Compliance

GDPR for SaaS Founders: the 12 Things You Actually Need to Do

May 2026 · 11 min read

GDPR is not 1,000 pages of cryptic regulation that requires a €50K lawyer to interpret. For most SaaS founders, GDPR compliance is 12 concrete tasks, most of which take a few hours each. Skip them and you risk fines up to 4% of global revenue and immediate platform bans (Stripe, Google Ads and Apple all require GDPR compliance from businesses serving EU customers).

This post lists the 12 things you actually need to do, in priority order. None of them require legal expertise. All of them can ship in a 2-week sprint.

1. Privacy Policy

A document explaining what data you collect, why, how long you keep it, who you share it with, and how users can exercise their rights.

What it must contain

  • Identity of the data controller (your company)
  • Categories of personal data collected (email, name, IP, usage events, etc.)
  • Purpose for collection (account, billing, analytics, etc.)
  • Legal basis for processing (consent, contract, legitimate interest, etc.)
  • Data retention periods
  • Third parties data is shared with (Stripe, SendGrid, etc.)
  • User rights (access, erasure, portability, etc.) and how to exercise them
  • Contact details for data protection inquiries

Tools: Termly, Iubenda, or hand-written from a template. Cost: €0-€20/month.

2. Data Map

An internal document listing every category of personal data you collect, where it is stored, who has access, and how long you retain it. Article 30 of GDPR requires this for any company processing personal data.

Format

A spreadsheet or Notion page with columns: data category | source | storage location | access (which team/role) | retention period | basis for processing | third parties.

What goes in

  • User account data (email, name, password hash)
  • Billing data (Stripe customer ID, payment method)
  • Usage data (events, sessions, IP addresses)
  • Support communications (tickets, emails)
  • Marketing data (newsletter subscribers, lead form submissions)

The exercise of building the data map often reveals data you forgot you collected. Worth doing for that reason alone.

3. Data Processing Agreements (DPAs)

Any third-party service that processes EU personal data on your behalf needs a DPA signed. Required by Article 28.

Who needs a DPA

  • Stripe / payment processors
  • Email senders (SendGrid, Postmark, Resend)
  • Analytics (Google Analytics, Mixpanel, PostHog)
  • Customer support (Intercom, Help Scout)
  • CRM (HubSpot, Salesforce)
  • Error tracking (Sentry)
  • Hosting (AWS, Vercel, etc.)

All major SaaS vendors provide standard DPAs. Usually a few clicks in the vendor's dashboard. Document the date signed in your data map.

4. Cookie Banner

If you use any cookies that are not strictly necessary (analytics, ads, marketing), you must get user consent before setting them. The banner must offer "Reject all" with equal prominence to "Accept all" — anything else is a dark pattern and illegal in most EU jurisdictions.

What a good cookie banner looks like

  • Appears on first visit, before any non-essential cookies are set
  • "Accept all" and "Reject all" buttons of equal visual weight
  • "Customize" option for granular consent
  • Easy to change consent later (link in footer or banner)
  • Records consent (with timestamp) for audit purposes

Tools: Cookiebot, OneTrust, or self-hosted (Klaro, Cookie Consent). Free tiers available.

5. Right to Erasure Endpoint

Users have the right to request deletion of their personal data. You must respond within 30 days. Manual processing is fine at small scale; build a self-serve endpoint at scale.

What "delete" means

  • Delete from your primary database
  • Delete from backups (or document retention period and delete after)
  • Request deletion from third-party processors (Stripe, SendGrid, etc.)
  • Anonymize aggregate analytics data (cannot delete, but should de-identify)

What you can keep

Data you are legally required to retain (tax records, transaction logs for fraud prevention). Document the legal basis in your privacy policy.

6. Right to Access Endpoint

Users can request a copy of all personal data you hold about them. Respond within 30 days. Format: machine-readable (JSON, CSV) preferred.

At small scale, manual export is fine. At scale, build a self-serve "Export my data" feature in the user account settings.
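As an added example (not code from the post), a minimal Python implementation of the two self-serve endpoints from items 5 and 6 over a constructed in-memory SQLite schema. The table names, the `processor_queue` list standing in for a job queue, and the processor names are assumptions; the point is that erasure means more than one DELETE: analytics rows are de-identified, invoices are kept under the legal-obligation basis, processor deletion requests are queued, and every request is logged for the records item 12 asks for.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema standing in for a small SaaS primary database (an assumption, not the post's).
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, name TEXT, password_hash TEXT);
CREATE TABLE events   (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, kind TEXT);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, amount_cents INTEGER);
CREATE TABLE dsar_log (id INTEGER PRIMARY KEY, user_id INTEGER, request TEXT, detail TEXT, at TEXT);
"""
PERSONAL_TABLES = (("users", "id"), ("events", "user_id"), ("invoices", "user_id"))  # fixed allowlist, never from request input

def open_db():
    """Fresh in-memory database seeded with constructed sample rows (not real people)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?,?)",
                   [(1, "ana@example.com", "Ana", "h1"), (2, "bo@example.com", "Bo", "h2")])
    db.executemany("INSERT INTO events VALUES (?,?,?,?)",
                   [(1, 1, "203.0.113.5", "login"), (2, 1, "203.0.113.5", "export"), (3, 2, "198.51.100.9", "login")])
    db.execute("INSERT INTO invoices VALUES (1, 1, 4900)")
    return db

def _log(db, user_id, request, detail):
    """Append to the user-request log that item 12 says to keep for audits."""
    db.execute("INSERT INTO dsar_log (user_id, request, detail, at) VALUES (?,?,?,?)",
               (user_id, request, detail, datetime.now(timezone.utc).isoformat()))

def export_user_data(db, user_id):
    """Right to access: one machine-readable JSON document covering every table that references the user."""
    payload = {table: [{k: v for k, v in dict(r).items() if k != "password_hash"}  # never hand out credential material
                       for r in db.execute(f"SELECT * FROM {table} WHERE {col} = ?", (user_id,))]
               for table, col in PERSONAL_TABLES}
    _log(db, user_id, "access", f"{sum(len(rows) for rows in payload.values())} rows exported")
    return json.dumps(payload, indent=2)

def erase_user(db, user_id, processor_queue):
    """Right to erasure: delete the account, de-identify analytics, retain tax records, queue processor deletions."""
    email = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()["email"]
    deleted = db.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    # Aggregate analytics survive, but no event can be tied back to a person any more.
    anonymized = db.execute("UPDATE events SET user_id = NULL, ip = NULL WHERE user_id = ?", (user_id,)).rowcount
    # Invoices are retained under the legal-obligation basis; this schema keeps no direct identifiers in them.
    retained = db.execute("SELECT COUNT(*) AS n FROM invoices WHERE user_id = ?", (user_id,)).fetchone()["n"]
    for processor in ("stripe", "sendgrid"):  # assumed processors, taken from the post's own examples
        processor_queue.append({"processor": processor, "action": "delete", "subject": email})
    _log(db, user_id, "erasure", f"deleted={deleted} anonymized={anonymized} retained_invoices={retained}")
    return {"deleted": deleted, "anonymized": anonymized, "retained_invoices": retained, "processor_requests": len(processor_queue)}
```

Backups are deliberately out of scope here: for those you document the retention period and let them age out, as item 5 says.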

7. Lawful Basis Documentation

For each category of data processing, you must have a lawful basis: consent, contract, legitimate interest, legal obligation, vital interest, or public task.

Typical SaaS lawful bases

  • Contract: processing required to provide the service (account creation, billing).
  • Legitimate interest: security monitoring, fraud prevention, basic analytics.
  • Consent: marketing emails, optional analytics, tracking cookies.
  • Legal obligation: tax records, accounting data.

Document the lawful basis for each processing activity in your data map.

8. Breach Notification Process

You have 72 hours from discovery to notify the supervisory authority. If the breach poses a high risk to users, you must also notify the users themselves without undue delay.

Pre-incident preparation

  • Identify your supervisory authority (the data protection regulator in your country of EU establishment, or where most affected users are)
  • Know the notification process (usually an online form)
  • Have an incident response runbook
  • Identify who has authority to decide on user notification
  • Have legal counsel on retainer for breach scenarios

Drafting the process mid-incident burns the 72-hour window.

9. Data Transfer Mechanism (if applicable)

Transferring EU personal data outside the EU/EEA requires an additional legal mechanism. Standard Contractual Clauses (SCCs) are the most common for US vendors.

Major US vendors (AWS, Google, Microsoft) include SCCs in their standard DPA. Smaller vendors may not — verify before using.

The UK has had a separate but similar regime (the IDTA) since Brexit. Check both if you have UK users.

10. Data Minimization

GDPR requires collecting only the personal data necessary for the purpose. "We might want it later" is not a valid reason.

Audit your signup form

Do you really need a phone number for a free trial? A date of birth for a B2B tool? A postal address for an analytics product? Each unnecessary field is a compliance risk and a conversion drop.

Minimum viable signup: email + password. Everything else should justify itself.

11. DPO Assessment

You need a Data Protection Officer (DPO) if you process personal data systematically at scale OR process special categories (health, biometric, political opinion, sexual orientation, criminal records).

Most SaaS startups do NOT need a DPO. The threshold is high — typically 250+ employees OR processing special data at scale.

If you do need one, the DPO can be an internal employee or an external contractor. They must report directly to top management and have GDPR expertise.

12. Documentation & Records

Keep records of your processing activities (Article 30), DPAs, consent logs, breach notifications, and user request responses. Required for audit purposes.

Notion or a shared Drive folder is fine. Just have it organized and findable. If a supervisory authority requests records, you have 30 days to provide them.

The 12 Items Summary

Item | Time to implement | Ongoing maintenance
Privacy policy | 2-4 hours | Review annually
Data map | 4-8 hours | Update quarterly
DPAs signed | 2-4 hours | For each new vendor
Cookie banner | 2-4 hours | Minimal
Right to erasure | 4-16 hours (manual to automated) | Process requests
Right to access | 4-16 hours | Process requests
Lawful basis documentation | 2-4 hours | Review annually
Breach notification process | 4-8 hours | Update annually
Data transfer mechanism | 1-2 hours per vendor | For each new vendor
Data minimization audit | 2-4 hours | Quarterly review
DPO assessment | 1 hour | Re-assess at 250 employees
Documentation | 2-4 hours setup | Update as needed

Total first-time implementation: 30-50 hours. Spread over 2 weeks for a small team.

What GDPR Is Not

  • Not a ban on collecting data. You can collect what you need with a lawful basis.
  • Not impossible to comply with. The above checklist covers 90% of obligations for most SaaS.
  • Not US-specific. US-based companies with EU users must comply equally.
  • Not an automatic 4% fine. Fines scale with severity and intent. First-time, good-faith errors typically get warnings or modest fines.
  • Not enforced everywhere equally. Some EU countries have aggressive regulators (France, Germany). Others have lighter touch. Plan for the strictest.

What Happens If You Skip GDPR

  • User complaint to supervisory authority: investigation, fine.
  • Stripe / Apple / Google rejection: they require GDPR compliance to keep your account active.
  • B2B customer requirement: enterprise customers ask for your DPA before signing. No GDPR = no enterprise sales.
  • Reputation: a public breach without notification process is brand damage that survives the fine.

The cost of compliance (30-50 hours of work) is small compared to the cost of non-compliance (any of the above).

GDPR readiness review

If you are not sure where you stand on these 12 items, I do 60-minute GDPR audits. You leave with a checklist of gaps and a 30-day implementation plan.
