
AI Prompts for Compliance: GDPR, SOC 2, and Regulatory Framework Analysis

AI prompt templates for compliance work — GDPR assessments, SOC 2 audit prep, privacy policy review, risk assessment, and gap analysis across regulatory frameworks.

SurePrompts Team
April 13, 2026
10 min read

TL;DR

Prompt templates for AI-assisted compliance work covering GDPR, SOC 2, privacy reviews, risk assessment, and regulatory gap analysis — practical tools for compliance professionals.

Compliance work is inherently systematic. Take a regulatory framework, compare it against organizational practices, identify gaps, build a plan to close them. That systematic nature makes compliance one of the strongest use cases for AI in legal and regulatory work.

AI cannot tell you whether you are compliant — that requires understanding actual operations, technical infrastructure, and organizational context. But it can accelerate every other part: mapping requirements, generating checklists, drafting policies, identifying documentation gaps, and preparing for audits.

Disclaimer: AI-assisted compliance analysis is a tool for professional teams, not a substitute for qualified legal counsel or certified auditors. Regulatory requirements change frequently, and compliance depends on facts specific to your organization. All AI-generated guidance should be validated by qualified professionals.

GDPR Compliance Prompts

Applicability Assessment

Assess GDPR applicability for:
- Entity: [e.g., US-based SaaS company]
- HQ: [COUNTRY], EU operations: [YES/NO]
- EU users: [APPROXIMATE NUMBER]
- Data collected: [LIST TYPES]
- Processing activities: [DESCRIBE]

Analyze: territorial scope (Art. 3), material scope (Art. 2),
our role (controller/processor/both), need for EU
representative (Art. 27), need for DPO (Art. 37).

Practical next steps based on the assessment.

Privacy Policy Review

Review this privacy policy for GDPR compliance.
Applicable regulations: [GDPR + any additional frameworks]

Check each Article 13/14 requirement:
- Controller identity and DPO contact
- Purposes and legal basis for each processing activity
- Legitimate interests (if relying on Art. 6(1)(f))
- Recipients, international transfers, retention periods
- Data subject rights (access, rectification, erasure,
  restriction, portability, objection)
- Right to withdraw consent and right to complain
- Automated decision-making/profiling (Art. 22)

For each: PRESENT / MISSING / INCOMPLETE with specific
language quoted if present, and suggested text for gaps.

Also assess readability, accuracy, and consistency.

[PASTE POLICY]

Data Protection Impact Assessment

Generate a DPIA framework for:
Activity: [DESCRIBE — e.g., AI-powered customer chatbot
processing queries and purchase history]
Data subjects: [WHO], Data types: [WHAT], Scale: [VOLUME]

Structure:
1. DESCRIPTION — nature, scope, context, purpose, data flows
2. NECESSITY — is processing necessary? could purpose be
   achieved with less data? legal basis? retention limits?
3. RISKS — for each: description, likelihood, severity,
   impact on data subjects' rights
4. MITIGATION — for each risk: measure, residual risk,
   responsibility, timeline
5. CONSULTATION — Art. 36 required? DPO consulted? Data
   subjects' views?
6. DECISION — proceed / modify / abandon, review schedule

DSAR Response Process

Develop a DSAR process for [ORGANIZATION TYPE]:

1. INTAKE: identity verification, acknowledgment template,
   timeline management (1-month deadline), extension criteria
2. SEARCH: systems to check, methodology, unstructured data,
   third-party processor coordination
3. RESPONSE: cover all Art. 15 requirements, structured data
   format, accompanying rights information
4. EXCEPTIONS: manifestly unfounded requests, third-party
   data, legal privilege, trade secrets
5. DOCUMENTATION: audit trail, retention, metrics

SOC 2 Audit Preparation Prompts

Readiness Assessment

SOC 2 Type II readiness assessment for:
Organization: [COMPANY TYPE], Hosting: [CLOUD PROVIDER]
Employees: [NUMBER], Trust Criteria in scope: [LIST]

Assess each Common Criteria (CC1-CC9):
- Control environment, communication, risk assessment,
  monitoring, control activities, access controls, system
  operations, change management, risk mitigation

For each: required evidence, common gaps for [COMPANY TYPE],
priority (must-fix / should-address / nice-to-have),
estimated implementation effort.

Policy Documentation

Generate a [POLICY NAME — e.g., Information Security Policy /
Access Control Policy / Incident Response Policy] outline.

Organization: [TYPE], Size: [EMPLOYEES], Stack: [KEY SYSTEMS]

Structure: purpose, scope, definitions, policy statements
(specific enough to be auditor-testable), roles and
responsibilities, procedures, compliance and enforcement,
related policies, revision history.

NOTE: Customize to reflect actual practices. Auditors verify
documented controls match implemented controls.

Evidence Collection Checklist

Evidence collection checklist for SOC 2 Type II audit
covering [DATE RANGE]. Criteria in scope: [LIST].

For each control area: required evidence (what it
demonstrates, format, time period), collection instructions
(where to get it, how to export, privacy redactions), and
common rejection reasons.

Organize by: entity-level, IT general controls,
application-level, vendor controls. Include a backward
timeline from the evidence request deadline.

Gap Remediation Plan

Create a remediation plan for these SOC 2 gaps:
[LIST — e.g., no access review process, no documented
incident response, informal change management, no vendor
risk program, untested backups]

For each: SOC 2 criteria affected, risk if unresolved, audit
impact, remediation steps, evidence to generate, minimum
operating period before Type II audit, resources needed,
priority, and target completion date.

Present as a project plan with milestones and owners.

Risk Assessment and Gap Analysis Prompts

Regulatory Risk Matrix

Create a regulatory risk matrix for:
Organization: [TYPE AND INDUSTRY]
Jurisdictions: [WHERE YOU OPERATE]
Activities: [DESCRIBE]

For each applicable regulation: citation, regulatory body,
applicability basis, enforcement likelihood (1-5), penalty
severity (1-5), overall risk score, trend, current compliance
level, known gaps, and priority actions.

Matrix format, then narrative prioritization.

Note: formal risk assessments should include input from counsel
familiar with current enforcement in your industry.

Compliance Gap Analysis

Gap analysis for [FRAMEWORK — e.g., GDPR / HIPAA / PCI DSS /
ISO 27001 / NIST CSF]:

Current state: [DESCRIBE posture]
Recent changes: [NEW PRODUCTS, MARKETS, ORG CHANGES]

For each requirement: citation, what compliance looks like,
current state, gap description, severity (critical / major /
minor), root cause (policy / process / technology / awareness),
remediation actions, evidence requirements.

Summary: total assessed, met/partial/not met, compliance %,
top 10 priorities, timeline and budget estimate.

Third-Party Risk Assessment

Third-party risk assessment template for [VENDOR TYPE]:

What data they access: [TYPES]
What systems they connect to: [DESCRIBE]
Applicable regulations: [LIST]
Criticality: [LOW/MEDIUM/HIGH/CRITICAL]

Assessment areas with 5-10 questions each:
1. Security posture (certs, policies, encryption, incident
   response)
2. Data handling (locations, sub-processors, retention,
   breach notification)
3. Business continuity (DR, SLAs, financial stability)
4. Regulatory compliance (status, audit reports, enforcement)
5. Contractual protections (DPA, liability, audit rights)

Scoring methodology and approval threshold.

Multi-Framework Control Mapping

Map controls across: [e.g., SOC 2 + GDPR + ISO 27001]

For each control domain (access control, encryption, incident
response, etc.): specific requirement from each framework,
common control satisfying all, where requirements diverge,
most stringent requirement to implement, and evidence
satisfying each framework's audit.

Matrix format. Goal: implement once, comply with many.

Note: validate mappings with professionals certified in each
framework.

Cross-Framework Compliance Prompts

Compliance Program Maturity Assessment

Assess compliance program maturity (5 levels: Ad Hoc,
Developing, Defined, Managed, Optimizing) across:

1. Governance  2. Risk assessment  3. Policies  4. Training
5. Monitoring  6. Incident management  7. Third-party mgmt
8. Regulatory change mgmt  9. Documentation  10. Automation

Current state: [DESCRIBE]

For each: current level with justification, realistic target
for [ORG TYPE], actions to advance one level, resources,
timeline, quick wins.

Regulatory Change Management

Design a regulatory change management process for
[INDUSTRY] in [JURISDICTIONS]:

1. MONITORING — sources, frequency, tools, responsible role
2. ASSESSMENT — impact determination criteria, template, who
   is involved, assessment timeline
3. IMPLEMENTATION — policy updates, technical changes,
   training, communication plan
4. DOCUMENTATION — audit trail, reporting
5. VERIFICATION — confirm implementation, testing,
   post-implementation review

Provide templates: notification form, impact worksheet,
tracking spreadsheet, leadership report.

Compliance Training Prompts

Training Needs Assessment

Develop a compliance training program for [ORG TYPE AND SIZE]
subject to [REGULATIONS].

For each role category (executive, manager, general staff,
IT, developer, customer-facing, new hire):
- Required training topics and regulatory mandates
- Training frequency and delivery method
- Assessment requirements
- Completion tracking for audit evidence

Priority modules based on regulatory risk. Include metrics
and KPIs for measuring program effectiveness.

Compliance Awareness Content

Create [FORMAT — e.g., a 10-question quiz / a one-page
reference card / a lunch-and-learn outline] on [TOPIC —
e.g., data handling best practices / phishing awareness /
GDPR data subject rights].

Audience: [ROLE TYPE] at a [COMPANY TYPE].
Tone: practical and engaging, not lecturing.
Include real-world scenarios relevant to their daily work.

The content should be audit-evidenceable — something we can
show an auditor as part of our training program documentation.

What AI Does and Does Not Do for Compliance

AI strengths

  • Framework interpretation: translating dense regulatory text into practical requirements
  • Checklist generation: comprehensive coverage of every requirement
  • Policy drafting: first drafts of policies and procedures
  • Gap identification: comparing current state against framework requirements
  • Control mapping: identifying overlaps across frameworks
  • Training content: compliance training materials and assessments

AI limitations

  • Cannot verify actual compliance: it analyzes descriptions, not your systems
  • Cannot provide legal opinions: compliance determinations require legal judgment
  • Cannot replace auditors: external auditors test controls and apply professional judgment
  • Has training cutoffs: regulations change; verify against current sources
  • Lacks your context: risk profile, architecture, and business context are essential
  • May misinterpret nuanced requirements: some regulations depend on context, enforcement history, and regulator guidance that AI may not fully capture

Building Your Compliance Prompt Library

Compliance work is repetitive — the same assessments run annually, the same policies need review, the same evidence is collected each audit. Save customized prompts in SurePrompts' Template Builder for reuse across cycles. Refine based on what auditors accept and how regulations evolve. The AI prompt generator builds custom compliance prompts for specific frameworks.

Getting Started

  • Start with your highest-risk framework: run the gap analysis prompt against the regulation that matters most to you.
  • Map your controls: run the multi-framework mapping early so you do not build duplicate controls.
  • Draft policies: use the documentation prompts, then customize the output to match actual practices.
  • Prepare for audit: use the evidence collection and readiness prompts to close gaps before auditors arrive.
  • Build ongoing processes: use the regulatory change management and training prompts to keep the program sustainable.

For related guidance, see AI prompts for lawyers, AI contract analysis, and legal research with AI.

FAQ

What compliance frameworks work best with AI?

Prescriptive frameworks with enumerable controls — SOC 2 Trust Service Criteria, ISO 27001 Annex A, PCI DSS, NIST CSF — work best because AI can systematically assess against specific requirements. Principles-based frameworks like GDPR work well for documentation and assessment, though legal interpretation requires human expertise. Frameworks requiring heavy industry context benefit less from AI automation.

How do I convince leadership to invest in compliance proactively?

Use AI to generate a regulatory risk assessment showing financial exposure from non-compliance — concrete penalty ranges and enforcement trends give leadership calculable numbers. Frame investment as risk reduction: the cost of building a program versus potential penalties, litigation costs, and business disruption from a compliance failure. Reference general enforcement trends in your industry without fabricating specific cases.

Can I reuse the same prompts across different frameworks?

Many structures transfer: gap analysis, risk assessment, policy drafting, and evidence collection follow similar patterns regardless of framework. The key differences are specific requirements and terminology. Start with cross-framework control mapping to identify commonalities, then customize for each framework's unique requirements.
