GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union that governs how organizations collect, process, store, and protect the personal data of individuals in the EU and European Economic Area. GDPR applies to any organization worldwide that processes EU residents' data, regardless of where the organization is based.

What is GDPR?

The General Data Protection Regulation, or GDPR, is the EU's flagship data privacy law, and arguably the most influential data protection regulation globally. Effective since May 2018, GDPR establishes strict rules about how organizations handle personal data belonging to people in the EU and EEA.

The critical thing for startups to understand: GDPR applies based on whose data you process, not where your company is located. If your SaaS product has a single user in Germany, GDPR applies to you. If your marketing website collects email addresses from visitors in France, GDPR applies. Geographical location of your headquarters is irrelevant.

GDPR is built on seven core principles:

  1. Lawfulness, fairness, and transparency. You need a legal basis for processing personal data (consent, legitimate interest, contractual necessity, etc.) and must be transparent about what you do with it.
  2. Purpose limitation. Collect data for specified, explicit purposes and don't repurpose it without additional justification.
  3. Data minimization. Collect only the data you actually need. No "collect everything, figure out the use later."
  4. Accuracy. Keep personal data accurate and up to date.
  5. Storage limitation. Don't keep data longer than necessary for its stated purpose.
  6. Integrity and confidentiality. Protect personal data with appropriate security measures. This is where GDPR directly connects to your cybersecurity program.
  7. Accountability. Demonstrate compliance. It's not enough to be compliant; you must prove it.

Why GDPR matters for startups

  1. Fines are substantial. GDPR violations can result in fines of up to 4% of global annual revenue or 20 million euros, whichever is higher. While the largest fines have targeted tech giants, enforcement against smaller companies is increasing. In 2024, EU data protection authorities issued over 2 billion euros in total fines.
  2. It's a market access requirement. If you sell to European customers (or plan to), GDPR compliance is table stakes. Enterprise customers in Europe will ask about your GDPR posture during procurement. Not being GDPR-ready effectively locks you out of the EU market.
  3. Breach notification is mandatory. GDPR requires notification to the relevant supervisory authority within 72 hours of discovering a personal data breach. If the breach poses a high risk to individuals, you must also notify the affected data subjects. This tight timeline requires a prepared incident response process.
  4. Data subject rights create operational requirements. EU individuals have rights including access to their data, deletion ("right to be forgotten"), data portability, and the right to object to processing. Your systems need to support these operations, which requires knowing where personal data lives across your infrastructure.
  5. It influenced global privacy law. GDPR set the template for privacy laws worldwide: California's CCPA/CPRA, Brazil's LGPD, and others follow similar principles. Building for GDPR compliance positions you well for other privacy regulations.

GDPR and cybersecurity

GDPR's Article 32 requires "appropriate technical and organizational measures" to protect personal data. While GDPR doesn't prescribe specific security tools, it expects controls proportionate to the risk, including:

  • Encryption of personal data in transit and at rest.
  • Access controls ensuring only authorized personnel can access personal data.
  • Regular security testing (vulnerability scanning, pen testing).
  • Incident detection and response capabilities to meet the 72-hour notification requirement.
  • Resilience and recovery to maintain availability of personal data.

This is where your cybersecurity program directly supports GDPR compliance. The same vulnerability management, access controls, and incident response that satisfy SOC 2 also address GDPR's security requirements.

Frequently asked questions

Does GDPR apply to my startup if we're based in the US?

Yes, if you process personal data of EU or EEA residents. GDPR has extraterritorial reach: it applies to any organization offering goods or services to people in the EU or monitoring the behavior of people in the EU, regardless of where the organization is headquartered. If your SaaS product has European users, your website targets European visitors, or your marketing reaches EU audiences, GDPR applies. The key question isn't where your company is incorporated but whose data you handle.

What counts as personal data under GDPR?

GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. This includes obvious identifiers like names, email addresses, phone numbers, and physical addresses. It also includes IP addresses, cookie identifiers, device IDs, location data, online identifiers, and any information that could be combined with other data to identify someone. "Special categories" of data (health, biometric, genetic, racial/ethnic, political, religious data) have even stricter protections. If you're unsure whether something is personal data under GDPR, it probably is.

What's the difference between GDPR and SOC 2?

GDPR is a law that governs how you handle personal data of EU residents. Non-compliance carries legal penalties including fines. SOC 2 is a voluntary audit framework that evaluates your security controls against the AICPA Trust Services Criteria. There's no legal penalty for not having SOC 2, though customers may require it. They're complementary: GDPR tells you what you must do with personal data (legal requirement), while SOC 2 provides a framework for proving your security controls work (market requirement). The security controls that satisfy SOC 2 often address GDPR's Article 32 security requirements as well.
