Data Privacy & Compliance Review — by an AI council
Check how you handle personal data against GDPR / POPIA expectations. Four rival AIs debate it and hand back: A gap list against privacy principles with proportionate fixes.
A gap list against privacy principles with proportionate fixes.
Signed off by an independent Final QA audit — with a “verify before you rely on this” list, never a black box.
Why this team
Privacy reviews die of vagueness — “we take privacy seriously” — so the seats force specifics: the Privacy Counsel maps each data use to a lawful basis, the Compliance Officer checks the machinery that regulators actually inspect (records, requests, retention), and the Security Engineer verifies that the policy on paper matches what the systems do — the gap where most real breaches live. The Risk Officer ranks the exposure by what a complaint or audit would actually find, and the Pragmatist keeps the fixes proportionate to the team’s size, blocking the compliance-theatre checklist nobody maintains.
Each seat runs on a different frontier model — GPT, Claude, Gemini, Grok — so it’s a genuine cross-model review, not one AI in costumes. How a run works →
What the debate sounds like
An illustrative excerpt — A ten-person edtech startup storing student progress data has grown from one school to forty, added a US analytics vendor, and has never answered a deletion request because none has arrived yet.
Children’s educational data changes every default: consent flows through schools and parents, the lawful-basis analysis is stricter, and “legitimate interest” does far less work than the current policy assumes. The forty-school version of this company needs what the one-school version could improvise: a written basis per data use. Most will be fine — the point is knowing which ones are not.
The policy says data is deleted on school offboarding; the architecture says otherwise — analytics events flow to the US vendor and nothing in the described stack deletes on request there. That is the classic paper-practice gap: the deletion request that has never arrived will one day arrive, and the honest current answer is that it cannot be fully honoured. Fixing the vendor data path is engineering work; schedule it before the request, not after.
The cross-border transfer to the US vendor needs its paperwork checked now: what transfer mechanism is in the vendor contract, and does the vendor’s processing agreement actually cover children’s data? Schools increasingly send data-protection questionnaires before renewing — the next procurement round will ask, and “we assumed the vendor handles it” fails that questionnaire.
Questions
Which regulations does the review cover — GDPR, POPIA, others?
State the jurisdictions and frameworks in your brief and the debate runs against those expectations — the underlying principles (lawful basis, minimisation, retention, rights) are shared across GDPR, POPIA and their relatives, and the deliverable flags where your specific framework is stricter. It also says plainly that a qualified privacy professional should validate the result.
We’re small — do we honestly need this yet?
The review scales the answer honestly: for a small team the finding is usually “three real gaps and permission to ignore the rest for now” — the proportionate version, not the enterprise checklist. The trigger to run it is usually growth: new data types, new vendors, new markets, or bigger customers asking harder questionnaires.
What is a “paper-practice gap” and why does the review hunt it?
It is the distance between what your policy claims and what your systems do — deletion promised but not implemented, retention limits nobody automated, a vendor processing more than the contract says. Regulators and litigants both go straight for that gap, because it converts a policy into evidence.
Your material is used only to run your review — never to train public models. Encrypted in transit and at rest. Security & privacy →
Want full control — pick your own minds, set the depth? Open the full council →

