MCP server for GDPR compliance of AI systems. Features: processing classification, lawful basis assessment, DPIA generation. From MEOK AI Labs.
Project description
GDPR Compliance AI MCP
Full GDPR compliance assessment for AI/ML systems — data processing classification, lawful basis determination, DPIA generation, data subject rights handling, breach notification, and EU AI Act crosswalks.
What This Does
The General Data Protection Regulation (EU 2016/679) governs how organizations process personal data of EU residents — with fines up to €20M or 4% of global annual turnover. For AI systems, GDPR is especially demanding: Article 22 restricts purely automated decisions, Article 35 mandates DPIAs for high-risk processing, and the right to erasure (Art. 17) raises hard questions about machine unlearning.
This MCP server gives your AI assistant the ability to classify processing activities, determine lawful basis under all six Article 6 bases, generate DPIAs, guide data subject rights responses, assess breach notification obligations (the 72-hour rule), and map GDPR requirements to the EU AI Act.
Quick Start
    npx meok-setup --pack governance
Tools
| Tool | Description | Parameters |
|---|---|---|
| `classify_processing` | Determines which GDPR articles apply to a data processing activity, whether a DPIA is required, and what obligations are triggered. Classifies risk level (LOW → VERY HIGH) based on special categories, children's data, automated decision-making, and scale. | `processing_description`, `data_categories`, `data_subjects`, `processing_purposes`, `automated_decision_making`, `large_scale` |
| `lawful_basis_assessment` | Evaluates all 6 lawful bases under Article 6 (consent, contract, legal obligation, vital interests, public interest, legitimate interests) and recommends the best fit with AI-specific considerations and supporting rationale. | `processing_purpose`, `data_categories`, `controller_type`, `relationship_with_data_subject`, `ai_processing` |
| `dpia_generator` | Produces a structured Data Protection Impact Assessment per Article 35. Includes necessity assessment, risk evaluation across 7 risk factors, technical/organisational mitigation measures, and consultation requirements. | `system_name`, `system_description`, `processing_purposes`, `data_categories`, `data_subjects`, `data_volume`, `retention_period`, `third_party_sharing`, `international_transfers` |
| `rights_request_handler` | Guides responses to data subject rights requests (Articles 15–22): access, rectification, erasure, restriction, portability, objection, and automated decision-making. Provides step-by-step procedures with AI-specific implications. | `right_invoked`, `data_subject_description`, `processing_context`, `ai_system_involved`, `request_details` |
| `breach_notification` | Assesses breach severity and determines notification requirements under Articles 33–34. Calculates the 72-hour deadline, decides whether supervisory authority and data subject notification is required, and generates notification content. | `breach_description`, `data_categories_affected`, `number_of_records`, `breach_type`, `detection_timestamp`, `ai_system_involved` |
| `crosswalk_to_eu_ai_act` | Maps GDPR requirements to EU AI Act obligations. Shows where GDPR compliance satisfies, complements, or creates tension with EU AI Act requirements. Essential for dual-compliance programmes. | `gdpr_articles`, `focus_area` |
Usage Examples
Classify an AI system's data processing
Use the classify_processing tool with:
    processing_description: "ML-based credit scoring system that analyzes transaction history, employment data, and social media activity to generate credit risk scores"
    data_categories: ["financial transactions", "employment history", "social media activity", "name", "address"]
    data_subjects: ["loan applicants", "customers"]
    processing_purposes: ["credit risk assessment", "automated lending decisions"]
    automated_decision_making: true
    large_scale: true
Expected output: Risk level HIGH/VERY HIGH, DPIA required (Art. 35 triggered by automated decision-making + large scale), Art. 22 obligations apply, Art. 9 may apply if social media reveals political opinions or religious beliefs.
Determine lawful basis for AI training
Use the lawful_basis_assessment tool with:
    processing_purpose: "Training a fraud detection ML model on historical transaction data"
    data_categories: ["transaction amounts", "merchant IDs", "timestamps", "IP addresses"]
    controller_type: "private"
    relationship_with_data_subject: "customer"
    ai_processing: true
Expected output: Legitimate interests (Art. 6(1)(f)) recommended with score ~60. Consent scored lower due to AI training complexity. Requires Legitimate Interest Assessment (LIA) with enhanced scrutiny for AI profiling.
Handle an erasure request for AI training data
Use the rights_request_handler tool with:
    right_invoked: "erasure"
    data_subject_description: "Former customer who closed account 6 months ago"
    processing_context: "Customer data used to train recommendation engine model"
    ai_system_involved: true
    request_details: "Requesting complete deletion of all personal data including from ML model training data"
Expected output: 6-step response procedure including verification, checking Art. 17(3) exceptions, machine unlearning considerations, model retraining assessment, and notification to downstream recipients.
Assess a data breach involving an AI system
Use the breach_notification tool with:
    breach_description: "Unauthorized access to training data repository containing patient health records used for diagnostic AI model"
    data_categories_affected: ["health records", "diagnostic data", "patient IDs", "biometric data"]
    number_of_records: 50000
    breach_type: "confidentiality"
    detection_timestamp: "now"
    ai_system_involved: true
Expected output: Severity CRITICAL, notify supervisory authority within 72 hours (Art. 33), notify affected data subjects (Art. 34), assess model compromise risk, consider EU AI Act Art. 62 serious incident reporting.
Installation
Claude Desktop
Add to claude_desktop_config.json:
    {
      "mcpServers": {
        "gdpr-compliance-ai": {
          "command": "npx",
          "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
        }
      }
    }

Or install via Smithery:

    npx smithery mcp add nicholastempleman/gdpr-compliance-ai-mcp
Cursor
Add to .cursor/mcp.json:
    {
      "mcpServers": {
        "gdpr-compliance-ai": {
          "command": "npx",
          "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
        }
      }
    }
VS Code
Add to .vscode/mcp.json:
    {
      "servers": {
        "gdpr-compliance-ai": {
          "command": "npx",
          "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
        }
      }
    }
pip
    pip install meok-gdpr-compliance-ai-mcp
Related Servers
| Server | Purpose |
|---|---|
| eu-ai-act-compliance | EU AI Act risk classification and Annex IV documentation |
| iso-27001-ai | Information security management (93 Annex A controls) |
| iso-42001-ai | AI management system — Annex A controls and Annex B risk |
| nis2-compliance | NIS2 entity classification and Article 21 measures |
| csoai-governance-crosswalk | 12 compliance frameworks mapped through 52 articles |
Pricing
- Free tier: 10 calls/day per tool
- Pro: £79/mo — unlimited calls + cryptographically signed compliance attestations
License
MIT © MEOK AI Labs
File details
Details for the file gdpr_compliance_ai_mcp-1.0.6.tar.gz.
File metadata
- Download URL: gdpr_compliance_ai_mcp-1.0.6.tar.gz
- Upload date:
- Size: 33.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e1c4da80a552a7699ea95bf4ac90cd1ef65a5b5633180beebe903f7ea7a11fe2 |
| MD5 | f661124ed85885c325c666337cf865c8 |
| BLAKE2b-256 | fe65e6a9c760f8f32875f21b18cd96c84c52bce6564bb39f8247604e80c43660 |
File details
Details for the file gdpr_compliance_ai_mcp-1.0.6-py3-none-any.whl.
File metadata
- Download URL: gdpr_compliance_ai_mcp-1.0.6-py3-none-any.whl
- Upload date:
- Size: 22.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0ea531704d2ce5a49a899d418cd7137ca80a70f04df4f5f9a54a1cecd49f4f7b |
| MD5 | 024b7d7841ad9f8b1ddcc622e40381db |
| BLAKE2b-256 | c35253d7e0350c38bad743397e373769402c6535a106630bfb7925c6d90208cf |