GDPR Compliance for SaaS: A Practical Guide (2026)
If your software processes data about people in the EU or UK, the GDPR applies — regardless of where your company is based. This guide walks through what compliance actually requires of a SaaS business: the data you hold, your lawful basis for holding it, the rights you have to honour, the security you must be able to prove, and the paperwork — DPAs, records, breach procedures — that turns "we take privacy seriously" into something you can defend to an auditor or an enterprise buyer.
Does GDPR apply to my SaaS?
Almost certainly. The GDPR's territorial scope (Article 3) reaches any organisation that offers goods or services to, or monitors the behaviour of, people who are in the EU — even if the company has no European office. A US or Australian SaaS with EU users is fully in scope, and the UK GDPR extends the same regime to the UK. The cost of getting it wrong is real: the most serious infringements carry fines of up to €20 million or 4% of global annual turnover, whichever is higher (Article 83).
Before anything else, work out your role. A controller decides why and how personal data is processed; a processor handles it on a controller's instructions. For your own account and billing data you are the controller. For the data your customers load into your product, you are usually their processor. Most SaaS businesses are both at once, and the distinction decides which obligations and contracts attach to each dataset.
The 10-point GDPR checklist for SaaS
Everything below expands on these. If you can honestly tick all ten, you are in good shape. If you are a solo founder or small team, the leaner startup GDPR checklist covers what is non-negotiable versus what you can keep lightweight while you are small:
- You have mapped every category of personal data you process and why (Article 30)
- Each processing purpose has a documented lawful basis (Article 6)
- Your privacy notice is clear, accurate, and accessible (Articles 12–14)
- Users can access, export, correct, and delete their data (Articles 15–20)
- Consent for analytics/marketing is opt-in and logged (Article 7)
- You apply appropriate security: encryption in transit, access control, hashed secrets (Article 32)
- You have a signed DPA with every sub-processor, and offer one to your customers (Article 28)
- International transfers are covered by SCCs or an adequacy decision (Articles 44–49)
- You can detect, assess, and report a breach within 72 hours (Articles 33–34)
- You build new features with data protection by design and by default (Article 25)
1. Know what personal data you process (Article 30)
You cannot protect what you have not mapped. GDPR expects you to keep a record of processing activities — what data you hold, why, on what basis, and for how long. A typical SaaS record looks like this:
| Data category | Example | Typical lawful basis | Retention |
|---|---|---|---|
| Account data | Name, email, password hash | Contract | Life of account + short grace |
| Billing data | Invoices, card token (via processor) | Legal obligation | As required by tax law |
| Usage / telemetry | API call logs, feature events | Legitimate interests | Rolling window |
| Network data | IP addresses, device identifiers | Legitimate interests | Short, then aggregated |
| Marketing | Newsletter subscription | Consent | Until withdrawn |
Keep this current. It is the single most useful artefact when a customer's security team, or a regulator, asks what you do with personal data.
2. Have a lawful basis for every purpose (Article 6)
Every processing purpose needs one of six lawful bases. For B2B SaaS, three do most of the work: contract (you need the data to deliver the service the user signed up for), legitimate interests (a balancing test covers things like fraud prevention, security, and product telemetry), and legal obligation (retaining invoices for tax). Reserve consent for things the user genuinely chooses — analytics cookies and marketing email — because consent must be freely given, specific, and as easy to withdraw as to give (Article 7). Do not default to consent for everything; a basis you cannot actually rely on is worse than none.
3. Honour data-subject rights (Articles 15–22)
GDPR gives individuals enforceable rights, and you generally have one month to respond. The practical engineering work is making each one a routine operation rather than a fire drill:
| Right | Article | What you must be able to do |
|---|---|---|
| Access | 15 | Tell a user what data you hold and provide a copy |
| Rectification | 16 | Let them correct inaccurate data |
| Erasure | 17 | Delete their data on request ("right to be forgotten") |
| Restriction | 18 | Pause processing while a dispute is resolved |
| Portability | 20 | Export their data in a structured, machine-readable format |
| Object | 21 | Stop processing based on legitimate interests or for marketing |
Build access and portability as a one-click export that returns structured JSON, and erasure as a deletion workflow with a short grace period and a final confirmation. If you build these as product features early, they cost a few endpoints; if you bolt them on after a request lands, they cost a scramble. Erasure has enough sharp edges — backups, audit logs, retention exemptions — to deserve its own treatment: see handling GDPR deletion requests.
4. Secure the data (Article 32)
Article 32 requires "appropriate technical and organisational measures" proportionate to the risk. It does not prescribe a checklist, but auditors and enterprise buyers expect to see the basics: encryption of data in transit (TLS everywhere), strong access control and least privilege, hashing of secrets and credentials rather than reversible storage, encrypted and tested backups, monitoring and audit logging, and a way to revoke access quickly. Document what you do and why — the accountability principle (Article 5(2)) means being compliant is not enough; you must be able to demonstrate it. For the full breakdown of what Article 32 asks for and how to map it, see GDPR Article 32: security of processing.
5. Get your DPAs in order (Article 28)
Whenever a processor handles personal data for you, Article 28 requires a written data processing agreement. In practice that means you need a DPA with every sub-processor in your stack — payment, transactional email, hosting, analytics, error tracking — and you must maintain a current list of them. Going the other way, your business customers are controllers who will ask you to sign a DPA and disclose your sub-processors before they trust you with EU personal data. Have one ready; being unable to produce a DPA stalls enterprise deals.
6. Handle international transfers (Articles 44–49)
If personal data leaves the EU for a country without an adequacy decision, you need a transfer safeguard — most commonly the EU Standard Contractual Clauses. This catches more SaaS businesses than they expect, because a single US-hosted sub-processor can constitute a transfer. Map where your data physically flows, and record which mechanism covers each destination. For the detail — residency vs transfer, SCCs, and the post-Schrems II impact assessment — see GDPR data residency and international transfers.
7. Be ready for a breach (Articles 33–34)
A personal-data breach likely to risk people's rights must be reported to your supervisory authority within 72 hours of you becoming aware of it (Article 33); where the risk is high, you must also tell the affected individuals (Article 34). Seventy-two hours is not long to assess scope under pressure, so prepare in advance: a severity-classification rubric, a notification decision tree, contact details for your lead authority, and a pre-drafted notification template. The goal is that an incident triggers a rehearsed procedure, not an improvisation.
Build vs. buy: the licensing-data slice
A licensing or entitlement system sits squarely inside GDPR scope — it processes account data, device identifiers from activations, IP addresses from API calls, and usage telemetry. Every right and obligation above applies to it. You can build that compliance yourself: the export endpoint, the deletion workflow with its grace period, the consent log, the audit trail, the sub-processor DPAs, and the breach runbook. Or you can inherit it from infrastructure that already implements it.
That is the design intent behind ValidonX. Licensing data lives in isolated per-tenant databases; every user can export their full profile as structured JSON and request deletion through a workflow that anonymises audit logs and closes tenant databases after a grace period; consent decisions are recorded with version, timestamp, and choice; data is encrypted in transit, secrets are hashed rather than stored reversibly, and backups are encrypted; and Enterprise customers receive a DPA documenting sub-processors and data flows. You get the licensing slice of your GDPR posture as a default rather than a project. (For the architecture that makes the data isolation possible, see how ValidonX multi-tenancy works.)
None of this is legal advice — your obligations depend on your specific data and jurisdiction, and a DPO or privacy counsel should sign off your programme. But the structure above is the work, and most of it is the same for every SaaS. Do it deliberately, document it, and the next security questionnaire becomes a copy-paste instead of a crisis.
Frequently asked questions
Does GDPR apply to my SaaS if my company isn't in the EU?
Yes, if you offer goods or services to — or monitor the behaviour of — people who are in the EU or UK, the GDPR applies regardless of where your company is based (Article 3). A US or Australian SaaS with EU users is in scope.
Am I a data controller or a data processor under GDPR?
You are usually a controller for your own account and billing data, because you decide why and how it is processed. You are typically a processor for the data your customers put into your product, because you handle it on their instructions. Many SaaS businesses are both at once, and the distinction decides which obligations and contracts apply to each dataset.
Do I need a Data Processing Agreement (DPA)?
Yes. Article 28 requires a written data processing agreement with every processor you use — payment, email, hosting, analytics, error tracking — and your own business customers will expect a DPA from you before they send you EU personal data.
How quickly do I have to report a data breach under GDPR?
A personal-data breach that is likely to result in a risk to people’s rights and freedoms must be reported to your supervisory authority within 72 hours of becoming aware of it (Article 33). Where the risk is high, you must also notify the affected individuals without undue delay (Article 34).
What are the penalties for GDPR non-compliance?
The most serious infringements can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83). UK GDPR mirrors this at £17.5 million or 4%.
Can I store EU customer data outside the EU?
Yes, but a transfer to a country without an EU adequacy decision needs an appropriate safeguard such as Standard Contractual Clauses (Articles 44–49). Document where your data flows and which transfer mechanism covers each destination, including your sub-processors.
Want the licensing slice handled for you? Start free — issue and validate your first license in minutes, with GDPR controls built in, no credit card.