When should a startup start preparing for GDPR?

From day one. GDPR is mostly about how you treat user data and document your practices, not expensive tooling. Startups that build privacy habits early find compliance straightforward when an enterprise deal requires it. Those that retrofit everything after the fact find it painful and expensive.

Does GDPR apply if my company is not in the EU?

If you process personal data of people in the EU, GDPR applies regardless of where your company is based. The regulation follows the data subject, not the controller. Most consumer SaaS will eventually fall under it whether or not the founder targeted Europe explicitly.

What is a DPA in GDPR?

A Data Processing Agreement. Required between a data controller (the company deciding why and how data is used) and any processor (a vendor handling data on the controller's behalf). Most enterprise customers will require one before signing. You need DPAs in two directions: with your vendors, and with your customers.

What are the most important GDPR practices for an early-stage startup?

Three things carry most of the weight at ground zero, and none of them are technical. Documented foundations (a Privacy Notice and Records of Processing Activities), subject rights as a habit (a runbook for honoring access, deletion, and portability requests), and vendor accountability (DPAs in both directions, plus a maintained subprocessor list).

Product Guide

You Don't Need a DPO Yet. Start Anyway.

Q: How long do you have to report a GDPR data breach?

72 hours from becoming aware of the breach to notifying the supervisory authority. That window is short enough that you cannot figure out what a response looks like during a breach. The plan has to exist before.

Generative Labs

A prospect's procurement team asks "are you GDPR compliant? Can you sign our DPA?" and you freeze. You're not, and you don't even know what a DPA is. You just got your MVP launched. But you just realized every European customer you build toward will ask the same question, and every enterprise procurement team that ever touches your contract will too.

Here's the good news: you don't need full GDPR compliance today. Here's the better news: you can start building toward it right now, and like SOC 2, it's not what you think.

What GDPR actually is

Most founders hear "GDPR" and picture lawyers, cookie banners, and months of compliance review. That picture is wrong, or at least incomplete.

GDPR is a regulation that asks one question: do you treat the personal data of people in the EU with care? Regulators, auditors, and your customers' procurement teams review your practices, your evidence that you follow them, and the documents that describe them. The key word is practices. Most of the work is operational, not legal.

This reframe matters. You don't need a privacy lawyer in the room before you've signed a customer. You need to make thoughtful decisions about how you handle user data, write them down, and operate consistently. That's work you can start today, at any stage, at nearly zero cost.

Does this apply to me?

GDPR follows the data subject, not the company. If you process personal data of people in the EU, even if your company is in the US, even if you don't target European users, the regulation applies. Most consumer SaaS will eventually fall under it whether or not the founder planned to. The same goes for B2B startups whose customers have a single EU-based employee.

The work scales with your reality. Pre-revenue with no EU users, the habits you build now make later compliance trivial. First EU users or first enterprise customer, you need a Privacy Notice, a Records of Processing Activities document, and Data Processing Agreements ready to sign. Material EU revenue, you invest in formal review and start considering structural questions like a DPIA or a DPO.

You can't escape it by hiding from Europe. Better to build the habits early.

Start with practices, not products

You can write a Privacy Notice, an internal data inventory, and a basic data handling policy before you've signed a single customer. These documents aren't bureaucracy. They're decisions about how you operate, written down. The act of writing them forces the same kind of thinking that a product brief does: what data do we collect? Why? Who has access? What happens when someone asks us to delete it? You think you know the answers until you try to write them in a sentence. Then you discover you haven't decided yet.

Three documents to start with:

Privacy Notice. The public-facing document users see, usually linked from your footer and signup flow. What data you collect, why, who you share it with, how long you keep it, what rights people have, how to contact you about it. Plain language, not legalese. Most startups copy a template and forget about it. The better move is to write it from your actual data inventory so it's true.
Records of Processing Activities (ROPA). Internal. The inventory: what categories of data you process, the purpose for each, where it lives, who you share it with, and how long you keep it. Required for some companies and useful for everyone. The first version is a single spreadsheet.
Data Handling Policy. Internal. How your team treats user data day to day. Who can access what, what's logged, when data gets deleted, what happens to data when an employee leaves. This pairs with the access controls you should already have for SOC 2.

Writing these now costs you an afternoon. Retroactively documenting them when a customer's procurement team is waiting on a contract costs days you don't have.

Pick the practices that matter most

Forget the full GDPR text for now. At ground zero, three practices carry most of the weight, and none of them are technical. They're documents and habits. Get these right and you've built the spine the rest of the work hangs on.

Documented foundations. A small set of GDPR-aware policies and records, signed off by leadership and reviewed annually. The auditor isn't grading the prose. They're checking that the document exists, was approved, reflects your actual operation, and gets followed.

This is also the skeleton of everything else. Once the documents exist, you have an inventory of the work ahead: every policy points at a procedure to operationalize and a stream of evidence to maintain. The base set most ground-zero startups need:

Privacy Notice. The public-facing one. Plain language. Updated when data practices change.
Records of Processing Activities (ROPA). The internal data map. Updated whenever a new system, vendor, or use case enters the picture.
Data Handling Policy. Internal rules for how the team works with user data.
Data Retention and Deletion Policy. How long each category of data is kept, how it gets disposed of, who's responsible. Forever isn't a retention policy.
Subject Rights Policy and Runbook. How requests to access, correct, delete, or port data get handled. The procedure, who owns it, what the SLA is.
Vendor and Subprocessor Policy. How you vet new vendors, how you maintain the public list of subprocessors, how you handle the DPA process.
Breach Response Policy. Who decides, who calls, who documents, what gets notified within 72 hours.
DPIA Policy. When and how you assess high-risk processing. You may not need to do one for a year, but having the policy means you'll know when to.
Cookie and Tracking Policy. What you set, what you ask consent for, how the consent banner is wired (this is where most teams get the cookie experience wrong).
International Transfer Policy. How you handle data leaving the EU (Standard Contractual Clauses, adequacy decisions, transfer impact assessments). If your stack is hosted in the US, this one applies to you.

Don't write all 10 in week one. Start with the Privacy Notice, ROPA, Data Handling Policy, and Breach Response Policy. Add the rest as the operational pieces come into focus. By the time you sign your first European enterprise customer, the full set should exist, signed, and dated.

A useful pattern: each policy points at a procedure (the "how we actually do this") and an evidence stream (where the audit proof comes from). Writing the policy surfaces the procedure that needs to exist. Writing the procedure surfaces the evidence you need to be capturing. The list above is the spine of the next several months of work.

Subject rights as a habit. Same procedure, every time, for every request. You will eventually get one: please tell me what data you have on me, please delete my account, please give me a copy of my data, please correct this information. The first time it happens shouldn't be the first time you've thought about it.

This is the most-tested practice in any GDPR review: show me how you handled the last three subject requests. If the procedure isn't written and the evidence trail isn't there, you fail it even if your privacy notice is perfect.

What the runbook has to cover:

Verification. How you confirm the requester is who they say they are. Account holders log in. Non-account requests need an alternative verification path. Don't share data without verifying. Don't ask for excessive verification (that's its own violation).
Routing. Who receives the request, who handles it, what tools they use. A shared inbox, a Linear ticket queue, a privacy@ alias. Pick one and document it.
Response window. The regulation gives you a month. The practical expectation is days. Internally, set a 5 to 7 day response SLA and stick to it.
Action by request type.
- Access. What data do you produce, from which systems, in what format.
- Correction. Who can update what, what gets logged.
- Erasure. What gets deleted, what gets retained for legal reasons (and which legal reasons), what happens to backups.
- Portability. What machine-readable format you provide.
- Objection. What processing stops, what you can still do under another lawful basis.
Documentation. Date received, who handled it, what was produced, when it was closed. The evidence trail.
Edge cases. What happens when the request involves data you've already shared with subprocessors. What happens when a deletion request conflicts with a legal retention obligation. What happens when the same person requests three things at once.

Most teams treat subject requests as legal-team work, then realize at scale that legal can't be the bottleneck for a recurring operational task. Build the runbook now. Train someone non-legal to own it.

Vendor accountability. Your subprocessors are your responsibility. If Stripe, AWS, SendGrid, or your analytics provider mishandles data you sent them, that's your incident under GDPR, not theirs alone. The practice has three parts:

Pre-contract due diligence. A documented process before signing with any vendor that touches user data. A one-page checklist: security posture, SOC 2 report or equivalent, GDPR alignment, data residency, breach history, signed DPA. The control isn't the checklist itself: it's that you used it consistently. Most reputable vendors publish a public DPA and a trust page.
DPAs in both directions. You sign one with each vendor (you're the controller, they're the processor). You provide one to each enterprise customer (they're often the controller and you're the processor). Both versions need to be ready before someone asks. Templates exist; lawyers have to review the first time, then the same template covers most contracts after.
A public subprocessor list. Maintain a current list of every third party that processes your customers' personal data. Customers will check it. Procurement teams will demand it. Updates should trigger customer notification. The list is also the evidence that you actually know who has access to what. Most startups don't, and the list-building exercise is genuinely useful internally.

This is also where your GDPR practice and your SOC 2 practice converge. The vendor work overlaps almost entirely. If you've already built the SOC 2 vendor list and DPAs, the GDPR side is mostly relabeling and adding a couple of fields.

Treat user data like you're being audited

This is the real shift, and it's behavioral, not legal.

Stop collecting data you don't need. Stop storing it longer than required. Stop giving every team member access to PII because it's easier. Don't ship a feature that requires consent without designing how the consent flow actually works. When a new use case wants to use existing data, ask "is that the purpose we collected it for?" before you ship.

The best time to build these habits is before you've built the bad ones. Retrofitting culture is harder than retrofitting code. A team of five that handles user data deliberately from day one carries those habits to fifty. A team of five that operates casually spends months unlearning it later.

The same principle applies to SOC 2 and engineering fundamentals. The habits you build early compound. The ones you skip come due later, with interest.

Plan for breaches before they happen

GDPR gives you 72 hours from becoming aware of a breach to notifying the supervisory authority. That window is short enough that you cannot figure out what a response looks like during a breach. The plan has to exist before.

What the plan has to cover:

Detection. Who notices first. What signals trigger an investigation.
Assessment. Who decides whether something qualifies as a "personal data breach" under the regulation. Not every incident does; the criteria matter.
Containment. Who acts to stop the bleeding. What systems get isolated. What credentials get rotated.
Internal escalation. Who gets called when. Engineering, legal counsel, leadership, and the data protection officer if you have one.
External notification. The supervisory authority within 72 hours if the breach is reportable. Affected users without undue delay if their rights are at high risk.
Documentation. What you knew, when you knew it, what you did, what you communicated, what the postmortem said.

One page. Not optional. Run a tabletop exercise once a year, an hour over coffee where someone reads a fictional incident aloud and the team walks through the playbook. You'll find the gaps before a real breach finds them for you.

Document as you go

The killer in GDPR review isn't writing policies. It's reconstructing evidence of practices you've been following but never documented. If you decide today how you handle subject requests, write it down today. If you change vendors, update the subprocessor list and the ROPA the same week. If you ship a new feature that processes data differently, update the Privacy Notice before launch, not after.

A regulator doesn't want to see that you started doing things right last month. They want to see a consistent pattern over time.

This doesn't mean building a compliance wiki. It means: when you decide how something should work, write it down. A lightweight "how we do X" doc for each critical process is enough. Future you, staring down a customer's privacy questionnaire, will be grateful.

Train your team

Even at three people, make privacy awareness part of onboarding. It doesn't need to be a course. A one-page doc: here's how we handle user data, here's what counts as personal data, here's what to do if a user asks about their data, here's what to escalate.

When the auditor or customer asks "how do you ensure personnel understand their privacy responsibilities," you have an answer. More importantly, your team actually understands their responsibilities. The document isn't performative. It's practical.

Choose infrastructure that grows with you

This is an architecture decision disguised as a compliance decision.

Pick cloud providers and tooling that already have GDPR features built in: encryption at rest, EU residency options, audit logs, GDPR-aligned DPAs, and explicit support for subject rights workflows. Don't build on infrastructure you'll have to rip out when a major customer asks for EU data residency.

A startup that chose a managed database with EU regions, a cloud provider with documented GDPR alignment, and a customer support tool with built-in deletion workflows has covered a lot of the technical surface before they've thought about compliance. A startup that built on an unmanaged stack with credentials in environment variables and analytics events going to an unvetted vendor has a migration project ahead of them.

The tools don't need to be expensive. They need to be the right tools.

Know when to formalize

There are points along the GDPR spectrum where ad-hoc stops being enough.

First Privacy Notice draft. Before launch. Not before perfection, before launch.
First DPAs. Before your first enterprise customer asks. Have a vendor template and a customer template ready.
Cookie consent. Before you ship analytics or marketing tracking that touches EU users.
First DPIA. When you start processing data in a way that's high-risk under the regulation: large-scale automated decision-making, sensitive categories of data, processing that touches children, certain biometric or location use cases. Most early-stage startups don't need one for a year. Some need one on day one.
DPO. A formal Data Protection Officer is required if you do large-scale systematic monitoring of data subjects, large-scale processing of sensitive categories, or if you're a public authority. Most startups don't need one for a long time. Some need one immediately. Knowing the threshold means you can recognize the moment.
Privacy counsel review. When the contracts get bespoke, when an enterprise customer's redlines are non-trivial, when you start cross-border arrangements that aren't covered by Standard Contractual Clauses. Not for every email, just for the ones that matter.

The pattern: build habits from ground zero. When the formal moments arrive, you'll have the foundation that makes them straightforward.

The compounding effect

Privacy isn't a gate you crash through when a deal requires it. It's a posture you build over time. Every record you keep today, every default you set toward data minimization, every policy you write is one fewer fire drill later.

Different journey. Stronger company.

The founders who start at ground zero don't necessarily spend less total time on privacy. They spend less painful time. The work is spread across months of small decisions instead of compressed into a frantic sprint before a contract closes.

And the company is better for it, not just the product. The same habits that satisfy a regulator are the same habits that build a product European users actually trust. Privacy posture and company maturity move together.

Follow the thinking.

We write when we learn something worth sharing. No schedule, no spam.