evidence-signals.gdpr.posture.html doc · v0.4.2 scan #04 of session shareable link · view-only
RuleMesh
org · org_f296b4ca5f78 regulation · GDPR generated · 2026-04-29 · 18:59:10 UTC
Evidence Signals Report FIG. 00 — POSTURE SUMMARY compliance-as-code assessment

GDPR compliance posture: 30% of requirements implemented across 7 modules.

An evidence-led readout of where this organization stands against GDPR — grouped by obligation, scored by what the agent actually found in code, generated on demand from the live audit trail. This document is the report. Re-share the link, export a PDF, or open any module to drill in.

Organization org_f296b4ca5f78 workspace · acme
Regulation GDPR · EU 2016/679 7 modules · 118 reqs
Generated 2026-04-29 18:59:10Z build #756a5a7
Scan sessions 4 · cumulative latest · session_04
Repositories api · application · frontend 3 scanned · 0 skipped
§ 00 · Reader's note how to read this report est. 4 min

GDPR is decomposed into 7 modules of related obligations. Each module contains 118 IT requirements in total, and each requirement has 3–5 compliance checklist items (576 altogether) — the actionable items the AI coding agent searches the codebase for.

A requirement is marked implemented when the agent finds code-type evidence at high confidence (≥ 0.7); partial when it finds something less conclusive; otherwise gap. Numbers labelled active below are deduplicated to the most recent scan per requirement-and-repository, so re-scanning the same code never inflates the count. Cumulative numbers are the full audit trail across every scan session.

§ 01 / 03Compliance Posture

How the 118 requirements distribute across implemented, partial, and gap.

Distribution measured against the full GDPR requirement set in scope (n = 118). Bar segments are proportional; tick marks are at every 10%. Counts are active (deduplicated to latest evidence per requirement+repository).

posture index 30% of 118 requirements implemented at ≥0.7

36 implemented and 36 partial leave 46 in gap across the 118-requirement GDPR scope.

0% — n=0 50% — n=59 100% — n=118
imp · 30%
+ par · 61%
Implemented30.5%
36 requirements with code-type evidence ≥0.7
Partial30.5%
36 evidence found but below threshold
Gap39.0%
46 no signal · requires action
§ 02 / 03Scope & Evidence

What was assessed, and what evidence was collected.

Left — the scope the assessment ran against. Right — the evidence the agent surfaced. The two are independent: scope is fixed by the regulation; evidence grows with every scan.

fig. 02.1 / scope-of-assessment in-scope · n = 118

Assessed against 7 GDPR modules containing 118 IT requirements and 576 compliance checklist items.

7Modulesobligation groups
118IT requirements3–5 checks each
576Checklist itemsagent-actionable
fig. 02.2 / evidence-collected signals · 4 sessions

303 active evidence signals (deduplicated) — 398 cumulative across the full audit trail, gathered over 4 scan sessions across 3 repositories.

303Activededuplicated
398Cumulativeall scans
4Sessionslatest · 04
3Reposapi · app · fe
§ 03 / 03Module Breakdown

One row per GDPR module.

Implemented + Partial + Gap reconciles to the requirement count for each module. Evidence is shown as active / cumulative — re-scans never inflate the active number. Module names are clickable in the live document.

tbl. 03.1 / modules · n = 7 · sorted by requirement count
implemented partial gap
Module Distribution Reqs Imp Par Gap Active Cumul.
01 Controller Governance & Accountability
32 9 11 12 78 79
02 Access Control & Security Measures
19 18 1 0 86 181
03 International Transfer Governance
16 0 6 10 34 34
04 Breach & Change Notification Pipeline
16 0 9 7 33 33
05 Data Subject Rights Operations
15 1 9 5 32 32
06 Lawful Basis & Consent Engineering
11 8 0 3 37 37
07 Records, Retention & Minimization
9 0 0 9 3 2
Σ Total 118 36 36 46 303 398
reconciles · 36 + 36 + 46 = 118 active dedup ratio · 303 / 398 = 76.1% continues below · requirement-level breakdown ↓
§ 04 / 05Evidence List

Per-requirement evidence signals, grouped by module.

Each row is one requirement. Status pill (implemented · partial · gap) reflects the current evidence verdict; risk pill is the requirement's intrinsic risk if unmet. File paths are clickable in the live document and resolve to the latest scanned commit.

Module 01 · 32 requirements Controller Governance & Accountability
9 implemented · 11 partial · 12 gap · 78 active evidence signals
Art. 37 e498d504b666
Gap High risk

dpo-qualification-assessment-gap — No formal DPO qualification assessment or selection process found in code. [email protected] is referenced as contact only.

Art. 31 5212478857a0
Implemented Moderate risk

audit-log-system-implementation — Immutable audit log system for admin/steward actions. log_admin_action helper creates entries for high-impact changes.

Art. 27 8efef4c1c81b
Gap Moderate risk

eu-representative-designation-gap — No formal EU representative designation. If EU-based (Azure EU deployment), Art. 27 may not apply. No formal assessment documented.

Art. 38 139a52e399d9
Gap Moderate risk

dpo-system-access-provisioning-gap — No DPO-specific access provisioning. Super Admin role has full access and could serve DPO function, but RBAC system (GlobalRole enum) does not include a DPO role.

attachmentEvidence files · 1
Art. 37 719225690805
Partial Moderate risk

dpo-contact-details-published [email protected] published in breach procedure, DPA on marketing site, DPIA documents. Missing: formal SA notification of DPO appointment.

Art. 26 9908346756d1
Gap Moderate risk

joint-controller-arrangement-gap — No joint controller arrangement system. Application operates as sole controller. Sub-processor relationships documented but no joint controller scenarios identified.

Art. 24 98d57d222ca2
Implemented High risk

technical-organisational-measures-framework — Comprehensive TOMs: TLS 1.3, AES-256, RBAC+tenant isolation, Key Vault, Cloudflare WAF, NSG firewall, audit logging (40+ types), Secure+HttpOnly cookies, CSRF protection, input sanitization, consent management.

attachmentEvidence files · 2
Art. 32 8cd38925562c
Implemented High risk

high-impact-settings-guard-implementation — Prevents accidental lockout and restricts high-impact settings based on tenant maturity or multi-admin consensus.

attachmentEvidence files · 3
Art. 32 5093e12a7d88
Implemented High risk

gdpr-compliance-tests-implementation — Comprehensive tests covering erasure, portability, consent management, and automated anonymization tasks.

attachmentEvidence files · 2
Art. 30 6741a08a537
Partial High risk

processor-ropa-documented — Processor records partially documented in sub-processors.md. No structured electronic RoPA for processor-side records in Art. 30(2) format.

attachmentEvidence files · 1
showing · 10 of 32 requirements in this module expand_moreExpand all 32
Module 02 · 19 requirements Access Control & Security Measures
18 implemented · 1 partial · 0 gap · 86 active evidence signals
collapsed · 19 requirements unfold_moreExpand module
Module 03 · 16 requirements International Transfer Governance
0 implemented · 6 partial · 10 gap · 34 active evidence signals
collapsed · 16 requirements unfold_moreExpand module
§ 05 / 05Priority Gaps

Priority gaps — sorted by risk.

All 46 gap-status requirements ranked by intrinsic risk: high-risk first, then moderate, then low. Use this list to scope the next implementation sprint.

46 Priority Gaps all gap-status requirements · most-urgent first
sorted by · risk ↓ then module
Requirement Article Module Risk Description
e498d504b66637Controller Governance & AccountabilityHighImplement a DPO qualification assessment and selection process that evaluates candidates against documented criteria including expert knowledge of data protection law.
cddacc00254437Controller Governance & AccountabilityHighImplement an integrated DPO designation trigger assessment system within the processing activity register that evaluates all three mandatory designation criteria.
f6c2f4858cbe36Controller Governance & AccountabilityHighImplement an integrated prior consultation management system that: (1) automatically detects when a DPIA residual risk classification remains 'high' even after mitigation review.
9cf8122121f1035Controller Governance & AccountabilityHighImplement a DPIA review and reassessment process integrated with change management systems, ensuring that processing operations are reviewed against the DPIA whenever changes occur.
5b8c902e534d49International Transfer GovernanceHighImplement technical controls on public register data export systems to prevent bulk or category-wide exports of personal data to third countries, and require derogation review.
9cc372a77f3915International Transfer GovernanceHighMaintain a register of all international data transfers to third countries or international organisations, including the applicable Article 46 safeguard.
6649b0b8194748International Transfer GovernanceHighImplement a formal intake and assessment process for foreign legal orders (court judgments) or administrative decisions from third countries) requiring transfer or disclosure.
c78c59dab8f249International Transfer GovernanceHighImplement an integrated third-country transfer governance platform that: (1) manages and logs all derogation-based transfers under Art. 49(1), capturing necessity assessments.
b875a6f6ddc145International Transfer GovernanceHighImplement a contingency and incident response capability for adequacy decision revocation events, comprising: (1) a documented contingency plan for each transfer destination.
61caf1e2d8b147International Transfer GovernanceHighImplement a monitoring and reporting mechanism to detect and report to the competent supervisory authority any third-country legal requirements (laws, judgments, etc.).
3c80ae6b6ea86Breach & Change Notification PipelineHighImplement a purpose compatibility assessment workflow and register that evaluates and documents whether further processing of personal data for a new purpose is compatible.
211836e9941d118Breach & Change Notification PipelineHighBuild an automated notification workflow in the data management system that triggers a communication to the data subject before a processing restriction is lifted.
cc4f29f6fcc114Breach & Change Notification PipelineHighImplement a purpose-change detection and notification workflow that identifies when personal data obtained indirectly is intended to be processed for a new purpose.
849da1b9569813Breach & Change Notification PipelineHighImplement a secondary purpose change detection and notification system that identifies when personal data is intended to be processed for a purpose other than originally collected.
0a7502aaf86814Breach & Change Notification PipelineHighImplement automated workflows that track data acquisition timestamps from third-party sources and enforce delivery of privacy notices within the prescribed window.
cbb9c7ace7d614Breach & Change Notification PipelineHighImplement and maintain a comprehensive privacy notice management system for indirect data collection scenarios that: (1) captures and delivers control points.
74cc1fee843c22Data Subject Rights OperationsHighImplement a human intervention workflow system with automated decision-making applications that enables data subjects to (a) request human review of automated decisions.
93f85472bb9126Data Subject Rights OperationsHighEach joint controller must independently implement operational capability to receive, process, and respond to data subject rights requests (access, erasure, etc.).
a971feeb94c121Data Subject Rights OperationsHighImplement technical mechanisms in information society services to receive, parse, and honour automated objection signals from data subjects (e.g. Global Privacy Control).
5d4cfc7d822c8Lawful Basis & Consent EngineeringHighImplement an integrated child consent management system within information society service registration and consent flows that: (1) enforces an age-gate.
showing · 20 of 46 · 26 more · 15 high · 18 moderate · 13 low overall expand_moreShow all 46 priority gaps