GDPR
EU regulation on personal data. Requires lawful basis for processing, data subject rights, breach notification, and DPO appointment for larger processors.
The General Data Protection Regulation is the EU framework governing the processing of personal data of EU residents, enforced since May 2018. It applies extraterritorially: a US-based SaaS with a single EU customer is in scope. The regulation requires a documented lawful basis for processing (consent, contract, legitimate interest, legal obligation, vital interest, or public task), respect for data subject rights (access, rectification, erasure, portability, restriction, objection), breach notification within 72 hours, and appointment of a Data Protection Officer for organizations doing large-scale monitoring or processing of special category data. Fines run up to 4% of global annual revenue or 20 million euros, whichever is higher.
For funded SaaS selling into Europe, GDPR is not optional and the questionnaire arrives in every enterprise security review. The practical compliance work includes mapping data flows (what personal data, from whom, to whom, stored where, for how long), publishing a privacy policy that describes processing in plain language, executing DPAs with every subprocessor, implementing data subject request workflows, and maintaining a record of processing activities. The overlap with SOC 2 controls is substantial, which is why funded teams often pursue both together to share audit evidence and reduce duplicate effort.
GDPR also reshapes AI feature design. Any AI feature processing personal data needs a documented lawful basis, a privacy impact assessment for high-risk processing, and explicit transparency about model training and automated decision-making. The AI Ops Department handles evidence collection and DPA management for funded teams without dedicated privacy counsel. For teams running customer-facing AI, getting the GDPR layer right before launch is meaningfully cheaper than retrofitting it after the first complaint to a supervisory authority lands in the founder's inbox.
- A Series A SaaS maps data flows across 14 subprocessors, executes DPAs with all of them in 6 weeks, and unblocks 4 stalled EU enterprise deals.
- A fintech team appoints a fractional DPO for $24K per year instead of hiring a full-time privacy role, satisfying GDPR Article 37 at a fraction of the cost.
- A vertical AI company runs a Privacy Impact Assessment on its model training data, identifies two risk areas, and ships mitigations before EU launch.
Do I need to comply with GDPR if I am US-based?
What is a lawful basis and which one should I use?
When do I need a Data Protection Officer?
What is the breach notification timeline?
EOI runs fractional AI departments for funded teams under 50. Sales, Content, Ops, Support. Live in 14 days on a monthly retainer.