Using Large Language Models to Identify GDPR Key Tasks in Business Processes

This is a master's thesis study that explores how to use large language models to automatically identify key tasks related to GDPR compliance in business processes, providing new ideas for the automation of data protection compliance.

• Original Author/Maintainer: MertenD
• Source Platform: GitHub
• Original Title: gripl-master-thesis
• Original Link: https://github.com/MertenD/gripl-master-thesis
• Source Publication/Update Time: 2026-06-03T08:44:38Z

---

Since the General Data Protection Regulation (GDPR) came into effect in 2018, it has imposed strict requirements on how enterprises handle personal data. However, many organizations face a core challenge in practice: how to systematically identify which links in their business processes involve GDPR compliance obligations. Traditional methods rely on manual audits, which are both time-consuming and prone to omissions. This study explores the use of large language models (LLMs) to automate this process, representing an innovative application of AI in the field of regulatory technology (RegTech).

The business processes of modern enterprises often involve a large number of data processing activities, from customer registration and order processing to after-sales service—almost every link may involve personal data. Manually sorting through these processes is not only labor-intensive but also requires professional knowledge to determine which activities fall within the scope of GDPR regulation.

GDPR includes numerous clauses covering multiple dimensions such as the legal basis for data processing, data subject rights, the principle of data minimization, and storage period restrictions. Accurately identifying which business process links touch on these requirements requires dual professional knowledge in law and technology.

Business processes are not static; they evolve continuously with business development. Manually maintaining compliance lists is difficult to keep up with this pace of change, which can easily lead to compliance blind spots.

Large language models, through pre-training on massive amounts of text, have strong semantic understanding capabilities. They can:

1. Understand natural language texts describing business processes
2. Identify personal data processing activities involved
3. Determine whether these activities comply with various GDPR requirements
4. Output structured compliance analysis results

The study may adopt the following technical path:

Data Preparation Phase

Collect and organize business process documents, including flowcharts, operation manuals, system descriptions, etc. These documents form the input for LLM analysis.

Prompt Engineering

Design specialized prompt templates to guide LLMs in identifying GDPR-related tasks. Prompts may include:

• Explanations of key GDPR clauses
• Examples of personal data types to focus on
• Specification requirements for output formats

Model Evaluation and Validation

Compare the identification results of LLMs with manual expert annotations, and calculate metrics such as accuracy and recall. Cross-validation may be used to ensure the reliability of the results.