Compliance teams and legal departments review a lot of privacy policies. Vendor onboarding, third-party audits, policy updates — each one is 10-20 pages of dense legal text. Reading through to check whether all required GDPR elements are present takes 30-45 minutes per document when done manually. And it’s easy to miss things, especially when you’re reviewing a dozen vendor policies in a week.
Built a workflow that scans any privacy policy PDF and returns a compliance score with a full gap analysis in about 15 seconds.
What it does
Privacy policy PDF dropped in Google Drive → extracts all GDPR-relevant elements → runs compliance checks → calculates score → logs to tracker → fires Slack alert if issues found
Takes about 12-15 seconds per document.
What gets checked
Data controller information:
- Company name, address, contact email
DPO (Data Protection Officer):
- Name and contact email — flags as a gap if missing
Data collected:
- Categories of data, specific types per category, purpose of collection
Legal bases for processing:
- Consent, legitimate interests, contract, legal obligation, etc.
- Flags as a gap if none are specified
Data retention:
- Retention periods per data type
Third parties:
- Name, purpose, and location for each third-party data recipient
- Count logged to tracker
User rights — 6 required under GDPR:
- Right to access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to object
- Right to withdraw consent
Each right checked as present or absent. Rights score calculated as a percentage of the 6 covered.
Additional checks:
- Consent mechanism described
- International transfer safeguards (SCCs, adequacy decisions, etc.)
- Breach notification policy present
Compliance gaps:
- Missing DPO contact
- No legal basis specified
- No breach notification policy
- International transfers without safeguards
- Missing user rights (listed individually)
Scoring
The Code node calculates a compliance score starting at 100 and deducting 10 points per gap identified.
Status assigned:
- 80-100 → Compliant
- 50-79 → Needs Attention
- Below 50 → Non-Compliant
Only documents whose status is not Compliant (Needs Attention or Non-Compliant) trigger a Slack alert. Compliant scans are logged silently.
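The gap detection and scoring described above, as an added stand-alone example (not the workflow's own Code node). The field names of the extracted object (dpo, legalBases, userRights, thirdParties, and so on) are assumed rather than taken from the workflow's PDF Vector schema; the sample input is constructed to reproduce the Slack alert shown further down.

```javascript
// Added example: compliance check mirroring the post's rules.
// Field names on the extracted object are assumptions, not the workflow's real schema.
const REQUIRED_RIGHTS = ["access", "rectification", "erasure", "portability", "objection", "withdrawConsent"];
const POINTS_PER_GAP = 10; // the "* 10" multiplier from the Code node

function analyzeCompliance(extracted) {
  const gaps = [];
  const hasDpo = Boolean(extracted.dpo && extracted.dpo.email);
  if (!hasDpo) gaps.push("Missing DPO contact information");
  if (!Array.isArray(extracted.legalBases) || extracted.legalBases.length === 0) {
    gaps.push("No legal basis specified");
  }
  if (!extracted.breachNotificationPolicy) gaps.push("No breach notification policy");
  if (extracted.internationalTransfers && !extracted.transferSafeguards) {
    gaps.push("International transfers without safeguards");
  }
  // Each of the 6 GDPR rights is present or absent; rights score is the covered percentage.
  const rights = extracted.userRights || {};
  const coveredRights = REQUIRED_RIGHTS.filter((r) => rights[r] === true);
  const missingRights = REQUIRED_RIGHTS.filter((r) => rights[r] !== true);
  if (missingRights.length > 0) gaps.push(`Missing user rights: ${missingRights.join(", ")}`);

  // Start at 100, deduct per gap, then bucket into the three statuses.
  const score = Math.max(0, 100 - gaps.length * POINTS_PER_GAP);
  const status = score >= 80 ? "Compliant" : score >= 50 ? "Needs Attention" : "Non-Compliant";
  return {
    company: extracted.company,
    score,
    status,
    rightsScore: Math.round((coveredRights.length / REQUIRED_RIGHTS.length) * 100),
    coveredRights,
    missingRights,
    gaps,
    thirdPartyCount: (extracted.thirdParties || []).length,
    hasDpo,
    internationalTransfers: Boolean(extracted.internationalTransfers),
    shouldAlert: status !== "Compliant", // Slack fires only when not Compliant
  };
}

// Constructed sample: the fictional vendor from the Slack alert example.
const SAMPLE_POLICY = {
  company: "Acme Analytics Ltd.",
  dpo: null,
  legalBases: ["consent", "contract"],
  breachNotificationPolicy: false,
  internationalTransfers: true,
  transferSafeguards: false,
  userRights: { access: true, rectification: true, erasure: true, portability: true },
  thirdParties: Array.from({ length: 8 }, (_, i) => ({ name: `Vendor ${i + 1}`, purpose: "hosting", location: "US" })),
};
// In an n8n Code node: return $input.all().map((item) => ({ json: analyzeCompliance(item.json) }));
```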
What lands in Slack (issues only)
🔒 GDPR Compliance Scan Complete
Company: Acme Analytics Ltd.
Policy Updated: January 2024
📊 Compliance Score: 60%
⚠️ Status: Needs Attention
👤 User Rights Score: 67%
✅ Covered: access, rectification, erasure, portability
❌ Missing: objection, withdrawConsent
🔍 Compliance Gaps (4):
Missing DPO contact information
No breach notification policy
Missing user rights: objection, withdrawConsent
International transfers without safeguards
🏢 Third Parties: 8
👨‍💼 Has DPO: No
🌍 International Transfers: Yes
📄 View Policy Document
Compliant policies are logged to Sheets with no Slack notification.
What lands in Google Sheets
Each row: Company, Last Updated, Compliance Score, Status, User Rights Score, Missing Rights, Gaps Found (count), Third Parties (count), Has DPO, International Transfers, Scanned Date
Filter by Status to see every non-compliant vendor at once. Sort by Compliance Score to prioritize remediation.
Setup
You’ll need:
- Google Drive (folder for privacy policy documents)
- Google Sheets (free)
- n8n instance (self-hosted — uses PDF Vector community node)
- PDF Vector account (free tier: 100 credits/month)
- Slack (for compliance alerts)
About 15 minutes to configure.
Download
Workflow JSON:
Full workflow collection:
Setup Guide
Step 1: Get your PDF Vector API key
Sign up at pdfvector.com — free plan works for testing. Go to API Keys and generate a key.
Step 2: Create your Google Drive folder
Create a folder called “Privacy Policies.” Copy the folder ID from the URL.
Step 3: Create your Google Sheet
Headers in Row 1:
Company | Last Updated | Compliance Score | Status | User Rights Score | Missing Rights | Gaps Found | Third Parties | Has DPO | International Transfers | Scanned Date
Step 4: Import the workflow
Download JSON from GitHub → n8n → Import from File.
Step 5: Configure the nodes
Google Drive Trigger:
- Connect Google Drive account (OAuth2)
- Paste your folder ID
- Event: File Created
Download Document:
- Same Google Drive credential
PDF Vector - Analyze Policy:
- Add new credential (Bearer Token)
- Paste your API key
Analyze Compliance:
- No config needed — scoring and gap detection run automatically
- To adjust the score deduction per gap, change the * 10 multiplier in the Code node
Log Compliance Scan:
- Connect Google Sheets
- Paste your Sheet ID
Alert Compliance Team:
- Connect Slack
- Select your compliance or legal channel
- Only fires when status is not “Compliant”
Step 6: Test it
Drop any company’s privacy policy PDF into your Drive folder. Check Slack and your Sheet after about 20 seconds.
Accuracy
Tested on GDPR-jurisdiction privacy policies from SaaS companies, e-commerce sites, and enterprise vendors.
- Company name, last updated date: ~97%
- Legal bases: ~92% — reliable when explicitly labeled; misses implied bases in narrative text
- User rights coverage: ~94% — works well when rights are listed in a dedicated section
- DPO contact detection: ~95%
- Third-party identification: ~88% — depends on how explicitly vendors are named vs described generically
- Compliance gap detection: ~85% — catches explicitly missing elements reliably; can’t assess vague or misleading policy language
Important caveat: this workflow identifies structural gaps — missing elements, missing rights, missing safeguard mentions. It does not assess whether a policy’s actual data practices are lawful or whether the stated practices match reality. For full legal review, treat this as a first-pass triage tool, not a legal opinion.
Cost
Each policy uses 3-4 PDF Vector credits. Free tier covers roughly 25-30 policies per month.
Customizing it
Adjust the scoring threshold:
In the Code node, change the score < 50 and score < 80 values to match your organization’s risk tolerance.
Add CCPA checks:
Extend the extraction prompt to also check for California CCPA requirements — right to know, right to delete, opt-out of sale. The schema can be extended with additional boolean fields.
Scheduled vendor reviews:
Build a companion workflow that reads your Sheets tracker weekly and flags any vendor whose policy hasn’t been rescanned in 90+ days.
Auto-request updated policy:
After the Slack alert node, add a Gmail node to automatically send a templated email to the vendor requesting an updated privacy policy when the score is below threshold.
Legal disclaimer
This workflow is a compliance screening tool, not legal advice. It identifies structural gaps in privacy policy documents based on common GDPR requirements. Organizations should consult qualified legal counsel for formal GDPR compliance assessments.
Questions? Drop a comment.
