your Integrated Development Environment (IDE). By "shifting left" compliance checks to the early stages of the development process, this tool helps development teams consider data protection requirements when writing code and designing systems, rather than making costly fixes in the later stages of the project.

How to use the GDPR Shift-Left MCP Server?

This tool is mainly used directly in the IDE through AI assistants such as GitHub Copilot. After installation, you can query GDPR articles, check code compliance, generate compliance documents, or get guidance for specific scenarios through natural language. For example, you can ask "Is my code compliant with the security requirements of Article 32 of the GDPR?" or "How to create a record for my data processing activities?"

Applicable scenarios

This tool is particularly suitable for: 1) Companies developing software for EU users; 2) Development teams that need to ensure GDPR compliance; 3) Cloud service providers that process personal data; 4) Security teams that need to audit code compliance; 5) Organizations that want to integrate compliance into the DevOps process.

Main features

GDPR Knowledge Base

Provides a complete query of GDPR articles, including 99 articles and 173 preambles, supporting search by article number, keyword, and chapter browsing.

Compliance Workflows

Guided workflows, including DPIA assessment, Record of Processing Activities (ROPA) construction, Data Subject Rights (DSR) processing, and retention policy analysis.

Code and Infrastructure Analysis

Scans infrastructure code such as Bicep, Terraform, ARM, and application code to identify potential GDPR violations, such as PII logging, hard-coded keys, and lack of consent checks.

AST Deep Code Analysis

Performs in-depth analysis of Python, JavaScript, TypeScript, Java, C#, and Go code using an Abstract Syntax Tree (AST) to detect PII, cross-border data transfers, and DSR implementation patterns.

Azure Compliance Templates

Provides 19 pre-configured Azure Bicep templates to ensure GDPR-compliant configurations for services such as storage, databases, and networks.

Role Classification Assessment

Helps determine whether an organization is a data controller or a data processor and provides a corresponding list of obligations and a Data Processing Agreement (DPA) checklist.

Cross-Border Transfer Analysis

Identifies third-party APIs/SDKs that may transfer data outside the European Economic Area (EEA) and provides detailed risk descriptions.

Expert Prompts

8 pre-configured expert prompts to guide complex tasks such as gap analysis, DPIA assessment, compliance roadmap, and data mapping.

Advantages

Early compliance detection: Identify issues during the development phase to avoid costly fixes later

Developer-friendly: Provide guidance directly in the IDE without leaving the development environment

Comprehensive coverage: Cover all key aspects of the GDPR, from article interpretation to specific implementation

Practical tools: Provide ready-to-use templates, checklists, and configurations

Continuous updates: Obtain the latest GDPR data and guidelines online

Deep integration: Seamlessly integrate with existing development toolchains (such as VS Code, GitHub Copilot)

Limitations

Not legal advice: The tool provides guiding information and cannot replace professional legal advice. Organizations should consult legal experts to make legally binding GDPR compliance decisions.

Technology focus: Mainly focus on the technical implementation level, with limited coverage of organizational processes and policies

Azure bias: Many templates and examples are mainly for the Azure cloud environment

Learning curve: It takes some time to familiarize yourself with GDPR concepts and how to use the tool

Dependence on AI assistants: The best experience requires cooperation with AI assistants such as GitHub Copilot

How to use

Install the tool

Install directly from the MCP Registry (recommended) or through the command-line tool uvx. VS Code users can search for "GDPR Shift-Left Compliance" in the extension marketplace for installation.

Configure the IDE

If the automatic configuration fails, you can manually add the server to the MCP settings in VS Code. Make sure GitHub Copilot is enabled and configured to use the MCP tool.

Start using

Open the GitHub Copilot chat interface in the IDE and start asking GDPR-related questions or using specific tools. For example, enter "Analyze the GDPR compliance of this code" and attach your code.

Explore features

Try different tools, such as querying GDPR articles, generating compliance documents, analyzing code, or getting guidance for specific scenarios. The list of tools can be viewed through relevant commands.

Usage examples

New feature compliance check

The development team is adding a user analysis feature and needs to ensure compliance with the GDPR's data minimization and purpose limitation principles.

Infrastructure code review

The DevOps team has written new Azure infrastructure code and needs to ensure that the storage and database configurations comply with the GDPR's security requirements.

Data subject rights request processing

The customer service team has received a user's data access request and needs to understand the correct processing process and time limits.

Cross-border data transfer assessment

The company plans to integrate a third-party analysis service in the United States and needs to assess the legal risks of transferring EU user data to the United States.

Frequently Asked Questions

Can this tool replace a legal advisor?

Do I need GDPR expertise to use this tool?

Which programming languages and frameworks does the tool support?

How is the data updated and managed?

Does it support other cloud providers besides Azure?

How to report issues or suggest new features?

Related resources

GitHub repository

Source code, issue tracking, and contribution guidelines

MCP Registry

Official page in the MCP registry

PyPI package page

Published version in the Python Package Index

GDPR official text

Full text of the GDPR in the Official Journal of the European Union

EDPB guidelines

Guidelines and recommendations from the European Data Protection Board (EDPB)

Model Context Protocol

Official specification of the MCP protocol

🚀 GDPR Shift-Left MCP Server

This Model Context Protocol (MCP) server directly integrates GDPR compliance knowledge into your IDE, empowering developers and compliance teams to "shift left". This means identifying and addressing data protection requirements at an early stage in the development lifecycle.

⚠️ Important Note

This tool only offers informational guidance and does not constitute legal advice. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.

✨ Features

🔍 GDPR Knowledge Base (34 Tools)

Article Lookup: Retrieve any GDPR article by number, and search across all 99 articles and 173 recitals.
Definitions: Get Art. 4 term definitions with contextual explanations.
Chapter Navigation: Browse articles by chapter with a full directory.
Azure Mappings: Map GDPR articles to Azure services and controls.

📋 Compliance Workflows

DPIA Assessment: Assess whether a DPIA is required (EDPB 9-criteria test), and generate Art. 35 templates.
ROPA Builder: Generate and validate Art. 30 Records of Processing Activities.
DSR Guidance: Follow step-by-step workflows for all 7 data subject rights (Arts. 12–23).
Retention Analysis: Assess retention policies against Art. 5(1)(e) storage limitation.
Controller/Processor Role Classification: Assess data roles, get obligations, analyze code patterns, and generate DPA checklists.

🏗️ Infrastructure & Code Review

Bicep/Terraform/ARM Analyzer: Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention).
Application Code Analyzer: Detect PII logging, hardcoded secrets, missing consent checks, and data minimisation issues.
GDPR Config Validator: Perform pass/fail validation in strict or advisory mode.
DSR Capability Analyzer: Detect implementation of all 7 data subject rights (Arts. 15–22).
Cross-Border Transfer Analyzer: Identify third-party APIs/SDKs that may transfer data outside EEA, with risk justifications explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity).
Breach Readiness Analyzer: Assess breach detection, logging, and notification capabilities.
Data Flow Analyzer: Map personal data lifecycle (collection, storage, transmission, deletion).
AST Code Analyzer: Conduct deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go, including:
- PII detection in function parameters and variables.
- Cross-border transfer detection via import analysis (150+ providers with risk justifications).
- PII logging violation detection.
- DSR implementation pattern verification.
- Data flow tracking and call graph analysis.

📝 Guided Prompts (8 Expert Prompts)

Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping.
Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers.

📐 Azure Bicep Templates (19 Templates)

Storage Account: CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44 - 49).
Key Vault: HSM-backed Premium, purge protection, RBAC (Art. 25, 32).
Azure SQL: Entra-only auth, TDE, auditing (Art. 25, 32).
Log Analytics: 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33).
Cosmos DB: EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44 - 49).
App Service: Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32).
Virtual Network: 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f)).
Container Apps: Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32).
Monitor Alerts: DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32).
PostgreSQL Flexible Server: Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e)).
Service Bus Premium: CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f)).
AKS: Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f)).
Confidential Ledger: TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33).
Confidential VM: AMD SEV - SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f)).
Entra ID Configuration: Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2)).
Azure Policy: EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44).
Defender for Cloud: All Defender plans, security contacts, auto - provisioning, GDPR compliance dashboard (Art. 32, 33).
API Management: Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30).
Front Door with WAF: OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44).

🚀 Quick Start

Prerequisites

Python 3.10+
VS Code with GitHub Copilot

Installation

Install from the MCP Registry (recommended)

The server is published to the MCP Registry. You can install it directly in VS Code:

Open the Extensions view (Ctrl+Shift+X).
Type @mcp GDPR in the search field.
Click Install on "GDPR Shift-Left Compliance".

💡 Usage Tip

The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code User Settings (Ctrl+, → Open Settings JSON):
"chat.mcp.gallery.serviceUrl": "https://registry.modelcontextprotocol.io"
This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.

Install via uvx (no clone needed)

uvx gdpr-shift-left-mcp

Install from source

# Clone the repository
git clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git
cd GDPRShiftLeftMCP

# Install in development mode
pip install -e ".[dev]"

VS Code Integration

The repository includes .vscode/mcp.json for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.

To configure manually, add to your VS Code settings:

{
  "mcp": {
    "servers": {
      "gdpr-shift-left-mcp": {
        "type": "stdio",
        "command": "python",
        "args": ["-m", "gdpr_shift_left_mcp"]
      }
    }
  }
}

Running the Server

# Run directly
python -m gdpr_shift_left_mcp

# Or via the installed entry point
gdpr-shift-left-mcp

📚 Documentation

Tool	Description	GDPR Articles
`get_article`	Retrieve a GDPR article by number	All
`list_chapter_articles`	List all articles in a chapter	All
`search_gdpr`	Full-text search across GDPR	All
`get_recital`	Retrieve a recital by number	All
`get_azure_mapping`	Azure services for a GDPR article	All
`get_definition`	Art. 4 term definition	Art. 4
`list_definitions`	List all definitions	Art. 4
`search_definitions`	Search definitions	Art. 4
`assess_dpia_need`	Check if DPIA is required	Art. 35
`generate_dpia_template`	Generate DPIA document	Art. 35
`get_dpia_guidance`	DPIA area guidance	Art. 35–36
`generate_ropa_template`	Art. 30 ROPA template	Art. 30
`validate_ropa`	Validate ROPA completeness	Art. 30
`get_ropa_requirements`	ROPA field requirements	Art. 30
`get_dsr_guidance`	DSR handling guidance	Arts. 12–23
`generate_dsr_workflow`	DSR fulfilment workflow	Arts. 12–23
`get_dsr_timeline`	DSR response timelines	Art. 12(3)
`analyze_infrastructure_code`	Scan IaC for GDPR issues	Art. 25, 32, 44
`analyze_application_code`	Scan app code for GDPR issues	Art. 5, 25, 32
`validate_gdpr_config`	Pass/fail GDPR validation	All
`assess_retention_policy`	Assess retention policy	Art. 5(1)(e)
`get_retention_guidance`	Category-specific retention	Art. 5(1)(e)
`check_deletion_requirements`	Deletion capability checklist	Art. 17
`assess_controller_processor_role`	Assess data controller/processor role	Art. 4, 24, 26, 28
`get_role_obligations`	Role-specific GDPR obligations	Art. 24, 26, 28
`analyze_code_for_role_indicators`	Detect controller/processor code patterns	Art. 4, 24, 28
`generate_dpa_checklist`	Art. 28 DPA agreement checklist	Art. 28
`get_role_scenarios`	Common role classification scenarios	Art. 4, 24, 26, 28
`analyze_dsr_capabilities`	Detect DSR implementation (access, erase, portability, etc.)	Arts. 15–22
`analyze_cross_border_transfers`	Detect third-party APIs/SDKs with risk justifications	Arts. 44–49
`analyze_breach_readiness`	Assess breach detection, logging, and notification capabilities	Arts. 33–34
`analyze_data_flow`	Map personal data lifecycle (collection, storage, transmission, deletion)	Art. 30
`analyze_code_ast`	Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR)	Art. 5, 25, 32, 44
`get_ast_capabilities`	Get AST analyzer supported languages and features	All

🔧 Technical Details

src/gdpr_shift_left_mcp/
├── __init__.py              # Package init
├── __main__.py              # Entry point
├── server.py                # FastMCP server + prompt registration
├── disclaimer.py            # Legal disclaimer utility
├── data_loader.py           # Online GDPR data fetching + caching
├── tools/
│   ├── __init__.py          # Tool registration (34 tools)
│   ├── articles.py          # Article/recital/search tools
│   ├── definitions.py       # Art. 4 definition tools
│   ├── dpia.py              # DPIA assessment tools
│   ├── ropa.py              # ROPA builder tools
│   ├── dsr.py               # Data subject rights tools
│   ├── analyzer.py          # IaC + app code analyzer
│   ├── ast_analyzer.py      # AST-based deep code analysis
│   ├── retention.py         # Retention/deletion tools
│   └── role_classifier.py   # Controller/processor role classification
├── prompts/
│   ├── __init__.py          # Prompt loader
│   └── *.txt                # 8 expert prompt templates
└── templates/
    ├── __init__.py           # Template loader
    └── *.bicep               # GDPR-aligned Azure Bicep templates

🧪 Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=gdpr_shift_left_mcp --cov-report=html

# Run judges (end-to-end evaluators)
python -m tests.evaluator.run_judges