A Claude skill that scans a codebase and produces draft GDPR/UK GDPR artefacts: a Record of Processing Activities (ROPA), a third party transfer register, AI/LLM processing findings, and a starting point for a privacy notice.
This is a tool for practitioners, not a replacement for one. Every output is a draft that requires review by a qualified person (DPO, privacy consultant, data protection lead). The skill cannot determine lawful basis with certainty, cannot confirm whether contracts and DPAs are in place, and cannot see the operational reality behind the code.
Scans a codebase for five things:
- Personal data categories - what fields appear in schemas, forms, API shapes, logs
- Third party data flows - what processors are integrated and what data appears to go to them
- International transfers - which third parties are in non-adequate countries, and what transfer mechanism is likely needed
- AI/LLM processing - LLM API calls, vector databases, embeddings, automated decision-making patterns
- Cross-cutting flags - PII in logs, PII in URLs, missing retention signals, children's data signals, special category data signals, DSR readiness
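The kind of static heuristics a scan like this leans on, as an added illustration rather than the skill's own code: field-name matching for personal data and special category signals, an import-to-processor lookup that feeds the transfer register, an LLM API call pattern, and the two cross-cutting flags that matter most in practice (personal data in log statements and in URL query strings). The sample source lines and the processor lookup table are constructed for the example, and the region and adequacy entries are placeholders to be verified against provider documentation, not statements about any vendor.

```python
"""Illustrative static heuristics for a GDPR codebase scan (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # personal_data, special_category, children_signal, third_party,
                     # transfer, ai, pii_in_log, pii_in_url
    detail: str
    path: str
    line: int        # 1-based line within the file
    confidence: str  # HIGH, MEDIUM or LOW


# Constructed stand-in for two files of a scanned codebase.
SAMPLE_SOURCE = {
    "models/user.py": [
        "class User(Base):",
        "    email = Column(String)",
        "    date_of_birth = Column(Date)",
        "    health_condition = Column(String)",
        "    created_at = Column(DateTime)",
    ],
    "api/handlers.py": [
        "import stripe",
        "from openai import OpenAI",
        "logger.info(f'login ok for {user.email} from {request.ip}')",
        "return redirect(f'/verify?email={user.email}&token={token}')",
        "client.embeddings.create(model='text-embedding-3-small', input=text)",
    ],
}

# Field-name hints mapped to a personal data category (constructed, not exhaustive).
PERSONAL_FIELDS = {
    "email": "contact details", "phone": "contact details", "name": "identity",
    "date_of_birth": "identity", "dob": "identity", "ip": "online identifier",
}
# Names that suggest Article 9 special category data or children's data.
SPECIAL_CATEGORY_FIELDS = {"health_condition", "ethnicity", "religion", "biometric_id"}
CHILD_SIGNALS = {"date_of_birth", "dob", "age", "parental_consent"}

# Constructed processor lookup: import name -> metadata. Region and adequacy are
# placeholders for the example and must be checked against the provider's own docs.
PROCESSORS = {
    "stripe": {"name": "Stripe", "region": "US", "adequate": False, "llm": False},
    "openai": {"name": "OpenAI", "region": "US", "adequate": False, "llm": True},
}

FIELD_RE = re.compile(r"^\s*(\w+)\s*[:=]")                      # schema / model field definition
IMPORT_RE = re.compile(r"^\s*(?:from\s+(\w+)|import\s+(\w+))")   # top-level module import
LOG_RE = re.compile(r"\b(?:logger|log|logging|console|print)\b")  # logging call on the line
QUERY_PARAM_RE = re.compile(r"[?&](\w+)=")                        # query-string parameter names
AI_CALL_RE = re.compile(r"\b(?:embeddings|chat\.completions|messages)\.create\(")
PII_TOKEN_RE = re.compile(
    r"\b(" + "|".join(sorted(PERSONAL_FIELDS, key=len, reverse=True)) + r")\b")


def scan_file(path, lines):
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            name = m.group(1).lower()
            if name in SPECIAL_CATEGORY_FIELDS:
                # The name alone does not prove Art. 9 contents, hence MEDIUM.
                findings.append(Finding("special_category",
                    f"{name}: name suggests Art. 9 data; confirm contents", path, n, "MEDIUM"))
            elif name in PERSONAL_FIELDS:
                findings.append(Finding("personal_data",
                    f"{name}: {PERSONAL_FIELDS[name]}", path, n, "HIGH"))
            if name in CHILD_SIGNALS:
                findings.append(Finding("children_signal",
                    f"{name}: age-related field; check whether under-18s are in scope", path, n, "LOW"))
        m = IMPORT_RE.match(line)
        if m:
            proc = PROCESSORS.get((m.group(1) or m.group(2)).lower())
            if proc:
                findings.append(Finding("third_party",
                    f"{proc['name']} SDK imported (region {proc['region']})", path, n, "HIGH"))
                if not proc["adequate"]:
                    # Residency is a snapshot and code is not contract, hence MEDIUM.
                    findings.append(Finding("transfer",
                        f"{proc['name']} ({proc['region']}): non-adequate; transfer mechanism "
                        "likely needed, DPA to be confirmed by reviewer", path, n, "MEDIUM"))
                if proc["llm"]:
                    findings.append(Finding("ai", f"{proc['name']} SDK imported", path, n, "MEDIUM"))
        if AI_CALL_RE.search(line):
            findings.append(Finding("ai", "LLM / embedding API call", path, n, "HIGH"))
        if LOG_RE.search(line):
            hits = sorted(set(PII_TOKEN_RE.findall(line)))
            if hits:
                findings.append(Finding("pii_in_log",
                    "log statement references " + ", ".join(hits), path, n, "HIGH"))
        pii_params = [p for p in QUERY_PARAM_RE.findall(line) if p.lower() in PERSONAL_FIELDS]
        if pii_params:
            findings.append(Finding("pii_in_url",
                "query string carries " + ", ".join(pii_params), path, n, "HIGH"))
    return findings


def scan(codebase):
    """Scan a {path: [lines]} mapping and return all findings in file order."""
    return [f for path, lines in codebase.items() for f in scan_file(path, lines)]


def summarise(findings):
    """Count findings per kind; the shape a summary report would start from."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f.confidence:6} {f.kind:16} {f.path}:{f.line}  {f.detail}")
```

The confidence tiers are the point of the sketch: a field name is strong evidence that a category exists but weak evidence of purpose or of what a special category column actually holds, and a processor import says nothing about whether a DPA or transfer mechanism is in place, so those findings are downgraded for the reviewer rather than asserted.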
Produces five outputs in a gdpr-review/ directory:
- summary.md - human-readable report
- ropa-draft.xlsx - structured draft ROPA aligned to the ICO's official Documentation for Controllers template, with green-shaded Article 30(1) mandatory columns and blue-shaded ICO-recommended useful additional columns matching the ICO original. The XLSX is the only ROPA format produced; CSV loses the colour coding that carries practitioner meaning. The ICO Documentation for Controllers template is used under the Open Government Licence v3.0.
- transfer-register.csv - draft international transfer register
- ai-processing.md - AI-specific findings
- methodology.md - what was and was not scanned
The skill does not:
- Determine lawful basis (it suggests, with confidence indicators)
- Confirm whether DPAs / SCCs / IDTAs are in place
- Validate retention periods against business need
- Audit security controls beyond what is visible in code
- Replace a qualified person performing a data protection review
- Clone this repository into your Claude skills directory, or download the `.skill` package from the releases page.
- The skill triggers when you ask Claude to do a GDPR scan, privacy audit, ROPA draft, or similar.
In Claude Code, Claude.ai, or Claude Desktop with the skill installed:
Run a GDPR review on this repo.
Or scope it:
Run a /gdpr scan on the /api directory.
Or ask for a specific output:
Draft a ROPA for this codebase.
List the third party processors and where data flows.
What AI processing is happening in this app?
This skill is honest about what it cannot do. Read references/scanning-strategy.md in the skill itself for what is and is not in scope.
Key limitations:
- Static analysis only. Runtime behaviour is not visible. Which cookies are actually set in production, which requests are actually made, and what data is actually sent all lie beyond what the code shows.
- Purpose inference is the weakest dimension. Where naming is unclear, findings are flagged LOW confidence rather than guessed.
- The processor lookup is a snapshot. Provider data residency and transfer mechanisms change. The reference file should be refreshed periodically.
- Code does not equal contract. A processor relationship in code may be a joint controller relationship in legal reality. The reviewer determines roles.
Contributions welcome, particularly:
- Additional processors in the lookup table (with source for residency claims)
- Stack-specific scanning improvements (Rails, Java, Go, etc.)
- Detection patterns for special category data and children's data
- Test cases (anonymised example codebases)
This skill is in active development. If you spot a false negative or a misclassification, raise an issue.
Built by Gareth Downs, someone who has had to write ROPAs from scratch and would rather not do that again.
The ROPA template structure follows the ICO's Documentation for Controllers template, used under the Open Government Licence v3.0.
MIT.
This skill is a personal open-source project, unrelated to the maintainer's other professional activities. This skill produces drafts for review. It does not constitute legal or compliance advice. The author accepts no liability for outputs used without appropriate human review. If you ship a privacy notice generated by this skill without a qualified person reviewing it, that is on you.