ChatGPT Prompts for Compliance Policy Writing Legal 2026

Ready-to-use ChatGPT prompts for legal compliance policy writing. Get compliant policies drafted in 30 seconds. 25 tested prompts for 2026.

Best paired with Jasper AI for tone control or Copy.ai for fast iteration.

These prompts help legal professionals draft compliant policies fast. Copy, fill in your variables, and get usable policy language that meets regulatory requirements.

Data Privacy and Protection Policies

You are a privacy lawyer drafting a data breach notification policy for immediate implementation. Company: {company_name}, Industry: {industry_sector}, Employee count: {employee_count}, Primary jurisdiction: {jurisdiction}, Data types handled: {data_types}, Current breach response time: {current_response_hours}, Regulatory requirements: {applicable_regulations}, IT contact: {it_contact_name}, Legal contact: {legal_contact_name}. Write a 400 to 500 word data breach notification policy that includes detection procedures, internal escalation timeline, external notification requirements, and specific contact protocols. Use numbered steps for the response procedure and include regulatory citation requirements for {applicable_regulations}.

When to use it: When you need to implement or update breach response procedures after a security audit or regulatory change.

Pro tip: Always include specific hour timeframes (24, 48, 72) rather than “immediately” to ensure measurable compliance during audits.


You are a compliance officer writing a vendor data processing agreement addendum for a new third-party relationship. Vendor: {vendor_company_name}, Service type: {service_description}, Data categories: {personal_data_types}, Processing location: {data_location}, Contract term: {contract_duration}, Primary regulation: {gdpr_ccpa_other}, Sub-processor allowed: {yes_no}, Data retention period: {retention_months}, Security standards required: {iso_soc_other}. Draft a 300 to 400 word data processing addendum that covers lawful basis, processing restrictions, security requirements, and termination obligations. Structure as numbered clauses with clear processor vs controller responsibilities.

When to use it: When Legal needs to quickly add privacy terms to vendor contracts without starting from scratch.

Pro tip: Reference the main service agreement section numbers to avoid conflicts between documents during contract negotiation.


You are a privacy counsel creating an employee privacy notice for workforce monitoring implementation. Company: {company_name}, Monitoring type: {email_video_keystroke}, Monitoring scope: {full_partial_targeted}, Employee count: {total_employees}, Jurisdiction: {state_country}, Union present: {yes_no}, Implementation date: {start_date}, HR contact: {hr_manager_name}, Opt-out available: {yes_no_limited}. Write a 350 to 450 word employee privacy notice explaining monitoring purposes, data collection methods, retention periods, and employee rights. Use plain language with bullet points for data types and clear action steps for employee questions.

When to use it: When implementing new monitoring technology and HR needs compliant notice language before rollout.

Pro tip: Include specific examples of monitored activities rather than broad categories to reduce employee anxiety and potential pushback.


You are a data protection officer drafting a cookie consent policy update for website compliance. Website: {website_url}, Business type: {b2b_b2c_both}, Traffic geography: {primary_regions}, Analytics tools: {google_adobe_other}, Marketing cookies: {facebook_linkedin_other}, Essential cookies only: {yes_no}, Consent management tool: {tool_name}, Legal basis: {consent_legitimate_interest}. Create a 250 to 350 word cookie policy that explains cookie types, purposes, retention periods, and user control options. Format with clear headers and include specific opt-out instructions for each cookie category.

When to use it: When website updates trigger cookie compliance reviews or regulatory guidance changes.

Pro tip: Test your cookie policy language with non-lawyers to ensure average users understand their choices before publishing.


You are a compliance attorney writing a cross-border data transfer impact assessment for a new international subsidiary. Parent company: {parent_company}, Subsidiary location: {country_name}, Data types transferred: {employee_customer_financial}, Transfer frequency: {daily_weekly_monthly}, Transfer mechanism: {scc_bcr_adequacy}, Local data laws: {local_regulation_name}, Data subject rights: {gdpr_local_hybrid}, Risk level: {high_medium_low}, Mitigation measures: {encryption_pseudonymization_other}. Draft a 500 to 600 word transfer impact assessment that identifies risks, evaluates safeguards, documents legal basis, and provides ongoing monitoring requirements. Structure with executive summary, risk analysis, and compliance recommendations.

When to use it: When expanding operations internationally and you need documented transfer risk analysis for regulators.

Pro tip: Include specific metrics for measuring transfer compliance rather than subjective assessments to support future audits.

Financial Services Compliance

You are a bank compliance officer drafting an anti-money laundering transaction monitoring policy for suspicious activity detection. Bank: {bank_name}, Asset size: {asset_range}, Customer types: {retail_commercial_private}, High-risk jurisdictions: {country_list}, Transaction threshold: {dollar_amount}, Monitoring system: {system_name}, BSA officer: {officer_name}, Filing timeline: {days_to_file}, Review frequency: {daily_weekly}. Write a 400 to 500 word AML monitoring policy covering detection scenarios, escalation procedures, documentation requirements, and SAR filing obligations. Use specific dollar thresholds and include regulatory citation to 31 CFR 1020.320.

When to use it: When updating transaction monitoring procedures after regulatory exam findings or system changes.

Pro tip: Include seasonal business pattern exceptions to reduce false positives during predictable high-transaction periods like holidays.


You are a securities lawyer creating a trading restriction policy for employees with material non-public information access. Firm: {firm_name}, Employee categories: {research_trading_banking}, Restricted securities: {covered_companies}, Blackout periods: {earnings_deals_other}, Pre-clearance required: {yes_no_threshold}, Holding period: {days_months}, Compliance contact: {contact_name}, Violation penalties: {suspension_termination_fine}, Review schedule: {quarterly_annually}. Draft a 450 to 550 word personal trading policy that defines prohibited transactions, pre-clearance procedures, reporting obligations, and enforcement measures. Format with numbered restrictions and clear approval workflows.

When to use it: When onboarding new employees with MNPI access or updating policies after regulatory guidance changes.

Pro tip: Define “immediate family” specifically by relationship degree to avoid confusion about coverage during compliance reviews.


You are a credit union compliance manager writing a fair lending policy for mortgage origination practices. Credit union: {cu_name}, Membership base: {geographic_occupational_other}, Loan products: {conventional_fha_portfolio}, Underwriting system: {automated_manual_hybrid}, HMDA reporting: {yes_no}, CRA assessment: {satisfactory_outstanding_other}, Training frequency: {monthly_quarterly}, Audit schedule: {annual_biennial}, Complaint process: {internal_external_both}. Create a 350 to 450 word fair lending policy addressing prohibited factors, underwriting standards, exception approval, and monitoring procedures. Include specific ECOA and Fair Housing Act compliance requirements with clear staff responsibilities.

When to use it: When implementing new lending products or addressing fair lending examination findings.

Pro tip: Document legitimate business reasons for common underwriting exceptions to demonstrate non-discriminatory intent during regulatory reviews.


You are a fintech compliance counsel drafting a consumer complaint handling policy for digital payment services. Company: {company_name}, Service type: {payments_lending_crypto}, User base size: {user_count}, Complaint volume: {monthly_average}, Response timeline: {business_days}, Escalation triggers: {complaint_types}, Regulatory requirements: {cfpb_state_other}, Staff responsible: {team_names}, Tracking system: {system_name}. Write a 300 to 400 word complaint resolution policy covering intake procedures, investigation timelines, response requirements, and regulatory reporting obligations. Structure with clear escalation criteria and include CFPB Regulation E timeline requirements.

When to use it: When launching consumer-facing financial products or updating complaint procedures after volume increases.

Pro tip: Build buffer time into response deadlines to account for complex investigations while still meeting regulatory requirements.


You are a wealth management compliance officer creating a client suitability assessment policy for investment recommendations. Firm: {firm_name}, Advisor count: {advisor_number}, Client segments: {hnw_retail_institutional}, Product types: {equities_alternatives_insurance}, Risk tolerance tools: {questionnaire_software_interview}, Documentation system: {crm_name}, Supervision frequency: {monthly_quarterly}, Regulatory framework: {finra_sec_state}, Update triggers: {annual_life_events_threshold}. Draft a 450 to 550 word suitability policy outlining client profiling requirements, recommendation standards, documentation obligations, and ongoing monitoring procedures. Include specific Regulation Best Interest compliance measures and clear supervisor approval thresholds.

When to use it: When implementing new investment products or updating suitability procedures after regulatory examinations.

Pro tip: Create specific documentation checklists for complex products to ensure consistent suitability analysis across different advisors.

Healthcare and Life Sciences Compliance

You are a hospital compliance officer writing a HIPAA breach assessment policy for protected health information incidents. Hospital: {hospital_name}, Bed count: {bed_number}, EMR system: {emr_name}, Privacy officer: {officer_name}, Security officer: {security_officer}, IT response team: {team_contacts}, Risk assessment tool: {assessment_method}, Notification timeline: {discovery_to_notification_days}, Legal counsel: {law_firm_contact}. Create a 400 to 500 word HIPAA breach assessment policy covering incident classification, risk analysis methodology, notification requirements, and documentation standards. Include specific 4-factor risk assessment criteria and clear decision trees for breach determination.

When to use it: When updating incident response procedures after OCR guidance changes or following a reportable breach.

Pro tip: Document your risk assessment methodology consistently to demonstrate good faith compliance efforts if OCR reviews your breach determinations.


You are a pharmaceutical regulatory attorney drafting an adverse event reporting policy for drug safety surveillance. Company: {pharma_company}, Product portfolio: {drug_categories}, Markets: {us_eu_global}, Safety database: {database_name}, Regulatory contacts: {fda_ema_contacts}, Reporting timelines: {serious_nonserious_days}, Medical review: {medical_officer_name}, Quality assurance: {qa_process}, Training schedule: {staff_training_frequency}. Write a 500 to 600 word adverse event reporting policy addressing case intake, causality assessment, expedited reporting requirements, and regulatory submission procedures. Structure with specific timeline requirements and include FDA Form 3500A submission criteria.

When to use it: When launching new drug products or updating pharmacovigilance procedures after regulatory inspections.

Pro tip: Establish clear medical reviewer availability during weekends and holidays to meet expedited serious adverse event reporting deadlines.


You are a medical device compliance manager creating a quality management system policy for FDA design controls. Company: {device_company}, Device class: {class_i_ii_iii}, Product type: {device_description}, Design team: {team_size}, Quality system: {iso13485_fda_both}, Design control procedures: {existing_new_updated}, Risk management: {iso14971_fmea_other}, Clinical requirements: {required_not_required}, Submission type: {510k_pma_exempt}. Draft a 450 to 550 word design control policy covering design planning, input requirements, verification and validation, design changes, and design history file maintenance. Include specific 21 CFR 820.30 compliance requirements and clear milestone approval gates.

When to use it: When developing new medical devices or updating design control procedures after FDA inspection observations.

Pro tip: Link design control milestones to project management software to automatically trigger compliance documentation reviews.


You are a clinical research compliance officer writing an informed consent policy for human subjects protection. Institution: {institution_name}, Research type: {clinical_trials_academic_industry}, IRB type: {internal_central_commercial}, Subject population: {adult_pediatric_vulnerable}, Study phases: {preclinical_phase_i_ii_iii}, Consent languages: {primary_languages}, Electronic consent: {yes_no_hybrid}, Documentation system: {ctms_name}, Monitoring frequency: {audit_schedule}. Create a 350 to 450 word informed consent policy addressing consent elements, capacity assessment, documentation requirements, and ongoing consent obligations. Include specific FDA 21 CFR 50.25 required elements and clear procedures for consent modifications.

When to use it: When implementing new clinical trial protocols or updating consent procedures after FDA or IRB findings.

Pro tip: Create consent templates specific to study phase complexity rather than one-size-fits-all approaches to improve subject comprehension.


You are a healthcare privacy counsel drafting a patient portal access policy for electronic health records. Health system: {system_name}, Patient population: {patient_demographics}, Portal platform: {portal_software}, Authentication method: {login_requirements}, Proxy access: {family_caregiver_rules}, Minor access: {age_thresholds}, Restricted information: {mental_health_substance_abuse}, Technical support: {help_desk_contact}, Audit procedures: {access_monitoring}. Write a 300 to 400 word patient portal access policy covering identity verification, access rights, information restrictions, and account security requirements. Structure with clear eligibility criteria and include specific HIPAA right of access compliance measures.

When to use it: When implementing patient portal technology or updating access policies after privacy rule changes.

Pro tip: Clearly define “timely access” with specific business days to meet HIPAA requirements while managing patient expectations.

Employment Law and HR Compliance

You are an employment attorney writing a workplace investigation policy for harassment and discrimination complaints. Company: {company_name}, Employee count: {total_employees}, HR team: {hr_staff_count}, Investigation lead: {investigator_name}, External counsel: {law_firm_name}, Complaint channels: {reporting_methods}, Timeline commitment: {investigation_days}, Documentation system: {hr_system}, Training frequency: {manager_training_schedule}. Draft a 400 to 500 word workplace investigation policy covering complaint intake, investigation procedures, interim measures, finding determinations, and corrective action protocols. Include specific Title VII compliance requirements and clear confidentiality protections for all parties.

When to use it: When updating investigation procedures after legal developments or following EEOC charge filings.

Pro tip: Document business reasons for any employment decisions made during pending investigations to defend against retaliation claims.


You are an HR compliance manager creating a reasonable accommodation policy for disability-related workplace adjustments. Company: {company_name}, Workforce size: {employee_count}, Job categories: {office_manufacturing_retail}, Accommodation budget: {annual_budget}, Interactive process lead: {hr_contact}, Medical documentation: {required_optional}, Decision timeline: {business_days_commitment}, Appeal process: {internal_external}, Training requirements: {supervisor_training}, External resources: {vocational_rehabilitation_job_accommodation_network}. Write a 450 to 550 word reasonable accommodation policy addressing request procedures, interactive process requirements, accommodation evaluation, and implementation protocols. Structure with clear timelines and include specific ADA undue hardship analysis factors.

When to use it: When implementing accommodation request tracking systems or updating policies after ADA guidance changes.

Pro tip: Maintain separate medical files for accommodation documentation to comply with ADA confidentiality requirements during audits.


You are a labor attorney drafting a social media policy for employee personal account usage affecting the workplace. Company: {company_name}, Industry: {industry_type}, Union presence: {yes_no}, Employee demographics: {generational_mix}, Business reputation concerns: {customer_facing_b2b}, Confidentiality requirements: {trade_secrets_client_info}, Monitoring approach: {none_reactive_proactive}, Discipline framework: {progressive_immediate}, Legal jurisdiction: {state_federal_requirements}. Create a 350 to 450 word social media policy covering personal posting guidelines, confidentiality obligations, harassment prevention, and disciplinary consequences. Include specific NLRA Section 7 compliance language protecting concerted activity rights.

When to use it: When addressing social media incidents involving employees or proactively establishing guidelines before issues arise.

Pro tip: Avoid overly broad restrictions on workplace criticism to prevent unfair labor practice charges even in non-union environments.


You are an employment compliance officer writing a wage and hour policy for overtime classification and payment. Company: {company_name}, Employee categories: {exempt_nonexempt_mix}, Industry type: {retail_manufacturing_professional}, Payroll system: {system_name}, Time tracking: {manual_electronic_app}, Overtime approval: {required_automatic}, Meal break requirements: {state_requirements}, Travel time: {compensable_policies}, Pay frequency: {weekly_biweekly_monthly}, Audit schedule: {internal_review_frequency}. Draft a 400 to 500 word wage and hour policy covering overtime calculation, meal and rest periods, time recording requirements, and pay practice procedures. Include specific FLSA exemption criteria and state-specific requirements for {state_requirements}.

When to use it: When reclassifying employee positions or updating pay practices after Department of Labor guidance changes.

Pro tip: Regularly audit actual job duties against exemption classifications rather than relying solely on job descriptions to avoid misclassification claims.


You are a workplace safety attorney creating an injury reporting and investigation policy for occupational safety compliance. Company: {company_name}, Industry: {manufacturing_construction_office}, Employee count: {workforce_size}, Safety officer: {safety_contact}, OSHA recordability: {injuries_requiring_recording}, Workers compensation: {carrier_name}, Medical provider: {occupational_clinic}, Investigation team: {team_members}, Reporting timeline: {immediate_24_hour_requirements}, Return to work: {light_duty_available}. Write a 350 to 450 word injury reporting policy covering incident notification, investigation procedures, OSHA recording requirements, and return-to-work protocols. Structure with immediate action steps and include specific OSHA Form 301 completion requirements.

When to use it: When implementing safety management systems or updating procedures after OSHA citations or an increase in workers' compensation claims.

Pro tip: Train supervisors to secure accident scenes immediately to preserve evidence for investigation while ensuring injured worker care comes first.

Frequently Asked Questions

These prompts include specific variables, regulatory citations, and clear output constraints that produce compliant policy language. They’re designed for immediate use rather than requiring additional legal research or template creation.

How do I ensure AI-generated compliance policies meet current regulatory requirements?

Always review AI output against current regulations and have qualified legal counsel approve policies before implementation. These prompts include regulatory framework references to guide your review process.

Can these compliance policy prompts be customized for different jurisdictions?

Yes, the variable structure allows you to specify jurisdictions, applicable regulations, and local requirements. Always verify local law compliance with qualified counsel in your jurisdiction before finalizing policies.
