The General Data Protection Regulation (GDPR) has applied since 25 May 2018 to all personal data processing within the European Union. It applies to all businesses, regardless of size.
The GDPR has a dual impact on startups: it strengthens the protection of data subjects, and it requires the implementation of internal compliance procedures.
The sanctions for non-compliance are significant: up to €10 million or 2% of global turnover for technical breaches (Privacy by Design, Privacy by Default, failure to conduct an impact assessment), and up to €20 million or 4% of global turnover for infringements of data subjects’ rights.
The GDPR strengthens the rights of individuals whose personal data is collected. The applicable principles include lawful, fair and transparent processing, collection for specified and legitimate purposes, data minimisation, accuracy and deletion of outdated data, storage limitation, data security, Privacy by Design (integrating protection from the outset), and Privacy by Default (processing only the data that is necessary).
These principles require specific technical measures: consent collected via tick boxes that are not pre-checked, anonymisation, pseudonymisation, encryption, access logs, and documented security processes.
Data subjects must be fully informed and can exercise their rights of access, rectification, erasure and objection within one month. These rights must be reflected in your contractual documents (terms and conditions in particular). For the provisions to include, see the article on GDPR contract compliance.
Prior registration with the CNIL is no longer required. Each data controller must ensure GDPR compliance for all its processing activities.
A record of processing activities must be maintained. Companies with fewer than 250 employees are only required to record processing that is regular (not occasional) or involves sensitive data, but all companies are strongly advised to maintain a comprehensive record.
Any processing of sensitive data (health, political opinions, ethnic origin, religious beliefs, sexual orientation) or involving profiling must be subject to a Data Protection Impact Assessment (DPIA).
Companies are also expected to appoint a Data Protection Officer (DPO) to coordinate internal processing and relations with the supervisory authority. This is mandatory where the company processes personal data on a regular and systematic basis, or processes sensitive data.
Among the procedures to implement: responding to data subject requests, data portability, breach notification to the CNIL, documentary compliance monitoring, employee confidentiality obligations, access restrictions, audit logs, data purging, and explicit client consent.
It is also essential to ensure that your agreements with processors include a clear allocation of roles and responsibilities regarding personal data. On this point, see the article on subprocessing in SaaS. For an overview, see the SaaS contracting guide.
GDPR compliance is not a one-off project but an ongoing process. Startups must address it from launch, even with limited resources. If you need to audit your compliance or structure your internal procedures, book a call.

