Skip to content
GDPR by Law

16 June 2026

gdprsaaschecklist

The GDPR Compliance Checklist for SaaS Founders (Build Order Included)

Fourteen tasks, ordered by risk-per-hour: what to build first, what to document, and what can wait until you have customers asking. Written for founders doing compliance without a lawyer.

Most GDPR checklists are alphabetical lists of everything the regulation mentions. This one is ordered by risk per hour of work — what regulators actually fine, weighted by how long each task takes a small SaaS team. Work top to bottom.

Tier 1: The afternoon that removes most of your risk

1. Publish a real privacy policy. Identity, what you collect, why, legal basis per purpose, who receives it, retention periods, user rights, complaint authority. Concrete beats comprehensive: Sweden fined Klarna over vague wording, and “as long as necessary” retention clauses are a known regulator pet peeve. A generator like iubenda or Termly produces a solid baseline in an hour.

2. Fix your cookie banner. Reject at the first layer, prior blocking, no dark patterns. This is the most-swept, most-fined surface on the public web — the full implementation guide is here.

3. Write the breach runbook. One page: who decides whether to report, which regulator portal, what starts the 72-hour clock, where the internal breach register lives. Booking.com paid €475k purely for being 22 days late. You cannot write this document during an incident.

4. Sign DPAs with your processors. Hosting, analytics, email, support, payments. Most are self-serve pages you accept once. Record vendor → data → country → transfer mechanism in one sheet. (E-commerce version of this task here.)

Tier 2: The engineering sprint

5. Build data export. One endpoint returning the user’s data as JSON satisfies access (Art. 15) and portability (Art. 20) at once. Include human-readable field descriptions — Spotify’s SEK 58M fine was for exports users couldn’t understand.

6. Build account deletion. Cover production, backups (document their expiry cycle), and propagate to processors. Keep legally required records (invoices: 6–10 years depending on country) and say so in the policy instead of pretending to delete them.

7. Set up a rights inbox. privacy@yourdomain, monitored, with a 30-day response tracker. Ignored access requests are the single biggest complaint category in Spain, Ireland, and France.

8. Encrypt at rest and enforce MFA on admin access. Art. 32 baseline, Poland’s headline fines are exactly these gaps — and encryption is also your CCPA class-action shield.

Tier 3: The paperwork layer

9. Write your ROPA (record of processing activities). The vendor sheet from task 4 plus your own product’s purposes and retention gets you most of the way. First document every regulator requests.

10. Check your DPO obligation. EU baseline: large-scale monitoring or special-category data. Germany triggers at just 20 employees handling data; Spain has a sector list. External DPO services run ~€200/month if you’re caught.

11. Map your transfers. Which vendors process outside the EU, under what mechanism (DPF certification or SCCs). Context and the Meta case: read the €1.2B post-mortem.

12. Localise where you sell. A German Impressum, French-language policy for France, the UK’s ICO registration fee (£40+/year — the most-missed obligation in this list).

Tier 4: Conditional, but check now

13. Children. If under-16s plausibly use your product, age gates and high-privacy defaults; digital consent age varies 13–16 by country (Ireland’s children’s code is the strictest playbook).

14. Automated decisions. If you auto-reject, auto-price, or score users, disclose the logic and add a human-review route (Art. 22 — and the SCHUFA ruling read it broadly).

What you can genuinely defer

DPIAs (until you process at high risk), certifications like ISO 27001 (until enterprise deals demand it), an EU representative (until you have no EU establishment but meaningful EU traffic), and consultant-grade gap analyses. None of these appear in first-enforcement patterns against small companies.

The honest summary

Tier 1 is one afternoon and removes the majority of realistic fine scenarios. Tier 2 is a normal sprint and turns rights requests from panic into routine. Everything after that is documentation you produce once and update quarterly. The companies that get hurt are not the ones missing a DPIA — they’re the ones with no banner, no breach plan, and an unmonitored privacy inbox.