Intermediate · Claude · ChatGPT · Copilot

GDPR Financial Data Compliance Checker

What does this prompt do?

Data protection officers, compliance managers, and legal teams at financial institutions use this prompt to systematically check a specific data processing activity against GDPR, identifying the gaps that would be flagged in a supervisory authority inspection or internal DPIA, and generating a prioritized action list that can be assigned to remediation owners before a compliance deadline.

Prompts

You are a data protection officer specializing in GDPR compliance for financial services. I will describe a financial data processing activity, and your task is to review it against GDPR requirements, identify specific compliance gaps, and produce a prioritized remediation checklist.

Data processing activity details:
- Activity description: [DATA PROCESSING ACTIVITY DESCRIPTION]
- Categories of personal data processed: [PERSONAL DATA CATEGORIES]
- Purpose of processing: [PROCESSING PURPOSE]
- Data subjects: [DATA SUBJECT TYPES]
- Countries where data is stored or transferred: [DATA LOCATIONS AND TRANSFER COUNTRIES]
- Current legal basis claimed: [CURRENT LEGAL BASIS]
- Retention period applied: [CURRENT RETENTION PERIOD]
- Third parties with access to the data: [THIRD-PARTY PROCESSORS OR CONTROLLERS]

Review the described processing activity against each of the following GDPR compliance dimensions:

**1. Lawful Basis Assessment**
Evaluate whether the stated legal basis is appropriate for the described processing purpose. For financial services activities, assess whether the claimed basis (consent, contract performance, legal obligation, legitimate interests, vital interests, or public task) is the most appropriate and defensible. Flag any basis that would not withstand regulatory scrutiny, and recommend the correct basis with supporting rationale.

**2. Data Minimization and Purpose Limitation**
Assess whether the personal data categories collected are limited to what is strictly necessary for the stated purpose. Identify any data elements that appear excessive, irrelevant, or incompatible with the original collection purpose. Note any secondary use risks.

**3. Retention Compliance**
Evaluate the current retention period against the GDPR Article 5(1)(e) storage limitation principle, applicable financial services regulatory retention requirements (AML, MiFID II, PSD2, EMIR), and the stated purpose. Flag over-retention or under-retention, and specify the compliant retention schedule for each data category.

**4. Cross-Border Transfer Compliance**
For any transfers to countries outside the EEA, assess the applicable transfer mechanism: adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or derogations. Identify any transfers without a valid mechanism.

**5. Data Subject Rights Readiness**
Assess whether the described processing activity creates practical challenges for honoring data subject rights: access, rectification, erasure, restriction, portability, and objection. Flag any processing characteristics that make rights fulfillment technically difficult.

**6. Remediation Checklist**
Produce a numbered remediation checklist organized by priority: Critical (regulatory breach risk), High (significant compliance gap), Medium (best practice deviation). Each item should include: the gap description, the specific GDPR article or recital it relates to, and the recommended action.

Prompt Variables

Replace each placeholder with your specific information:

[DATA PROCESSING ACTIVITY DESCRIPTION]
[PERSONAL DATA CATEGORIES]
[PROCESSING PURPOSE]
[DATA SUBJECT TYPES]
[DATA LOCATIONS AND TRANSFER COUNTRIES]
[CURRENT LEGAL BASIS]
[CURRENT RETENTION PERIOD]
[THIRD-PARTY PROCESSORS OR CONTROLLERS]

What You'll Get

A structured GDPR compliance assessment covering six dimensions: lawful basis adequacy, data minimization compliance, retention schedule evaluation, cross-border transfer mechanism adequacy, data subject rights readiness, and a prioritized remediation checklist with GDPR article references, gap descriptions, and recommended actions organized by Critical, High, and Medium priority.

💡 Pro Tip

Financial services processing activities often face a tension between GDPR's storage limitation principle and sector-specific regulatory retention mandates. Always specify both the GDPR legal basis and any applicable financial regulation retention requirements; the AI will identify which regulatory obligation takes precedence and how to document the conflict correctly in your Records of Processing Activities.

Compatible AI Tools

Claude

Best for comprehensive GDPR assessments of complex financial data processing activities involving multiple legal bases and cross-border transfers. Claude can distinguish between GDPR requirements and sector-specific obligations such as MiFID II or PSD2 data retention rules, and will flag conflicts where regulatory retention obligations override the GDPR storage limitation principle.

ChatGPT

Effective for GDPR gap assessments when provided with sufficient context about the processing activity. Ask GPT-4o to format the remediation checklist in a numbered table with the GDPR article reference, gap description, and recommended action in separate columns for easy import into a compliance tracking system.

Copilot

Useful for DPOs and compliance teams using Microsoft Purview Information Protection. Copilot can cross-reference the assessment against your existing Records of Processing Activities stored in SharePoint and flag discrepancies between the described activity and the current ROPA entry.

Gemini

Good for teams using Google Workspace. Gemini can generate the remediation checklist directly into Google Sheets with priority columns, ownership fields, and due date tracking, creating a live compliance action tracker from the assessment output.

Related Prompts

Regulatory Change Impact Analyzer

Chief Compliance Officers, regulatory affairs teams, and business line compliance officers use this prompt when a new rule is finalized or proposed, converting regulatory text into an actionable, cross-functional impact assessment that drives implementation planning, resource allocation, and board-level reporting before the compliance deadline.

KYC Document Checklist Generator

Compliance officers and onboarding teams use this prompt to rapidly generate a complete, jurisdiction-specific KYC document checklist when opening new accounts for individuals, SMBs, or corporations, reducing the risk of missing required documentation and ensuring regulatory alignment before the first transaction.
