Every regulation is a constraint. Every constraint couples your process to a standard. The gap between what you do and what the standard requires is measurable. Close the gap, reduce the risk. Same coupling logic as everywhere else — a missing connection between a requirement and a control is a missing edge in a graph. Find the missing edges and you have found the risk.
Regulations are a checklist. Your company is supposed to do certain things. Some of those things you actually do. Some you don’t. The gap between “supposed to” and “actually do” is what gets you fined.
We built a tool that maps requirements to controls. A requirement says “you must delete user data on request.” A control says “we have a cascade deletion system.” If the requirement has a control, you’re covered. If it doesn’t, that’s a gap.
We tested it on GDPR — 14 articles. Found 9 gaps. Ranked them by risk. The top three: no cascade deletion for erasure requests, no 72-hour breach notification workflow, no data protection impact assessment template. Each gap has a specific action item.
Same coupling logic as everywhere else. A regulation is a graph. Requirements connect to controls. A gap is a missing edge — a requirement with no control attached. Low coupling between what’s required and what’s implemented = risk.
Honest limit: this is a demonstration, not a product. We created both the regulation graph and the control inventory — the gaps are nodes we intentionally left unconnected. Real compliance requires NLP to extract requirements from legal text, expert judgment, and continuous monitoring. We do none of those. The value is the graph-based framing.
Regulations are a directed graph. Each article defines requirements. Each requirement connects to controls — the concrete things an organization does to satisfy it. A gap is a requirement with missing control edges: the regulation demands something, and no control covers it.
The analyzer builds this graph from a control inventory, maps controls to requirements, and reports every requirement that has zero or insufficient control coverage. Risk scoring weights gaps by the article's severity and the organization's exposure.
| Article | Subject | Status | Missing Controls |
|---|---|---|---|
| Art 5 | Principles | COVERED | — |
| Art 6 | Lawful Basis | COVERED | — |
| Art 7 | Consent | GAP | granular_consent_ui |
| Art 12 | Transparency | GAP | privacy_dashboard |
| Art 13 | Information | COVERED | — |
| Art 15 | Access Rights | GAP | automated_sar_portal |
| Art 17 | Erasure | GAP | cascade_deletion, backup_purge_process |
| Art 20 | Portability | GAP | machine_readable_export |
| Art 25 | Privacy by Design | COVERED | — |
| Art 28 | Processor | GAP | processor_audit_schedule |
| Art 30 | Records | GAP | ropa_tool |
| Art 32 | Security | COVERED | — |
| Art 33 | Breach Notification | GAP | 72hr_breach_workflow |
| Art 35 | Impact Assessment | GAP | dpia_template |
Gaps ranked by risk score. Highest-risk items have the largest regulatory exposure and the most missing controls.
| # | Article | Risk | Action |
|---|---|---|---|
| 1 | Art 17 — Erasure | HIGH | Build cascade deletion across all datastores; define backup purge process with retention schedule |
| 2 | Art 33 — Breach | HIGH | Implement 72-hour breach notification workflow with authority contact templates |
| 3 | Art 35 — DPIA | HIGH | Create data protection impact assessment template; integrate into project launch process |
| 4 | Art 12 — Transparency | MED | Build privacy dashboard showing data held, processing purposes, retention periods |
| 5 | Art 15 — Access | MED | Deploy automated subject access request portal with identity verification |
| 6 | Art 30 — Records | MED | Deploy records of processing activities tool; assign data owners per activity |
| 7 | Art 28 — Processor | MED | Schedule annual processor audits; add audit rights clause to processor agreements |
| 8 | Art 7 — Consent | LOW | Implement granular consent UI with per-purpose toggles |
| 9 | Art 20 — Portability | LOW | Add machine-readable data export (JSON/CSV) to user account settings |
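As an added example (not the authors' tool), the structural check described above in Python: requirements and controls are nodes, a requirement's required-control set is its set of expected incoming edges, and a gap is any requirement with at least one missing edge. The per-article required-control sets, the control inventory and the severity weights are constructed so that the run reproduces the 9 gaps and 5 covered articles in the coverage table; the per-article `exposure` multiplier is a hypothetical hook for the organisation-specific factor the text mentions.

```python
"""Graph-based compliance gap check (added example; data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    article: str
    subject: str
    required_controls: frozenset  # control ids that must exist in the inventory
    severity: int                 # assumed weighting: 3 = high, 2 = medium, 1 = low


# Constructed regulation graph: each article lists the controls that satisfy it.
# Control names for the gaps follow the page's coverage table; the rest are assumed.
REQUIREMENTS = [
    Requirement("Art 5", "Principles", frozenset({"data_minimisation_policy"}), 2),
    Requirement("Art 6", "Lawful Basis", frozenset({"lawful_basis_register"}), 2),
    Requirement("Art 7", "Consent", frozenset({"consent_log", "granular_consent_ui"}), 1),
    Requirement("Art 12", "Transparency", frozenset({"privacy_notice", "privacy_dashboard"}), 2),
    Requirement("Art 13", "Information", frozenset({"privacy_notice"}), 2),
    Requirement("Art 15", "Access Rights", frozenset({"manual_sar_process", "automated_sar_portal"}), 2),
    Requirement("Art 17", "Erasure", frozenset({"cascade_deletion", "backup_purge_process"}), 3),
    Requirement("Art 20", "Portability", frozenset({"machine_readable_export"}), 1),
    Requirement("Art 25", "Privacy by Design", frozenset({"secure_sdlc_checklist"}), 2),
    Requirement("Art 28", "Processor", frozenset({"processor_contracts", "processor_audit_schedule"}), 2),
    Requirement("Art 30", "Records", frozenset({"ropa_tool"}), 2),
    Requirement("Art 32", "Security", frozenset({"encryption_at_rest", "access_control_policy"}), 3),
    Requirement("Art 33", "Breach Notification", frozenset({"72hr_breach_workflow"}), 3),
    Requirement("Art 35", "Impact Assessment", frozenset({"dpia_template"}), 3),
]

# Constructed control inventory: what the organisation says it has in place.
INVENTORY = {
    "data_minimisation_policy", "lawful_basis_register", "consent_log",
    "privacy_notice", "manual_sar_process", "secure_sdlc_checklist",
    "processor_contracts", "encryption_at_rest", "access_control_policy",
}


def find_gaps(requirements, inventory):
    """Map each requirement with a missing edge to its sorted list of missing controls."""
    gaps = {}
    for req in requirements:
        missing = req.required_controls - inventory
        if missing:
            gaps[req.article] = sorted(missing)
    return gaps


def risk_score(req, missing_count, exposure=1.0):
    """Severity times number of missing edges, scaled by an organisation exposure factor."""
    return req.severity * missing_count * exposure


def risk_label(score):
    """Collapse a numeric score into the HIGH / MED / LOW bands used in the ranked table."""
    if score >= 3:
        return "HIGH"
    return "MED" if score >= 2 else "LOW"


def rank_gaps(requirements, inventory, exposure=None):
    """Return (article, score, missing_controls) tuples, highest risk first."""
    exposure = exposure or {}          # hypothetical per-article multipliers, default 1.0
    gaps = find_gaps(requirements, inventory)
    by_article = {r.article: r for r in requirements}
    ranked = [
        (article, risk_score(by_article[article], len(missing), exposure.get(article, 1.0)), missing)
        for article, missing in gaps.items()
    ]
    ranked.sort(key=lambda t: -t[1])   # stable sort keeps article order within a band
    return ranked


def coverage_table(requirements, inventory):
    """One (article, subject, status, missing) row per requirement, like the coverage table."""
    gaps = find_gaps(requirements, inventory)
    return [
        (req.article, req.subject, "GAP" if req.article in gaps else "COVERED",
         ", ".join(gaps.get(req.article, [])) or "-")
        for req in requirements
    ]


if __name__ == "__main__":
    for row in coverage_table(REQUIREMENTS, INVENTORY):
        print("| {} | {} | {} | {} |".format(*row))
    for i, (article, score, missing) in enumerate(rank_gaps(REQUIREMENTS, INVENTORY), 1):
        print(f"{i}. {article} {risk_label(score)} ({score}) missing: {', '.join(missing)}")
```

Note what the check does and does not see: adding `"72hr_breach_workflow"` to `INVENTORY` closes the Art 33 gap immediately, because the only test is whether the edge exists. A control that is listed but never exercised, or implemented badly, still reads as COVERED; that is the coverage-versus-quality distinction the limitations section draws, and nothing in a connectivity check can detect it.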
The model requires manual control inventory input. Someone has to tell it what controls exist — it inspects a list, not a live system. The gap detection is structural: it checks graph connectivity between requirements and controls. It is not semantic. It cannot read regulation text and extract requirements automatically.
This means it catches gaps in coverage (requirement X has no control mapped to it) but not gaps in quality (control Y exists but is poorly implemented). The first is a graph problem. The second is an audit problem. This tool does the graph part.
10P honest assessment: this is a demonstration, not a research result. We created both the regulation graph and the control inventory — the gaps are nodes we intentionally left unconnected. The 369K articles/sec speed is iterating a 14-item Python dictionary, which any language can do in microseconds. Real compliance requires NLP to extract requirements from legal text, expert judgment to map controls, continuous monitoring, and cross-jurisdiction conflict detection. We do none of these. The value here is the graph-based framing and prioritization method, not the implementation.