kartinov / gdpr-toolkit
GDPR toolkit for Laravel
Requires
- php: ^8.2
- illuminate/support: ^10.0|^11.0|^12.0|^13.0
Requires (Dev)
- laravel/pint: ^1.0
- orchestra/testbench: ^9.17
- pestphp/pest: ^2.8
- pestphp/pest-plugin-laravel: ^2.0
- phpunit/phpunit: ^10.5
README
A lightweight package to help Laravel developers address GDPR requirements by scanning your database for personally identifiable information and generating a draft Record of Processing Activities (RoPA).
📖 New to GDPR? Read our plain-English GDPR Basics for Developers guide to learn how privacy-by-design impacts your migrations, logging, and database relationships.
Installation
Require the package via Composer:
composer require kartinov/gdpr-toolkit
Publish the configuration file:
php artisan vendor:publish --provider="Kartinov\GdprToolkit\GdprToolkitServiceProvider"
Configuration
Open the published config/gdpr-toolkit.php and adjust the settings to match your application.
Usage
Scanning
Run the scan to generate a draft RoPA:
php artisan gdpr:scan
This inspects your Eloquent models and database tables, detects personally identifiable information via column-name heuristics and foreign key relationships, and writes the result to:
storage/app/gdpr-ropa.json
Output format
{
"generated_at": "2026-07-04T09:18:08+00:00",
"total_tables_with_personal_data": 2,
"data_map": {
"User": {
"fields": [
"name",
"email"
],
"shipping_addresses": [
"address",
"city",
"state",
"zip",
"country",
"phone"
]
}
}
}
Each subject model maps to:
fields— personal data columns on the subject's own table{related_table}— personal data columns on tables linked by foreign key
Marking models with HasPersonalData
Attach the HasPersonalData trait to any Eloquent model and declare its personal data fields:
use Kartinov\GdprToolkit\Traits\HasPersonalData; class User extends Authenticatable { use HasPersonalData; protected array $personalData = [ 'name', 'email', 'phone', 'address', ]; }
The trait provides one method:
$user->exportPersonalData(); // Returns array of field => value
Exporting personal data (Article 15 / 20)
Generate a complete personal data export for a specific subject:
php artisan gdpr:export App\\Models\\User 1 php artisan gdpr:export App\\Models\\User john@example.com --output=storage/app/user_1_gdpr_export.json
- First argument: fully qualified model class (e.g.
App\Models\User) - Second argument: identifier — ID or email
--output(optional): custom output path, defaults tostorage/app/gdpr-export.json
The export includes the subject's own personal fields plus all related table records linked by foreign key.
Important Disclaimer
This toolkit is a developer aid, not a legal service. The RoPA it generates is a technical draft — it does not guarantee GDPR compliance. Always have your records reviewed by a qualified legal professional before relying on them for regulatory purposes.
License
This package is open-sourced software licensed under the MIT license.
See the LICENSE file for details.