Ship Lean | Workflow | AEO

How to Build a Claude Code Workflow for GDPR/DSGVO Audits

A repo-first Claude Code workflow that drafts GDPR/DSGVO audit checklists, surfaces gaps, and ships a report. The model finds the patterns. A qualified attorney still signs off.


Direct Answer

A Claude Code workflow for GDPR or DSGVO audits drafts the checklist, scans the repo and config for known patterns, surfaces the obvious gaps, and produces a structured report. A qualified attorney signs off on the legal interpretation. The model finds the patterns it can find. The human owns the call on what they mean.

This is not legal advice and does not replace an attorney. The workflow is a research and drafting tool. The goal is to cut attorney review hours, not the attorney’s role. Use it to bring a tighter draft to the legal conversation. Use it to run the recurring checks between formal audits. Use it to keep a public record of what was checked, when, and by whom.

Use This When And When To Skip It

Use this                                                   | Skip this
-----------------------------------------------------------|----------------------------------------------------------------------------
You have a qualified attorney in the loop already          | You have never had a privacy review
Your product has EU traffic or handles EU resident data    | No EU traffic, no EU users, no EU data, and no recurring privacy-review need
You want recurring checks between formal audits            | You only need a one-time review
You will treat the model output as a draft, not a verdict  | You want the model to tell you you are compliant

Tradeoff: the workflow saves attorney hours. It does not produce compliance. Compliance is a human judgment, and the judgment belongs to a qualified professional.

The System

Trigger     -> quarterly checkpoint, or any major change to data handling
Inputs      -> repo, third-party services list, current privacy policy, audit scope
Claude step -> scan for known patterns, draft checklist, produce report
Output      -> structured report: green/yellow/red per checklist item, with code references
Approval    -> qualified attorney reviews the report, owns the legal interpretation
Action      -> code or policy changes get tickets; the model does not edit production
Audit log   -> every run, every report, every attorney sign-off is filed by date
Feedback    -> next quarter's run reads the previous report; deltas are flagged

The split is the safety. The model produces a draft. The attorney signs off. Production never changes without a ticket reviewed by a human.

Steal This Workflow

This is the shape of a repo-first audit workflow. Eight steps, one attorney gate.

1. Define the audit scope as a one-page file in the repo. What is in scope (the marketing site, the app backend, the analytics layer). What is out of scope (third-party processors, the payment provider’s compliance). Scope is the difference between a useful report and a generic checklist.

2. List third-party services in a file. Every script loaded in the page head, every API the backend calls, every analytics tool, every email provider. The list is the surface area.

3. Open Claude Code in the repo with the scope and the service list. Ask it to read the codebase and the privacy policy, then produce a checklist with one row per relevant article or principle. Each row has the article, the requirement, the check it should run, and a placeholder for the result.

4. Run the scan prompts one section at a time. Cookies and consent. Data minimization. Right to access and deletion. Data transfer. Logging and retention. One prompt per section. The model returns code references where it finds something.

5. Generate the report. A structured markdown file: scope, services list, checklist results green/yellow/red, code references, recommendations. The report is the draft for the attorney.

6. Send the report to the attorney for sign-off. The attorney reads it, marks each row as accepted, modified, or rejected, and signs the final version. The signed report is the artifact.

7. Turn red items into tickets, not patches. The model does not edit production code or policy text. Each red item becomes a ticket the team owns. The fix gets reviewed and shipped through normal change control.

8. Schedule the next run. Quarterly is reasonable for most products. Use the n8n AI agent workflow pattern to trigger the next checkpoint and ping you with the previous report so the diff is visible. The same approval gate from the n8n AI agent tutorial applies: a person decides what becomes a ticket.

Do not auto-deploy any audit output. Ever.
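As an added example, not code from this page or from the plugin the Reddit thread describes, here is what one scan section from step 4 looks like when written as a script instead of a prompt: external scripts in the page head are checked against the step 2 service list, each finding becomes a report row with a green/red status and a file:line reference (step 5), and the rows are diffed against the previous run so deltas are flagged (step 8). The service hosts, the file name and the HTML are constructed sample input.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the step 2 service list (declared third-party
# hosts) and a page head to scan. The .test hosts are placeholders.
SERVICES = {"cdn.example-analytics.test", "fonts.example-cdn.test"}

HTML = """<html><head>
<script src="https://cdn.example-analytics.test/a.js"></script>
<script src="https://tracker.undeclared.test/t.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body></body></html>"""

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.I)


def scan_head_scripts(html, services, path="index.html"):
    """One checklist section: every external script loaded in <head>.

    A host that appears in the service list is green; a host nobody
    declared is red. Each row carries the file:line reference the
    attorney-facing report needs, so the finding can be verified by hand.
    """
    head = html.split("</head>", 1)[0]
    rows = []
    for lineno, line in enumerate(head.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).hostname
            if host is None:  # relative first-party script, not third-party
                continue
            rows.append({"check": "third-party script in head", "host": host,
                         "status": "green" if host in services else "red",
                         "ref": f"{path}:{lineno}"})
    return rows


def flag_deltas(previous_rows, current_rows):
    """Compare this run with the previous report: return (host, before, after)
    for every host whose status changed, appeared, or disappeared."""
    prev = {r["host"]: r["status"] for r in previous_rows}
    curr = {r["host"]: r["status"] for r in current_rows}
    deltas = []
    for host in sorted(prev.keys() | curr.keys()):
        before, after = prev.get(host, "absent"), curr.get(host, "absent")
        if before != after:
            deltas.append((host, before, after))
    return deltas


if __name__ == "__main__":
    rows = scan_head_scripts(HTML, SERVICES)
    for r in rows:
        print(f"{r['status']:5} {r['check']} {r['host']} ({r['ref']})")
    last_quarter = [{"host": "cdn.example-analytics.test", "status": "green"}]
    print("deltas:", flag_deltas(last_quarter, rows))
```

The output is still a draft row for the report, not a verdict: whether an undeclared tracker is a consent problem or a stale service list is the attorney's call.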

What This Looked Like For This Page

This topic came from the weekly AEO run, not from a Claude Code plugin Chris built.

The run pulled 936 raw Reddit RSS entries, scored 314 candidates, generated 25 AEO briefs, and marked 9 as publish_now. This one passed because:

Gate            | Why it passed
----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Source language | The thread used “built a Claude Code plugin for GDPR/DSGVO audits because attorney reviews were eating my budget” in the exact language a builder facing this problem would search
Artifact        | The answer maps to a repo-first workflow with a scope file, service list, sectioned scan prompts, and an attorney gate
Cluster fit     | It links into Claude Code, n8n, the workflow planner, and the JSON auditor without forcing

The page is research-inspired by the thread. Chris did not build this plugin. The workflow shape generalizes.

What Most People Get Wrong

The mistake is treating the model output as compliance instead of as a draft for the attorney.

Three failure modes:

  1. They skip the scope file. The model produces a generic GDPR checklist that does not match the product. The fix is the one-page scope file in the repo. Without it, every report reads the same.

  2. They let the model edit production. A pull request lands at 2am that “fixes the cookie banner.” The model has changed the consent logic in a way nobody reviewed. The fix is the strict rule: the model never edits production. Red items become tickets.

  3. They run the audit once. GDPR and DSGVO compliance is not a state; it is a posture. New third-party services, new endpoints, and new logs all change the surface area. Schedule the quarterly run on day one or the workflow dies.

The model does not give you compliance. It gives you a faster path to the attorney conversation.

How I Would Build This In Ship Lean

The Ship Lean version uses Claude Code for the scan, n8n for the schedule, and a separate filing system for the signed reports.

Claude Code in the repo. The scope, the service list, and the privacy policy live as files the model reads on every run. The model does not re-negotiate scope every quarter.

Plan the workflow before you build it. Use the Claude Code n8n workflow planner to map the scope, scan prompts, report, attorney gate, and ticket creation.

n8n owns the schedule and the routing. The quarterly trigger pings you with the previous report. The n8n AI agent workflow pattern handles the trigger and the gate. The same shape from the n8n AI agent tutorial keeps a human in the loop before anything customer-facing changes.

Audit any imported JSON. Workflows shared from forums or generated by models need a pass through the n8n workflow JSON auditor. This step catches credentials in code nodes and webhooks pointing at hosts you do not own.

The stack stays small. Repo, Claude Code, n8n, one filing location for signed reports. The AI stack for solo founders post goes into what to keep and what to cut.

Use the same SEO workflow on your trust pages. A privacy page, a security page, and a data-handling page are the trust assets buyers actually check. The Claude SEO workflow post shows how to wire Claude as a workflow step instead of a chat tab so these pages stay current.

Next Step

If you are paying for an attorney audit every quarter and the recurring checks are eating the budget, draft the scope file this week. Write the service list. Open Claude Code in the repo and ask for the section-by-section checklist.

The Claude Code n8n workflow planner gives you the scope, scan, report, gate, and ticket nodes in one map. Bring the map to the attorney conversation, not a vibe.

Source Signal

Research-inspired by a Reddit thread describing a Claude Code plugin for GDPR/DSGVO audits built because attorney reviews were expensive. Treat the thread as one operator’s note, not as Chris’s project. Original: r/ClaudeAI: “Built a Claude Code plugin for GDPR/DSGVO audits”.

This is not legal advice. Talk to a qualified attorney before acting on any audit output.

FAQ

Can Claude Code replace an attorney for GDPR/DSGVO audits? No. The workflow drafts the checklist and surfaces patterns. A qualified attorney signs off.

What can this workflow actually find? Obvious patterns: cookies before consent, third-party scripts in head, missing policy links, data export endpoints with no auth, logs capturing PII.

What is the input the model needs? Repo, list of third-party services, current privacy policy, one-page audit scope.

Is this safe to run on a client codebase? Only with explicit written permission and a data-handling agreement.

When should I skip this entirely? Skip it if you have no EU users, no EU data, and no recurring privacy-review need. If you have never had a privacy review, start with a qualified professional first.