Assessed against 7 GDPR modules containing 118 IT requirements and 576 compliance checklist items.
GDPR is decomposed into 7 modules of related obligations. Each module contains 118 IT requirements in total, and each requirement has 3–5 compliance checklist items (576 altogether) — the actionable items the AI coding agent searches the codebase for.
A requirement is marked implemented when the agent finds code-type evidence at high confidence (≥ 0.7); partial when it finds something less conclusive; otherwise gap. Numbers labelled active below are deduplicated to the most recent scan per requirement-and-repository, so re-scanning the same code never inflates the count. Cumulative numbers are the full audit trail across every scan session.
How the 118 requirements distribute across implemented, partial, and gap.
Distribution measured against the full GDPR requirement set in scope (n = 118). Bar segments are proportional; tick marks are at every 10%. Counts are active (deduplicated to latest evidence per requirement+repository).
36 implemented and 36 partial leave 46 in gap across the 118-requirement GDPR scope.
What was assessed, and what evidence was collected.
Left — the scope the assessment ran against. Right — the evidence the agent surfaced. The two are independent: scope is fixed by the regulation; evidence grows with every scan.
303 active evidence signals (deduplicated) — 398 cumulative across the full audit trail, gathered over 4 scan sessions across 3 repositories.
One row per GDPR module.
Implemented + Partial + Gap reconciles to the requirement count for each module. Evidence is shown as active / cumulative — re-scans never inflate the active number. Module names are clickable in the live document.
| Module | Reqs | Imp | Par | Gap | Active | Cumul. |
|---|---|---|---|---|---|---|
| 01 Controller Governance & Accountability | 32 | 9 | 11 | 12 | 78 | 79 |
| 02 Access Control & Security Measures | 19 | 18 | 1 | 0 | 86 | 181 |
| 03 International Transfer Governance | 16 | 0 | 6 | 10 | 34 | 34 |
| 04 Breach & Change Notification Pipeline | 16 | 0 | 9 | 7 | 33 | 33 |
| 05 Data Subject Rights Operations | 15 | 1 | 9 | 5 | 32 | 32 |
| 06 Lawful Basis & Consent Engineering | 11 | 8 | 0 | 3 | 37 | 37 |
| 07 Records, Retention & Minimization | 9 | 0 | 0 | 9 | 3 | 2 |
| Σ Total | 118 | 36 | 36 | 46 | 303 | 398 |
Per-requirement evidence signals, grouped by module.
Each row is one requirement. Status pill (implemented · partial · gap) reflects the current evidence verdict; risk pill is the requirement's intrinsic risk if unmet. File paths are clickable in the live document and resolve to the latest scanned commit.
dpo-qualification-assessment-gap — No formal DPO qualification assessment or selection process found in code. [email protected] is referenced as contact only.
audit-log-system-implementation — Immutable audit log system for admin/steward actions. log_admin_action helper creates entries for high-impact changes.
eu-representative-designation-gap — No formal EU representative designation. If EU-based (Azure EU deployment), Art. 27 may not apply. No formal assessment documented.
dpo-system-access-provisioning-gap — No DPO-specific access provisioning. Super Admin role has full access and could serve DPO function, but RBAC system (GlobalRole enum) does not include a DPO role.
dpo-contact-details-published — [email protected] published in breach procedure, DPA on marketing site, DPIA documents. Missing: formal SA notification of DPO appointment.
joint-controller-arrangement-gap — No joint controller arrangement system. Application operates as sole controller. Sub-processor relationships documented but no joint controller scenarios identified.
technical-organisational-measures-framework — Comprehensive TOMs: TLS 1.3, AES-256, RBAC+tenant isolation, Key Vault, Cloudflare WAF, NSG firewall, audit logging (40+ types), Secure+HttpOnly cookies, CSRF protection, input sanitization, consent management.
high-impact-settings-guard-implementation — Prevents accidental lockout and restricts high-impact settings based on tenant maturity or multi-admin consensus.
gdpr-compliance-tests-implementation — Comprehensive tests covering erasure, portability, consent management, and automated anonymization tasks.
processor-ropa-documented — Processor records partially documented in sub-processors.md. No structured electronic RoPA for processor-side records in Art. 30(2) format.
Priority gaps — sorted by risk.
All 46 gap-status requirements ranked by intrinsic risk: high-risk first, then moderate, then low. Use this list to scope the next implementation sprint.
| Requirement | Article | Risk | Description |
|---|---|---|---|
| e498d504b666 | 37 | High | Implement a DPO qualification assessment and selection process that evaluates candidates against documented criteria including expert knowledge of data protection law. |
| cddacc002544 | 37 | High | Implement an integrated DPO designation trigger assessment system within the processing activity register that evaluates all three mandatory designation criteria. |
| f6c2f4858cbe | 36 | High | Implement an integrated prior consultation management system that: (1) automatically detects when a DPIA residual risk classification remains 'high' even after mitigation review. |
| 9cf8122121f10 | 35 | High | Implement a DPIA review and reassessment process integrated with change management systems, ensuring that processing operations are reviewed against the DPIA whenever changes occur. |
| 5b8c902e534d | 49 | High | Implement technical controls on public register data export systems to prevent bulk or category-wide exports of personal data to third countries, and require derogation review. |
| 9cc372a77f39 | 15 | High | Maintain a register of all international data transfers to third countries or international organisations, including the applicable Article 46 safeguard. |
| 6649b0b81947 | 48 | High | Implement a formal intake and assessment process for foreign legal orders (court judgments) or administrative decisions from third countries) requiring transfer or disclosure. |
| c78c59dab8f2 | 49 | High | Implement an integrated third-country transfer governance platform that: (1) manages and logs all derogation-based transfers under Art. 49(1), capturing necessity assessments. |
| b875a6f6ddc1 | 45 | High | Implement a contingency and incident response capability for adequacy decision revocation events, comprising: (1) a documented contingency plan for each transfer destination. |
| 61caf1e2d8b1 | 47 | High | Implement a monitoring and reporting mechanism to detect and report to the competent supervisory authority any third-country legal requirements (laws, judgments, etc.). |
| 3c80ae6b6ea8 | 6 | High | Implement a purpose compatibility assessment workflow and register that evaluates and documents whether further processing of personal data for a new purpose is compatible. |
| 211836e9941d1 | 18 | High | Build an automated notification workflow in the data management system that triggers a communication to the data subject before a processing restriction is lifted. |
| cc4f29f6fcc1 | 14 | High | Implement a purpose-change detection and notification workflow that identifies when personal data obtained indirectly is intended to be processed for a new purpose. |
| 849da1b95698 | 13 | High | Implement a secondary purpose change detection and notification system that identifies when personal data is intended to be processed for a purpose other than originally collected. |
| 0a7502aaf868 | 14 | High | Implement automated workflows that track data acquisition timestamps from third-party sources and enforce delivery of privacy notices within the prescribed window. |
| cbb9c7ace7d6 | 14 | High | Implement and maintain a comprehensive privacy notice management system for indirect data collection scenarios that: (1) captures and delivers control points. |
| 74cc1fee843c | 22 | High | Implement a human intervention workflow system with automated decision-making applications that enables data subjects to (a) request human review of automated decisions. |
| 93f85472bb91 | 26 | High | Each joint controller must independently implement operational capability to receive, process, and respond to data subject rights requests (access, erasure, etc.). |
| a971feeb94c1 | 21 | High | Implement technical mechanisms in information society services to receive, parse, and honour automated objection signals from data subjects (e.g. Global Privacy Control). |
| 5d4cfc7d822c | 8 | High | Implement an integrated child consent management system within information society service registration and consent flows that: (1) enforces an age-gate. |