AI Compliance Checker — GDPR, HIPAA & SOC 2
Compliance frameworks like GDPR, HIPAA, and SOC 2 are complex, expensive to get wrong, and often poorly understood by the engineering and product teams who need to implement them. AI can serve as a compliance research partner: explaining what each framework actually requires in plain language, generating gap analysis checklists for your specific product, helping you prioritize which controls to implement first, and drafting the policies and documentation that auditors want to see. This guide shows a practical workflow for startups and technical teams navigating compliance for the first time.
1. Determine Which Compliance Frameworks Apply to You
The first — and often skipped — step is figuring out which frameworks you actually need to comply with. Many startups over-invest in frameworks they don't need while missing the ones they do. AI can help you navigate this based on your actual product and customer base.
Help me determine which compliance frameworks apply to my product and in what priority order.

**My Product:**
- Product description: [What does your product do in 2-3 sentences?]
- Product type: [SaaS / Mobile app / API / On-premise software / Hardware device / Other]
- Stage: [Pre-launch / Early stage (<100 customers) / Growth (100-10K customers) / Scale (10K+ customers)]

**My Customers:**
- Primary customer type: [Consumers (B2C) / Businesses (B2B) / Healthcare organizations / Government / Mixed]
- Customer geography: [US only / EU included / UK / Canada / Global]
- Industries my customers are in: [list the primary industries — healthcare, finance, education, government, etc.]

**Data I Handle:**
- [ ] Personal data of EU/UK residents (triggers GDPR)
- [ ] Personal data of California residents (may trigger CCPA)
- [ ] Protected Health Information — patient data, medical records, insurance info (triggers HIPAA)
- [ ] Payment card data — credit/debit card processing (triggers PCI DSS)
- [ ] Financial account data (may trigger SOX, GLBA, PSD2)
- [ ] Children's data (users under 13) (triggers COPPA in US, specific GDPR provisions in EU)
- [ ] Federal government data (may trigger FedRAMP)
- [ ] Other sensitive data: [describe]

**My Sales Context:**
- Are customers or prospects asking for compliance certifications? [Yes / No — if yes, which ones?]
- Am I selling to enterprise customers? [Yes / No — enterprise often requires SOC 2]
- Am I selling to healthcare organizations? [Yes / No — HIPAA BAA often required]
- Am I selling to financial institutions? [Yes / No]

Please:
1. List the compliance frameworks that apply to me, with a clear explanation of WHY each applies
2. Flag any frameworks I might be required to comply with that aren't on my radar
3. Prioritize them: which are legally required vs. commercially expected vs. just good practice?
4. Identify any quick-win compliance actions I should take immediately regardless of full framework implementation
5. Tell me which framework to tackle first given my stage and customer profile
Tip: HIPAA applies if you handle 'Protected Health Information' (PHI) — this is broader than many people think. It's not just medical records. If your app helps track medications, connects to electronic health records, or handles any data that could be linked to a person's health status, HIPAA is likely in scope. And HIPAA compliance is required not just of covered entities (hospitals, insurers) but of their business associates — meaning any SaaS product handling PHI on behalf of a covered entity needs a signed Business Associate Agreement (BAA) and must comply with the HIPAA Security Rule.
2. Run a GDPR Compliance Gap Analysis
GDPR applies to any organization processing personal data of EU or UK residents — regardless of where the organization is based. This step uses AI to generate a gap analysis checklist specific to your product and identify what you need to implement.
Run a GDPR compliance gap analysis for my product. I'll describe my current state, and I want you to identify specific gaps and what I need to implement.

**My Product and Data Processing:**
[Describe your product, what personal data you collect from EU users, and how you use it]

**Current State Assessment — Answer Yes, No, or Partial for each:**

Lawful Basis and Consent:
- [ ] I have identified a lawful basis for each type of personal data processing (consent / contract / legitimate interest / legal obligation / vital interests / public task)
- [ ] If relying on consent: I have a proper consent mechanism (not pre-ticked boxes, specific, informed, freely given, revocable)
- [ ] I have a Record of Processing Activities (RoPA) documenting all processing activities

Transparency:
- [ ] My privacy policy covers all GDPR-required disclosures
- [ ] I inform users at the time of data collection what data is collected and why
- [ ] I disclose all third-party processors I use

Data Subject Rights:
- [ ] Users can access their personal data (Subject Access Request process exists)
- [ ] Users can correct inaccurate data
- [ ] Users can request deletion of their data ('right to be forgotten')
- [ ] Users can request data portability (export in machine-readable format)
- [ ] Users can object to processing
- [ ] I have a process to respond to data subject requests within 30 days

Data Security:
- [ ] I have appropriate technical security measures (encryption at rest + in transit, access controls, etc.)
- [ ] I have a documented data breach response procedure
- [ ] I can detect and report a data breach to the relevant supervisory authority within 72 hours
- [ ] I have a process to notify affected individuals of high-risk breaches

Data Minimization and Retention:
- [ ] I only collect data I actually need (data minimization principle)
- [ ] I have defined retention periods for each data category and actually delete data after those periods

Third Parties:
- [ ] I have Data Processing Agreements (DPAs) with all third-party processors (AWS, Stripe, Google Analytics, etc.)
- [ ] Any transfers of EU data to non-EU countries comply with transfer mechanisms (Standard Contractual Clauses, adequacy decisions, etc.)

For each gap:
1. Explain what's required and why
2. Rate the risk level: Critical (can result in fines) / Important / Best Practice
3. Tell me what I need to implement to close this gap
4. Estimate the implementation effort: Low (a few hours) / Medium (days) / High (weeks+)

Prioritize the gaps by risk level so I know where to start.

Tip: The GDPR fine structure is tiered: up to €10M or 2% of global annual turnover for less serious violations, and up to €20M or 4% of global annual turnover for the most serious (like violating the basic principles of processing or data subject rights). In practice, regulators tend to focus enforcement on large companies with systematic violations — but small companies have been fined, especially for security breaches. The 72-hour breach notification requirement is the most operationally urgent to implement because it requires a process that can move fast when needed.
3. Build a HIPAA or SOC 2 Compliance Roadmap
HIPAA and SOC 2 are the two frameworks most commonly required by enterprise customers. Use AI to build a practical implementation roadmap — not a theoretical checklist but a prioritized, effort-estimated action plan.
Help me build a compliance implementation roadmap for [HIPAA / SOC 2 Type II / both].

**My Current State:**
- Company size: [number of employees]
- Engineering team size: [number]
- Current infrastructure: [AWS / GCP / Azure / other — and key services used]
- Current security posture: [We have basically nothing / We have some basics like MFA and encryption / We have a documented security program]
- Timeline goal: [I need to be compliant/certified in X months]
- Budget available for compliance tools and external help: [$X]

[Choose HIPAA or SOC 2 or both below]

**For HIPAA:**
We handle PHI for: [describe the health data and which covered entities you work with]
We currently have a signed BAA with our subprocessors: [Yes/No]

**For SOC 2:**
Trust Service Criteria I need: [Security (required for all) / Availability / Confidentiality / Processing Integrity / Privacy]
Audit firm I'm working with or considering: [name or 'not selected yet']
Type I or Type II: [Type I = point-in-time assessment / Type II = 6-12 month observation period]

Please build a compliance roadmap with:

**Phase 1 — Foundation (Weeks 1-4): Critical controls**
What must be in place immediately? List specific technical and administrative controls.

**Phase 2 — Core Program (Months 1-3): Build the security program**
Policies, procedures, and technical controls to document and implement.

**Phase 3 — Evidence Collection (Months 3-6): Audit preparation**
For SOC 2: The evidence you need to collect over the observation period.
For HIPAA: Documentation required for a HIPAA audit or OCR investigation.

**Phase 4 — Assessment/Audit Readiness**
What the auditor will look at and how to prepare.

For each phase:
- List specific tasks with estimated effort (hours/days)
- Identify which tasks require specialized tooling (and suggest tools)
- Flag tasks that require external help (lawyer, auditor, pen testing firm)
- Identify quick wins: controls that provide high compliance value for low implementation effort

Also: What are the 5 most common gaps that cause companies to fail or get findings in [HIPAA / SOC 2] assessments?
Tip: For SOC 2, the most common mistake startups make is waiting until they have a customer demanding it before starting the process. SOC 2 Type II requires a 6-12 month observation period where auditors verify your controls were operating consistently — you can't retroactively create that history. Start building the program when you think enterprise customers might ask in the next 12 months, not when they're already asking. For HIPAA, the Business Associate Agreement (BAA) is often the first blocker — sign BAAs with your cloud provider, database provider, and any other service that touches PHI before you onboard a covered entity customer.
4. Draft Compliance Policies and Documentation
Both auditors and regulators want to see documented policies, not just implemented controls. AI can draft the core policy documents that compliance frameworks require — information security policy, incident response plan, access control policy, and others — based on your specific infrastructure and practices.
Help me draft core compliance policy documents. I'll specify my environment and practices; generate documents that are accurate to my situation, not generic templates.

**My Environment:**
- Cloud infrastructure: [AWS / GCP / Azure — which services: EC2/S3/RDS or equivalent]
- Authentication: [We use SSO via Okta/Google Workspace / Email + password + MFA / Other]
- Code management: [GitHub / GitLab / Bitbucket — private repos]
- Employee count: [number]
- Remote/office: [Fully remote / Hybrid / Office-based]
- Data classification: [What types of sensitive data do we handle?]

**Document 1: Information Security Policy**
Draft a company information security policy covering:
- Purpose and scope
- Information classification (public / internal / confidential / restricted)
- Access control principles (least privilege, need-to-know, role-based access)
- Password and authentication requirements
- Device security requirements (laptops, mobile devices)
- Remote work security
- Data handling requirements by classification
- Acceptable use policy
- Incident reporting obligations
- Employee responsibilities
- Consequences of policy violation

**Document 2: Incident Response Plan**
Draft an incident response plan covering:
- Incident classification (P1/P2/P3/P4 by severity)
- Detection and initial triage process
- Escalation path and contact list (with [PLACEHOLDER] for names)
- Containment and eradication steps
- Evidence preservation
- Communication plan (internal / customers / regulators / public)
- For GDPR: 72-hour supervisory authority notification process
- Post-incident review and lessons learned
- Practice drill schedule

**Document 3: Access Control and Offboarding Policy**
Draft an access control policy covering:
- Access provisioning process for new employees
- Role-based access principles
- Access review frequency (quarterly review)
- Offboarding checklist — account termination within [24/48/72 hours]
- Privileged access management (admin accounts)
- Third-party vendor access management

For each document:
- Use [PLACEHOLDER] for specific names, contact info, and tool names I need to fill in
- Keep it practical and achievable for a company of my size
- Include a version number and 'last reviewed' date field
- Flag any section where I need legal review before finalizing
Tip: Compliance policies are only useful if employees actually know about and follow them. After drafting, do two things: (1) add a simple acknowledgment step where employees sign that they've read and understood each policy — this is required by SOC 2 and HIPAA, and (2) build the most important requirements into technical controls rather than relying on people following written rules. 'We require MFA' as policy language means nothing if MFA isn't technically enforced. Where possible, make compliance the path of least resistance.
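The tip above says policy language means nothing unless it is technically enforced. As an added example (not code from this guide), here is how two of the Document 3 requirements, MFA and account termination within [24/48/72 hours], become checks that run over an identity-provider export and produce evidence an auditor can read; the record fields, the fictional users and the 48-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider export with fictional users (not real data).
# Field names and the 48-hour offboarding window are assumptions for this example.
USERS = [
    {"user": "ana", "mfa": True, "active": True, "terminated_at": None, "disabled_at": None},
    {"user": "ben", "mfa": False, "active": True, "terminated_at": None, "disabled_at": None},
    {"user": "cara", "mfa": True, "active": False, "terminated_at": "2024-03-01T09:00:00",
     "disabled_at": "2024-03-02T10:00:00"},
    {"user": "dan", "mfa": True, "active": False, "terminated_at": "2024-03-01T09:00:00",
     "disabled_at": "2024-03-05T08:00:00"},
    {"user": "eve", "mfa": False, "active": True, "terminated_at": "2024-03-01T09:00:00",
     "disabled_at": None},
]
OFFBOARDING_SLA = timedelta(hours=48)  # substitute the value chosen in [24/48/72 hours]

def check_mfa(users):
    """Policy 'MFA is required': flag every active account without MFA enrolled."""
    return [u["user"] for u in users if u["active"] and not u["mfa"]]

def check_offboarding(users, now, sla=OFFBOARDING_SLA):
    """Policy 'accounts are disabled within the SLA after termination'."""
    # `now` is the ISO-8601 evidence-snapshot time, so results are reproducible for an auditor.
    snapshot = datetime.fromisoformat(now)
    findings = []
    for u in users:
        if not u["terminated_at"]:
            continue  # never terminated, nothing to check
        term = datetime.fromisoformat(u["terminated_at"])
        if u["disabled_at"] is None:
            if snapshot - term > sla:
                findings.append((u["user"], "still enabled past SLA"))
        else:
            lag = datetime.fromisoformat(u["disabled_at"]) - term
            if lag > sla:
                findings.append((u["user"], f"disabled {lag} after termination"))
    return findings

def run_checks(users, now):
    """One finding list per control; an empty list is the evidence that the control held."""
    return {"mfa_missing": check_mfa(users), "offboarding_late": check_offboarding(users, now)}

if __name__ == "__main__":
    for control, findings in run_checks(USERS, "2024-03-10T00:00:00").items():
        print(control, "PASS" if not findings else findings)
```

Run on a schedule and keep the output per run: a series of empty finding lists over the observation period is exactly the kind of operating-effectiveness evidence a SOC 2 Type II auditor asks for.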
5. Research Current Compliance Requirements and Enforcement Trends
Compliance regulations evolve, enforcement priorities shift, and new guidance gets issued. Use Perplexity to stay current: what regulators are actually enforcing right now, which recent cases you should know about, and whether any rules have changed in your area.
I need current information about compliance enforcement and regulatory updates in [GDPR / HIPAA / SOC 2 / CCPA — pick the relevant ones for your situation].

**Research Questions:**

**GDPR Enforcement (if applicable):**
1. What have been the most significant GDPR enforcement actions in the last 12-18 months? What violations were cited?
2. Which supervisory authorities (EU member state regulators) have been most active in enforcement?
3. What industries or practices have been the focus of recent enforcement?
4. Are there any recent GDPR guidance documents or court decisions that have clarified requirements I should know about?
5. What is the current enforcement posture regarding [specific area relevant to me: cookie consent / AI-generated data / cross-border data transfers / etc.]?

**HIPAA Enforcement (if applicable):**
6. What HIPAA enforcement actions has OCR (Office for Civil Rights) taken in the last year? What were the violations?
7. Are there any current OCR audit priorities I should be aware of?
8. Have there been any recent HIPAA rule changes or new guidance affecting [health apps / telehealth / cloud services / etc.]?

**SOC 2 Changes:**
9. Are there any updates to the AICPA Trust Services Criteria that affect SOC 2 requirements?
10. What emerging areas are auditors increasingly scrutinizing in SOC 2 audits?

**Emerging Compliance Obligations:**
11. Are there any new state privacy laws that came into effect recently or are coming soon that I should be tracking?
12. Are there any AI-specific compliance requirements or guidance coming from regulators (EU AI Act, FTC guidance, etc.)?

For each finding, please cite the source and date so I can verify and track changes.
Tip: Regulatory enforcement trends tell you what to prioritize. If EU regulators are currently running a sweep on cookie consent compliance, that's a higher-urgency item than a theoretical risk area. Following enforcement actions also teaches you what 'compliant' actually looks like in practice — regulators often publish detailed findings that effectively serve as implementation guidance. Subscribe to the IAPP (International Association of Privacy Professionals) daily digest for free regulatory news if privacy compliance is ongoing for you.
Recommended Tools for This Scenario
ChatGPT
The AI assistant that started the generative AI revolution
- GPT-4o multimodal model with text, vision, and audio
- DALL-E 3 image generation
- Code Interpreter for data analysis and visualization
Claude
Anthropic's AI assistant built for thoughtful analysis and safe, nuanced conversations
- 200K token context window for massive document processing
- Artifacts — interactive side-panel for code, docs, and visualizations
- Projects with persistent context and custom instructions
Perplexity
AI-powered search engine that answers questions with cited sources
- Real-time web search with inline source citations
- Pro Search multi-step deep research automation
- Multiple model options (Sonar, GPT-4o, Claude)
Frequently Asked Questions
Do I really need to comply with GDPR if I'm a US company?
What's the difference between SOC 2 Type I and Type II?
Can AI-generated compliance documentation satisfy an auditor?
Is this legal or compliance advice?