Guide

GDPR for SaaS startups.
The minimum that actually moves deals.

If you're a 10–50 person SaaS team selling to EU customers, this is what you actually need to ship — and what you can defer until you have the headcount. Written from the engineering side, not the consulting side.

7 min read·Updated 2026-04·For: founders, engineering leads at early-stage SaaS
Who this is for

Startups, not enterprises.

The advice in this guide is wrong for a 5,000-person bank. It is mostly right for a Series A SaaS company that has its first EU customer asking pointed questions in a security review and isn't sure which ones are real.

The thesis: you can do enough GDPR engineering work in two sprints to move enterprise deals through procurement. Doing more than that, before you have customers paying for it, is premature.

The 80/20

What enterprise procurement actually checks.

  • Encryption at rest and in transit
    TLS 1.2+, AES-256 at rest. Cloud-default in 2026; just confirm and document.
  • Access control with audit log
    RBAC, least privilege, MFA on admin paths, periodic access review on a real cadence (quarterly is fine).
  • A working delete pipeline
    When a customer asks "delete my user's data," the answer is a script you run, not a project you scope. Test it.
  • A documented sub-processor list
    Who you share data with (analytics, error tracking, hosting). Public page, updated when it changes. Article 28 territory.
  • A breach notification path
    Who detects, who decides it's reportable, who notifies the customer. 72-hour clock. Most teams skip this until the day it matters.
  • A DPA you'll actually sign
    Standard Contractual Clauses or your own DPA template, ready to send. Not engineering work, but procurement won't close without it.

What to defer

The things you don't need yet.

Procurement doesn't ask for these on day one, and most early-stage teams over-invest here:

  • A formal DPIA program
    You need DPIAs for high-risk processing (Article 35). Most SaaS products at your stage do not do high-risk processing. Write one when you actually need one.
  • An EU representative (Article 27)
    Required if you have no EU establishment and process EU data on a non-occasional basis. Easy to fix when needed; not blocking your first deal.
  • ISO 27001 / SOC 2 certification
    Not a GDPR requirement. Useful for procurement leverage at Series B+, expensive to chase too early.
  • A full Records of Processing Activities document
    Article 30 requires it; tooling makes it cheap. Don't hand-write the document.

The trap.
Don't let a vendor sell you a 9-month "GDPR readiness program" before you've shipped the core engineering. The certifications follow the engineering, not the other way around. If a salesperson tells you otherwise, they're selling certifications.
The two-sprint plan

What two engineers can actually ship.

  1. Sprint 1 — Lock the perimeter
     Confirm encryption (in transit + at rest, including S3 buckets and database backups). Audit IAM roles, kill stale access, enable MFA on admin paths. Document the result. ~1 sprint for two engineers.
  2. Sprint 2 — DSR + delete pipeline
     Build the data export endpoint and the delete pipeline. Test that delete propagates to backups, search indexes, replicas, and analytics warehouses. Write a runbook your support team can run.
  3. Concurrent — Sales artifacts
     Sub-processor list, DPA template, security overview one-pager. These get the deals through procurement; the engineering above gets you through the technical review that follows.
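The delete pipeline from Sprint 2 (and the "working delete pipeline" item in the 80/20 list), as an added example that is not the guide's or RuleMesh's code: it fans a deletion out to every store holding a user's data, re-reads each store to verify the delete actually propagated, and reports any store that still holds data instead of claiming success. Store names, the subject id and the in-memory stores are constructed stand-ins for the real database, search index, replica and warehouse adapters.

```python
# Added example (not the guide's or RuleMesh's code): a deletion pipeline that fans out
# to every store holding a user's data and verifies propagation. Names and data are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Store:
    name: str
    delete: Callable[[str], None]   # remove all rows for a subject id
    count: Callable[[str], int]     # re-read: how many rows remain for that id

@dataclass
class DeletionReport:
    subject_id: str
    cleared: List[str] = field(default_factory=list)
    failed: Dict[str, str] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        return not self.failed

def run_deletion(subject_id: str, stores: List[Store]) -> DeletionReport:
    """Delete from every store, then verify each with a fresh count(). Residual rows or an
    adapter error are recorded per store, so the report never overstates what was removed."""
    report = DeletionReport(subject_id)
    for store in stores:
        try:
            store.delete(subject_id)
            residual = store.count(subject_id)
        except Exception as exc:  # one failing store must not hide the others
            report.failed[store.name] = f"error: {exc}"
            continue
        if residual == 0:
            report.cleared.append(store.name)
        else:
            report.failed[store.name] = f"{residual} record(s) remain"
    return report

def dict_store(name: str, rows: Dict[str, list], ignores_deletes: bool = False) -> Store:
    # Constructed in-memory store; ignores_deletes mimics a warehouse that only applies deletes at its next batch load.
    def delete(sid: str) -> None:
        if not ignores_deletes:
            rows.pop(sid, None)
    return Store(name, delete, lambda sid: len(rows.get(sid, [])))

def demo() -> DeletionReport:
    rows = lambda: {"user-42": [{"email": "x@example.com"}], "user-7": [{"email": "y@example.com"}]}
    stores = [dict_store("primary-db", rows()), dict_store("search-index", rows()),
              dict_store("read-replica", rows()), dict_store("analytics-warehouse", rows(), True)]
    return run_deletion("user-42", stores)
```

The runbook step is the last line of the report: a support engineer only closes the request when `complete` is true, otherwise the named stores go back to engineering.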
The agent shortcut

Where RuleMesh fits.

If you have a coding agent (Claude Code, Cursor, Codex), most of the engineering work above can be implemented from a single prompt: "implement the access-control-security bundle." RuleMesh's MCP server returns the requirements, the cloud control mappings, and the evidence schema; the agent writes the code; the evidence flows back to your tracker.

Free MCP install, no credit card. The Jira app for tracking the work is on a waitlist while Atlassian Marketplace approval finalizes — the headless MCP loop works either way.
