Compliance & Regulatory Automation

Last verified: 14 February 2026 | Applies to: Pro, Max, Team, Enterprise (Legal plugin required for full workflow)

In 30 seconds

Compliance work is repetitive, high-stakes, and expensive to outsource. Claude with the Legal plugin can review your policies against regulatory frameworks (GDPR, SOC 2, HIPAA, ISO 27001), flag gaps, generate remediation plans, and produce audit-ready evidence documents. It does not replace your compliance officer or external auditor — but it cuts the grunt work from weeks to hours and catches gaps humans miss on the third read-through.

Prerequisites

• Claude Desktop with Cowork enabled (Pro or above)
• The Legal plugin installed from claude.com/plugins or the Cowork interface
• Your existing policies, procedures, or controls documentation (PDF, Word, or plain text)
• Knowledge of which regulatory framework(s) apply to your business

What it does

Claude handles three categories of compliance work:

Category	What Claude does	Time saved
Gap analysis	Compares your policies against a framework’s requirements and flags missing or insufficient controls	Days → hours
Evidence generation	Produces formatted compliance documents, control descriptions, and risk assessments	Hours → minutes per document
Ongoing monitoring	Reviews updated policies for continued compliance, flags new gaps introduced by changes	Continuous

How to set it up

Gap analysis: GDPR

Upload your privacy policy, data processing procedures, and any existing GDPR documentation. Then run the analysis.

I'm uploading our company's privacy policy, data processing agreement template, and internal data handling procedures. Review these against the full GDPR requirements. For each GDPR article, assess whether our documentation adequately addresses the requirement. Use this format:

- Article number and name
- Requirement summary
- Status: COMPLIANT / PARTIAL / GAP
- Evidence: which of our documents addresses this (with specific section references)
- If PARTIAL or GAP: what's missing and what we need to do

Focus on the requirements most likely to be examined in a supervisory authority audit.

Claude produces a structured gap analysis that typically runs 15-30 pages depending on how many documents you provide. The output is specific — it does not just say “you need a data retention policy.” It says “Article 5(1)(e) requires a defined retention period for each data category. Your privacy policy mentions ‘reasonable period’ but does not specify retention schedules per data type. Remediation: create a data retention schedule covering all personal data categories processed.”

Gap analysis: SOC 2

Review our security policies against SOC 2 Type II Trust Services Criteria. I'm uploading our:
1. Information security policy
2. Access control procedures
3. Incident response plan
4. Change management process
5. Vendor management policy

For each Trust Services Criterion (CC1 through CC9, plus the availability, processing integrity, confidentiality, and privacy criteria), assess our coverage. Flag any criteria where our documentation is missing, vague, or wouldn't satisfy an auditor.

Gap analysis: HIPAA

We're a health tech company that processes protected health information (PHI). Review our HIPAA compliance documentation against the Security Rule, Privacy Rule, and Breach Notification Rule. I'm uploading our:
1. HIPAA security policy
2. Privacy practices notice
3. BAA template
4. Breach response procedures

For each standard and implementation specification, rate us as: ADDRESSED / PARTIALLY ADDRESSED / NOT ADDRESSED. For anything not fully addressed, provide the specific regulatory citation and a plain-language description of what we need to add.

Generate audit evidence

Once you have identified gaps, Claude can generate the remediation documents.

Based on the GDPR gap analysis, generate the following documents:
1. A data retention schedule covering all personal data categories we process (use the categories from our privacy policy)
2. A data subject rights procedure — step-by-step process for handling access, deletion, portability, and rectification requests, with response timelines per GDPR requirements
3. A data protection impact assessment (DPIA) template we can use for new projects

Each document should be formatted for audit review: include document owner, version number, effective date, review date, and approval signature block.

Ongoing policy review

When you update policies, run them past Claude before finalising.

We've updated our information security policy. Compare the new version (attached) against the previous version and our SOC 2 gap analysis from last month. Flag:
1. Any SOC 2 requirements that were previously covered but are now weakened or missing in the new version
2. Any new content that addresses previously identified gaps
3. Any internal inconsistencies in the updated document

How operators actually use it

What operators say

“We spent $35,000 on a SOC 2 readiness assessment from a consultancy. Six months later, I ran our updated policies through Claude and it found three gaps the consultants missed — including a missing sub-processor notification procedure that would have been flagged in the actual audit.”

“GDPR compliance used to be a quarterly fire drill. Now I run our policies through Claude after every material change. The gap analysis takes 20 minutes instead of a two-day review cycle. Our DPO still signs off, but she’s reviewing Claude’s analysis rather than doing the entire assessment manually.”

Before this workflow: Compliance reviews happen infrequently (quarterly or annually), cost thousands in consultant fees, and still miss things because humans skim long documents.

After this workflow: You run gap analyses after every policy change, generate remediation documents in minutes, and go into audits with structured evidence that maps directly to regulatory requirements. Your compliance posture improves because you review more often, not less.

Building a compliance library

For organisations managing multiple frameworks, use Cowork to build a structured compliance library:

Create a compliance evidence folder structure for our organisation. We need to maintain evidence against GDPR, SOC 2 Type II, and our internal ISO 27001 controls. Create:
1. A master controls matrix that maps our controls across all three frameworks (many controls satisfy multiple frameworks)
2. A folder structure for evidence documents, organised by control family
3. A review schedule showing when each control needs re-assessment

Save everything in the compliance/ folder.

What to watch out for

Caution

• Claude is not a qualified auditor. Use Claude for preparation and analysis, not as a substitute for professional compliance advice. External auditors assess your actual practices, not just your documentation — Claude only sees what you upload.
• Regulatory knowledge has a cut-off. Claude’s training data has a knowledge cut-off. If a regulation has been amended recently, verify Claude’s interpretation against the current text. This is especially relevant for fast-moving areas like AI regulation and data sovereignty laws.
• Do not upload sensitive personal data. When reviewing policies that reference specific individuals, customer data, or security configurations, redact sensitive details before uploading. Use placeholder names and anonymised examples.
• Jurisdiction matters. GDPR implementation varies by EU member state. HIPAA applies to US covered entities. SOC 2 is a US-centric framework. Always specify your jurisdiction and let Claude know which supervisory authority or regulatory body applies.
• The Legal plugin is required for the full workflow. You can do basic policy review in Chat without the plugin, but the structured gap analysis, slash commands, and evidence generation work best with the Legal plugin in Cowork.
• Enterprise plans offer better security controls. If your compliance requirements include data handling restrictions, the Enterprise plan’s SSO, audit logs, and data retention controls may be necessary. See the security compliance guide.

Related

• Contract Review — review vendor contracts and DPAs against regulatory requirements
• Audit & Compliance — enterprise-grade audit logging and compliance features
• Security & Compliance — data handling, encryption, and enterprise security controls
• Legal role guide — full setup for legal and compliance operators

---

Something wrong or outdated? Let us know →

Get weekly workflows — subscribe to the newsletter.