Does GDPR Actually Apply to You?
GDPR applies to any organisation that processes personal data of people in the European Union — regardless of where your company is based. If you have EU customers, EU website visitors whose data you track, or EU employees, GDPR applies to you. "Personal data" is broad: it includes names, email addresses, IP addresses, cookie identifiers, location data, and any other information that can identify an individual.
The regulation applies to both "data controllers" (organisations that determine why and how data is processed — that's most businesses) and "data processors" (organisations that process data on behalf of controllers — think SaaS tools, cloud hosting providers, and analytics services). Most startups are controllers. If you use AWS, Google Analytics, or a CRM, you're also engaging processors.
Many founders believe that because they're a small company or an early-stage startup, GDPR either doesn't apply or that regulators won't pursue them. Fines have been issued to companies with fewer than 10 employees. Being small is not a defence — but it may influence enforcement priorities and fine amounts.
The 7 GDPR Principles — In Plain English
All GDPR obligations flow from seven core principles. Understanding these helps you make sensible decisions about data handling rather than trying to memorise a 99-article regulation.
Lawfulness, Fairness & Transparency
You must have a valid legal basis for collecting data (consent, contract, legal obligation, legitimate interests, etc.), be honest about how you use it, and not use it in ways that surprise or deceive people.
Purpose Limitation
Collect data for specific, explicit, and legitimate purposes — and don't use it for anything else. If you collect an email for order confirmations, you can't use it for marketing without a separate basis.
Data Minimisation
Only collect the data you actually need. Resist the startup instinct to collect everything in case it's useful later. More data means more risk, more cost, and more compliance surface area.
Accuracy
Keep data accurate and up to date. Give users mechanisms to update their information. Outdated personal data is both a compliance risk and a business liability.
Storage Limitation
Don't keep data longer than you need it. Define retention periods for different data types and delete data automatically when retention periods expire. This is one of the most commonly ignored principles.
Integrity & Confidentiality (Security)
Implement appropriate technical and organisational measures to protect data. This is where cybersecurity and GDPR intersect directly. A data breach caused by poor security is also a GDPR failure.
Accountability
You must be able to demonstrate compliance — not just claim it. This means documentation, policies, records of processing activities, and evidence of the controls you've put in place.
"GDPR isn't a compliance checkbox. It's a framework for building trust with your customers. Startups that treat it as a competitive advantage rather than a burden do far better."
— Riya Mehta, Head of Compliance, CyberCloak
The Fines: What You're Actually Risking
GDPR has two tiers of fines, depending on the nature and severity of the violation:
Tier 1 (whichever is higher)
For: record keeping failures, processor contracts, data security basics
Tier 2 (whichever is higher)
For: core principles violations, consent failures, data subject rights, international transfers
For a startup with €2M annual revenue, a Tier 2 fine could reach €80,000 — business-ending territory. Beyond fines, data breaches trigger mandatory notifications to your Data Protection Authority (72-hour deadline), potential notifications to affected individuals, reputational damage, and loss of customer trust. Investors also increasingly conduct GDPR due diligence before funding rounds.
Your Practical GDPR Compliance Roadmap
Rather than trying to achieve perfect compliance overnight, focus on these high-impact, risk-reducing steps first:
Create a data map (Record of Processing Activities — ROPA). Document what personal data you collect, why you collect it, where it's stored, who has access, how long you keep it, and which third parties you share it with. This is legally required for most organisations and forms the foundation of all other compliance work. A simple spreadsheet is sufficient to start.
Identify your legal basis for each processing activity. For each type of data processing in your ROPA, identify the legal basis: consent, contractual necessity, legal obligation, legitimate interests, etc. Document your reasoning. "Legitimate interests" is flexible but requires a documented balancing test showing your interests don't override individual rights.
Write a clear, honest privacy notice. This must tell users who you are, what data you collect, why, the legal basis, how long you keep it, who you share it with, and how they can exercise their rights. Plain English is not just good practice — it's legally required. Jargon-filled policies that users can't understand are a compliance failure.
Audit your third-party processors and sign Data Processing Agreements (DPAs). Every SaaS tool, cloud provider, and analytics service that handles personal data on your behalf is a "processor" — you must have a DPA in place with each of them. Most major providers (AWS, Google, Stripe, etc.) make these available in their legal terms or on request. Smaller vendors may need to be approached directly.
Implement a process for handling data subject rights requests. Individuals have rights under GDPR: access, rectification, erasure, restriction, portability, and objection. You must be able to respond within one calendar month. Build a simple internal process: who receives requests, how you verify identity, how you retrieve and export/delete data from your systems.
Implement a breach response procedure with the 72-hour rule in mind. If you experience a personal data breach, you must report it to your Data Protection Authority within 72 hours of becoming aware of it — if it's likely to result in risk to individuals' rights. You need a documented process: who decides if it's reportable, who makes the notification, what information to include. Trying to figure this out during a breach is too late.
Review your cookie consent implementation. Pre-ticked consent boxes, "by continuing to browse you consent" notices, and burying opt-outs are all non-compliant. For non-essential cookies (analytics, marketing, personalisation), you need a genuine opt-in mechanism before the cookies fire. This is one of the most enforced areas across Europe.
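An added example (not code from the article or from CyberCloak) showing in JavaScript how the three non-compliant patterns above are avoided in code: the consent state starts with every non-essential category unticked, changes only on an explicit choice, ignores browsing activity, and gates script loading on that state. The script inventory, category names and notice version are constructed for illustration.

```javascript
// Constructed inventory of scripts a site might load. The category decides
// whether consent is required before the script (and its cookies) can fire.
const SCRIPTS = [
  { id: "session-cookie", category: "essential", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "recommendations", category: "personalisation", src: "/js/recs.js" },
];

const NON_ESSENTIAL = ["analytics", "marketing", "personalisation"];

// Default state: no non-essential category is granted and no decision has
// been made. A pre-ticked box would mean a `true` here, which is the
// non-compliant pattern the article describes.
function defaultConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { categories, decided: false, recordedAt: null, noticeVersion: null };
}

// Record an explicit choice. Only categories the user affirmatively ticked
// become true; anything omitted stays false. Timestamp and notice version
// are kept as evidence of the choice (accountability principle).
function recordChoice(chosen, noticeVersion, now = new Date()) {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = chosen[c] === true;
  return { categories, decided: true, recordedAt: now.toISOString(), noticeVersion };
}

// Scrolling, clicking or navigating must never be treated as consent:
// browsing activity leaves the state untouched.
function onBrowsingActivity(state) {
  return state;
}

// Which scripts may be injected right now. Essential scripts always load;
// a non-essential script loads only after an affirmative, recorded choice.
function scriptsAllowedToLoad(state, scripts = SCRIPTS) {
  return scripts
    .filter((s) => s.category === "essential" ||
      (state.decided && state.categories[s.category] === true))
    .map((s) => s.id);
}

// Withdrawing consent must be as easy as giving it: every non-essential
// category goes back to false, and the withdrawal is recorded like a grant.
function withdrawAll(state, now = new Date()) {
  return recordChoice({}, state.noticeVersion, now);
}
```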
GDPR Beyond the Basics: What Growing Companies Need to Consider
As your company scales, additional obligations may kick in. If your core business involves large-scale processing of sensitive data (health, financial, political beliefs), or systematic monitoring of individuals (behavioural analytics at scale), you'll need a Data Protection Officer (DPO) and Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
International data transfers — particularly sending data to the US or other non-EEA countries — require specific safeguards: Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules. Using US-based SaaS tools (almost inevitable) means you need to check whether they're covered by the EU-US Data Privacy Framework and have appropriate SCCs in place.
Start with the ROPA, privacy notice, and breach response procedure. These three documents form the backbone of GDPR compliance and will satisfy most investor due diligence, enterprise customer questionnaires, and regulatory inquiries. Build from there as your data processing complexity grows.
Get a GDPR Compliance Roadmap for Your Business
Our GDPR readiness assessment identifies your gaps, prioritises your actions, and gives you a clear implementation plan tailored to your tech stack and business model — in plain English.