lawdit GDPR

A governance-focused GDPR discovery prototype that scans selected sources, redacts evidence, routes owners, supports human review, and records audit events.

Why this article exists

This project started from a plain risk: a one-time PII scan can find sensitive data and still leave nobody accountable for the decision. I used the prototype to model the whole governance loop around scattered personal-data evidence, from discovery to redacted review to audit.

Problem

Organizations often know personal data is spread across documents, tables, archives, email exports, images, and shared drives. The hard part is proving what was found, who owns the review, which action is allowed, and whether the workflow improved.

What shipped

Python backend, scanner pipeline, review workflow, audit events, evaluation metrics, OpenAPI contract, Vite/React console, Fumadocs user guide, and controlled public demo flow.

Evidence

The README exposes the live demo, user guide, API contract, repository map, validation commands, and project boundaries around deletion, legal advice, and production tenant integrations.

Inspect path

Inspect the README first, then `contracts/openapi.yaml`, the product docs, backend review/audit modules, and tests around evidence assembly and review decisions.

Boundary

Deletion is simulated, the project is not legal advice, and it does not claim production tenant-wide Microsoft 365 inventory or deletion integration.

What changed

The useful boundary became clearer: sensitive-data AI is only credible when review state, redaction, owner routing, and audit events stay visible.
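To make that boundary concrete, here is an added, hypothetical model of the governance loop (my own illustration, not the lawdit GDPR project's code): evidence is redacted before it is stored, an owner is routed by source, every step appends an audit event, and the simulated deletion is refused until a human review decision is on the record. The owner table, source names and the e-mail pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed routing table: which owner reviews findings from each source.
OWNERS = {"hr_export": "hr-data-owner", "shared_drive": "it-data-owner"}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")  # assumption: e-mail is the PII type


def redact(text: str) -> str:
    """Mask e-mail addresses so reviewers see evidence shape, never the value."""
    return EMAIL.sub("[REDACTED-EMAIL]", text)


@dataclass
class Finding:
    finding_id: str
    source: str
    evidence: str                 # redacted at creation; raw text is never kept
    owner: str
    state: str = "open"           # open -> reviewed -> actioned
    audit: list = field(default_factory=list)  # append-only event record


def discover(finding_id: str, source: str, raw_text: str) -> Finding:
    """Create a finding with redacted evidence and a routed owner."""
    f = Finding(finding_id, source, redact(raw_text), OWNERS.get(source, "privacy-office"))
    f.audit.append(("discovered", f.owner))
    return f


def review(f: Finding, reviewer: str, decision: str) -> Finding:
    """Record a human decision; only 'delete' or 'retain' are allowed."""
    if decision not in ("delete", "retain"):
        raise ValueError("decision must be 'delete' or 'retain'")
    f.state = "reviewed"
    f.audit.append(("reviewed", reviewer, decision))
    return f


def simulated_delete(f: Finding, actor: str) -> bool:
    """Refuse the action unless a 'delete' review decision is already recorded."""
    if not any(e[0] == "reviewed" and e[2] == "delete" for e in f.audit):
        f.audit.append(("action_refused", actor, "no review decision"))
        return False
    f.state = "actioned"
    f.audit.append(("deletion_simulated", actor))  # simulated, nothing is removed
    return True
```

The refusal is itself an audit event, so a skipped review leaves a visible trace rather than a silent no-op.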

Next question

Which review event should become impossible to skip before a sensitive-data system earns trust?

Open public repository

https://github.com/89325516/datasentinel-gdpr