ComplianceOctober 2, 202510 min read

GDPR for SaaS Startups: What Actually Matters

Your first European customer just signed up.

Or you're trying to close a deal and they asked: "Are you GDPR compliant?"

Now you're googling GDPR, reading 40-page guides written by lawyers, and panicking because it sounds like you need to hire a Data Protection Officer and register with 28 different EU authorities.

Deep breath.

Here's what actually matters for a SaaS startup.

TL;DR #

  • GDPR applies if: You have EU customers or target EU market
  • Core requirement: Privacy policy + user data rights (export, delete)
  • Timeline: 4-6 weeks to basic compliance
  • No DPO needed: Unless you're processing sensitive data at scale
  • Cost: A fraction of a SOC2 audit
  • Bottom line: Start with privacy policy and DPAs, build from there

Jump to implementation checklist →

First: Do You Even Need to Care About GDPR? #

GDPR applies if:

  • You have customers/users in the EU
  • OR you're targeting EU market (ads in German, prices in EUR, etc.)

That's it. Doesn't matter where YOUR company is. Doesn't matter if you have an EU office or not.

EU person's data? GDPR applies.

What counts as "EU":
The 27 EU countries plus Iceland, Liechtenstein, and Norway (EEA). UK has basically the same rules (UK GDPR).

Switzerland has their own thing (FADP) but it's similar enough.

If you have zero EU customers and aren't trying to get any: you can stop reading.

If you have even ONE EU customer: keep reading.

The Core Concept That Everyone Overcomplicate #

GDPR boils down to: respect people's data.

That means:

  • Be honest about what data you collect and why
  • Only collect what you actually need
  • Keep it secure
  • Delete it when you're done or when they ask
  • Let people see what you have and fix it if it's wrong

That's it. Everything else is implementation details.

What You Actually Need to Do #

1. Privacy Policy (Not Optional) #

You need a privacy policy that actually explains what you do with data.

Not "we value your privacy" corporate speak. Real answers to:

  • What data do you collect (email, name, payment info, usage analytics, etc.)
  • Why you collect it (to provide service, send invoices, improve product)
  • Who sees it (your team, your hosting provider, your payment processor)
  • How long you keep it
  • How to delete it
  • Who's responsible (your company info, contact email)

You can find templates. Don't copy-paste blindly - make sure it matches what you ACTUALLY do.

If your policy says "we don't share data with third parties" but you use Stripe, Google Analytics, and Intercom... that's a problem.

Where it goes:

  • Link in footer of your website
  • Link when people sign up
  • In your app settings

Fun fact: You need this even if you're US-only. It's just good practice.

2. Lawful Basis (Lawyer-Speak for "Why Can You Process Data") #

GDPR says you need a legal reason to process data. For SaaS, you've got two that matter:

Contract: You need their data to provide the service they signed up for.

  • Email for login
  • Name for billing
  • Usage data to make the product work

This covers 90% of what you do.

Legitimate Interest: You have a good reason and it's not creepy.

  • Analytics to improve product
  • Security logs to prevent fraud
  • Marketing to existing customers

You CAN'T use this for: selling data, sharing with random third parties, doing things users would find surprising.

Consent: Only for optional stuff.

  • Newsletter signup (separate checkbox)
  • Marketing cookies (cookie banner)
  • Sharing data beyond what's needed for service

IMPORTANT: "By using our service you consent to everything" = not valid consent.

Consent needs to be:

  • Separate action (checkbox)
  • Specific (what are they consenting to)
  • Revocable (they can change their mind)

Most SaaS startups don't need much consent. You're running your service under "contract." That's fine.

3. Data Processing Agreement (DPA) #

If you process customer data on behalf of customers (like if your customers are also businesses), you need a DPA.

Example: You're a CRM. Your customers put their customers' info in your system. Their customers are EU residents.

You're a "processor" (do stuff with data on someone else's behalf).
Your customer is a "controller" (decides what happens with data).

The DPA says: "I promise to handle data properly and won't do anything weird with it."

There are standard DPA templates. Get one from a lawyer (not expensive) or adapt a template. Make it available on your website.

Your customers who care about GDPR will ask for it. Having it ready speeds up sales.

4. Vendor Management #

You use AWS. Stripe. Google Analytics. Intercom. Sentry. 15 other SaaS tools.

All of these see your users' data.

GDPR says: you're responsible for your vendors.

What to do:

  • List every service that sees user data
  • Check if they're GDPR-compliant (most major services are)
  • For major ones (hosting, database), make sure they'll sign a DPA

AWS, GCP, Azure all have standard DPAs. You click "I agree" in the console. Done.

Stripe, SendGrid, Intercom - all have GDPR stuff documented.

Random sketchy analytics tool from someone's side project? Maybe reconsider.

Data transfers out of EU:
If your servers are in US (most startups), you're doing "international data transfer."

This used to be a huge deal (Privacy Shield drama). Now:

  • Use Standard Contractual Clauses (SCCs) - built into AWS/GCP/etc. agreements
  • Or host in EU (more expensive, probably overkill for most startups)

If you use major cloud providers and they're GDPR-compliant: you're probably fine.

5. User Rights (The "Can Users..." Questions) #

Can users see their data?
Yes, they can request it. You have 30 days to send it.

Build an export feature. JSON file with their data. Done.

Can users fix incorrect data?
Yes. Let them edit their profile/settings.

You probably already have this.

Can users delete their data?
Yes. Within 30 days (usually).

Build account deletion. When they delete:

  • Actually delete their data
  • OR explain why you're keeping some (legal/tax requirements for invoices, etc.)

Don't just "soft delete" and keep everything forever. That's not deletion.

Can users stop you processing their data?
Sometimes. If it's necessary for the service: no.

If it's optional (like marketing emails): yes, and you already have an unsubscribe link (right?).

If you use marketing/tracking cookies (Google Analytics, Facebook Pixel, etc.): you need consent.

That's what the cookie banner is for.

Cookies that DON'T need consent:

  • Technically necessary (session cookies, load balancers)
  • Security (CSRF tokens)
  • User preferences (dark mode setting)

Cookies that DO need consent:

  • Analytics (Google Analytics, Mixpanel)
  • Marketing (Facebook Pixel, ad retargeting)
  • Third-party social media embeds

How to do cookie banner:

  • Explain what cookies you use
  • Let people reject non-essential ones
  • Don't load tracking scripts until they consent
  • Remember their choice

There are services that handle this (OneTrust, Cookiebot, etc.). Or build your own if you're feeling ambitious.

Hot take: If you're a small B2B SaaS, consider ditching Google Analytics entirely. Use something privacy-friendly like Plausible or Fathom. No cookie banner needed.

7. Security (Yes, This Is Part of GDPR) #

GDPR requires "appropriate technical and organizational measures" for security.

Translation: don't be sloppy with data.

What counts as "appropriate":

  • Encryption in transit (HTTPS)
  • Encryption at rest (database encryption)
  • Access controls (not everyone can see everything)
  • Regular backups
  • Some kind of monitoring/logging

This is stuff you should be doing anyway.

There's no specific requirement like "must use AES-256" - it's risk-based. Bigger risk = more security.

Storing health records? Need more security.
Storing email addresses for newsletter? Less stringent.

8. Breach Notification #

If you get breached: you have 72 hours to notify authorities.

"Breached" = someone accessed data they shouldn't have.

Lost laptop with customer data? Breach.
Production database exposed to internet? Breach.
Employee downloaded customer list and left? Breach.

What to do if breached:

  1. Stop the breach
  2. Figure out what was accessed
  3. Notify relevant EU authority (usually one in your main EU market)
  4. Notify affected users if it's high risk (passwords, financial data, etc.)

This is why you need logging. You can't report what you don't know.

How to notify:
Most EU countries have a web form. You describe what happened, how many people affected, what you're doing about it.

It's not fun, but it's also not the end of the world if you handle it properly.

What You DON'T Need (Usually) #

Data Protection Officer (DPO) #

Required if:

  • You're a government/public authority
  • You do large-scale monitoring (you're an ad tech company)
  • You process sensitive data as your core business (health records, etc.)

If you're a normal B2B SaaS startup: probably don't need one.

You still need someone responsible for GDPR internally. But you don't need to hire a dedicated DPO and register them with authorities.

EU Representative #

Required if:

  • You're outside EU
  • You offer goods/services to EU
  • You have NO establishment in EU

BUT: there's an exception for "occasional" processing that doesn't include sensitive data.

Most small SaaS startups fall under this exception. You're fine.

If you're doing serious business in EU (millions in revenue), you'll eventually need an EU rep. But not when you're just starting.

Data Protection Impact Assessment (DPIA) #

Required for "high risk" processing:

  • Large-scale profiling for automated decisions (credit scores, hiring algorithms)
  • Large-scale processing of sensitive data (health, biometrics)
  • Public monitoring (surveillance cameras)

If you're a normal SaaS: probably don't need one.

Registration with Every EU Data Protection Authority #

Not a thing. You don't need to register in 27 countries.

You only interact with authorities if:

  • You get breached (notify the relevant one)
  • Someone complains about you (they'll contact you)
  • You need an EU representative (register them)

The Enforcement Reality #

Everyone's terrified of GDPR fines. "Up to 4% of global revenue!"

Reality: Most fines go to big companies doing egregious stuff.

Google got fined billions for Android data practices.
British Airways got fined for a massive breach affecting 400K people.

Your 5-person startup with 50 EU customers that accidentally kept deleted accounts for 45 days instead of 30? Not getting a multimillion dollar fine.

You might get:

  • A warning to fix it
  • A small fine (thousands, not millions)
  • Asked to compensate users (rarely)

Don't be reckless. But also don't panic.

EU authorities want compliance, not to destroy startups. Be reasonable, document what you do, fix issues when they come up.

Practical Checklist #

This Week:

  • Write/update privacy policy
  • Add account deletion feature (or document timeline)
  • Add data export feature
  • List all vendors that process user data

This Month:

  • Get DPA template ready for customers
  • Set up cookie consent if needed
  • Document your data retention policy
  • Create breach response plan (who to notify, how)

Ongoing:

  • Review privacy policy when you add new features
  • Check new vendors for GDPR compliance
  • Respond to user data requests within 30 days
  • Keep logs of what you're doing (helps during audits)

When You Actually Need a Lawyer #

Get legal advice if:

  • You're processing sensitive data (health, financial, kids, biometrics)
  • You're doing automated decision making (AI scoring, hiring algorithms)
  • You're targeting EU specifically (office, EU entity, significant revenue)
  • You got a complaint or investigation notice
  • You're going through Series A+ (investors will want this buttoned up)

For most small SaaS: you don't need a lawyer yet. Templates and common sense will get you 90% there.

GDPR + SOC2 = Actually Not Much Overlap #

SOC2 is about your security controls.
GDPR is about respecting user privacy.

Some overlap (encryption, access controls, logging) but they're different things.

You can be GDPR compliant without SOC2.
You can have SOC2 without being GDPR compliant (if no EU customers).

If you need both: do SOC2 first. It's more structured. GDPR requirements will mostly be covered as part of SOC2 security controls.

Real Talk #

GDPR sounds scarier than it is.

It's mostly: don't be shady with data, let people control their info, keep it secure.

You should be doing this anyway because it's the right thing to do.

GDPR just formalized it and added penalties for being terrible.

Start with privacy policy and user rights (delete/export). That handles 80% of it.

Everything else you can add as you grow.

Want help figuring out GDPR + SOC2 together? That's exactly what I help startups with. Most of my clients need both eventually.

But you don't need both today. Start with privacy policy and go from there.

Related Reading:


About the Author #

I'm Nikita, a DevSecOps and cloud security consultant specializing in Kubernetes security and compliance automation for Series A-C SaaS companies. With 7+ years of security engineering experience including CISO roles, I help startups achieve SOC2 certification in 6 weeks and build security pipelines that developers actually like.

Work with me: View Services | Schedule Call | Read More Posts

Nikita Mosievskiy

Security Engineer & AI Researcher