Regulations are a directed graph. Each article defines requirements. Each requirement connects to controls — the concrete things an organization does to satisfy it. A gap is a requirement with missing control edges: the regulation demands something, and no control covers it.
The analyzer builds this graph from a control inventory, maps controls to requirements, and reports every requirement that has zero or insufficient control coverage. Risk scoring weights gaps by the article's severity and the organization's exposure.
| Article | Subject | Status | Missing Controls |
|---|---|---|---|
| Art 5 | Principles | COVERED | — |
| Art 6 | Lawful Basis | COVERED | — |
| Art 7 | Consent | GAP | granular_consent_ui |
| Art 12 | Transparency | GAP | privacy_dashboard |
| Art 13 | Information | COVERED | — |
| Art 15 | Access Rights | GAP | automated_sar_portal |
| Art 17 | Erasure | GAP | cascade_deletion, backup_purge_process |
| Art 20 | Portability | GAP | machine_readable_export |
| Art 25 | Privacy by Design | COVERED | — |
| Art 28 | Processor | GAP | processor_audit_schedule |
| Art 30 | Records | GAP | ropa_tool |
| Art 32 | Security | COVERED | — |
| Art 33 | Breach Notification | GAP | 72hr_breach_workflow |
| Art 35 | Impact Assessment | GAP | dpia_template |
Gaps are ranked by risk score. The highest-risk items combine the largest regulatory exposure with the most missing controls.
| # | Article | Risk | Action |
|---|---|---|---|
| 1 | Art 17 — Erasure | HIGH | Build cascade deletion across all datastores; define backup purge process with retention schedule |
| 2 | Art 33 — Breach | HIGH | Implement 72-hour breach notification workflow with authority contact templates |
| 3 | Art 35 — DPIA | HIGH | Create data protection impact assessment template; integrate into project launch process |
| 4 | Art 12 — Transparency | MED | Build privacy dashboard showing data held, processing purposes, retention periods |
| 5 | Art 15 — Access | MED | Deploy automated subject access request portal with identity verification |
| 6 | Art 30 — Records | MED | Deploy records of processing activities tool; assign data owners per activity |
| 7 | Art 28 — Processor | MED | Schedule annual processor audits; add audit rights clause to processor agreements |
| 8 | Art 7 — Consent | LOW | Implement granular consent UI with per-purpose toggles |
| 9 | Art 20 — Portability | LOW | Add machine-readable data export (JSON/CSV) to user account settings |
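The graph model described at the top and the ranking above, as an added example that is not the page's analyzer: a subset of the page's articles is encoded as requirement nodes with required-control edges, a control inventory supplies the existing nodes, and the ranking follows a constructed score. The control names for COVERED articles, the severity and exposure weights, and the score formula are assumptions; the missing-control names are taken from the gap table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """Requirement node: the controls that satisfy it and a gap severity (1..3)."""
    article: str
    subject: str
    controls: tuple   # required control edges
    severity: int     # constructed weight, not from the page


# Constructed subset of the page's articles. Control names for COVERED articles
# are assumptions; the missing-control names match the page's gap table.
REQUIREMENTS = [
    Requirement("Art 5", "Principles", ("data_minimisation_policy",), 2),
    Requirement("Art 7", "Consent", ("consent_log", "granular_consent_ui"), 1),
    Requirement("Art 17", "Erasure",
                ("deletion_api", "cascade_deletion", "backup_purge_process"), 3),
    Requirement("Art 32", "Security", ("encryption_at_rest", "access_control"), 3),
    Requirement("Art 33", "Breach Notification", ("72hr_breach_workflow",), 3),
]

# Control inventory: the nodes the organisation asserts it has (constructed).
INVENTORY = {"data_minimisation_policy", "consent_log", "deletion_api",
             "encryption_at_rest", "access_control"}

# Organisational exposure per article, 1..3 (constructed; unlisted articles get 1).
EXPOSURE = {"Art 17": 3, "Art 33": 2, "Art 7": 1}


def find_gaps(requirements, inventory):
    """Return {article: [missing controls]} for every requirement lacking an edge."""
    gaps = {}
    for req in requirements:
        missing = [c for c in req.controls if c not in inventory]
        if missing:
            gaps[req.article] = missing
    return gaps


def risk_score(req, missing, exposure):
    """Constructed formula: severity x exposure x number of missing controls."""
    return req.severity * exposure * len(missing)


def rank_gaps(requirements, inventory, exposure):
    """List of (score, article, missing) sorted highest risk first."""
    by_article = {r.article: r for r in requirements}
    gaps = find_gaps(requirements, inventory)
    ranked = [(risk_score(by_article[a], m, exposure.get(a, 1)), a, m)
              for a, m in gaps.items()]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for score, art, missing in rank_gaps(REQUIREMENTS, INVENTORY, EXPOSURE):
        print(f"{art:7} risk={score:2}  missing={', '.join(missing)}")
```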
The model requires manual control inventory input. Someone has to tell it what controls exist — it inspects a list, not a live system. The gap detection is structural: it checks graph connectivity between requirements and controls. It is not semantic. It cannot read regulation text and extract requirements automatically.
This means it catches gaps in coverage (requirement X has no control mapped to it) but not gaps in quality (control Y exists but is poorly implemented). The first is a graph problem. The second is an audit problem. This tool does the graph part.
MM10P honest assessment: this is a demonstration, not a research result. We created both the regulation graph and the control inventory — the gaps are nodes we intentionally left unconnected. The 369K articles/sec speed is iterating a 14-item Python dictionary, which any language can do in microseconds. Real compliance requires NLP to extract requirements from legal text, expert judgment to map controls, continuous monitoring, and cross-jurisdiction conflict detection. We do none of these. The value here is the graph-based framing and prioritization method, not the implementation.