Most startups treat privacy compliance like they treat accounting software — something to worry about when there's enough revenue to justify it. This is the wrong mental model, and it costs founders real money.
The truth is that GDPR compliance is cheapest and easiest at the start. When you have five employees and a hundred users, you can build the right habits in a week. When you have fifty employees and fifty thousand users, the same task takes months, costs tens of thousands in consulting fees, and creates real legal exposure during the process.
This is not a guide to GDPR in general — there's already plenty of that. This is a specific 90-day action plan for founders who are building something now and want to get the compliance foundations right before scale makes it hard.
Why Founders Can't Afford to Wait
Before the checklist, let's establish why this matters beyond the theoretical fine risk.
Series A due diligence. Privacy compliance is now a standard item on the legal due diligence checklist for institutional investors. If you can't produce a privacy policy, a record of processing activities, and evidence that you have DPAs with your data processors, you will get questions you aren't prepared to answer. The deal doesn't die, but the process gets slower and more expensive.
Enterprise sales. B2B enterprise customers — especially any with EU operations — will send you a vendor security questionnaire before signing. These questionnaires now routinely include data protection sections: Do you have a privacy policy? Do you have a DPO? Do you have a data processing addendum you can sign? Founders who haven't done the work lose deals they'd otherwise win.
EU market access. If you're processing personal data of EU residents — even from the US — GDPR applies to you. The regulation doesn't require the business to be based in the EU. It requires the users to be in the EU. Any startup with EU users is subject to GDPR.
Acquisition diligence. When you eventually exit, the acquirer's legal team will review your data protection practices. Founders who built compliance in early have a clean story. Founders who didn't are left with liabilities to negotiate away — often at a direct discount to the purchase price.
Days 1–30: The Non-Negotiables
These are the things that create immediate legal exposure if you don't have them. Do these first.
1. Write a Real Privacy Policy
Not a template you copied from another site. A real one that describes what your specific product does with personal data.
Your privacy policy must cover: what personal data you collect and why, the legal basis for each type of processing, how long you retain data, which third parties receive the data, how users can exercise their rights, and who to contact with data protection queries.
The legal basis section is where most startup policies fail. "We process your data to provide our service" is not a legal basis. Under GDPR, your legal bases are: consent, contract, legitimate interests, legal obligation, vital interests, or public task. For a typical SaaS, most processing is on the basis of contract (to deliver the service) or legitimate interests (analytics, fraud prevention, marketing to existing customers). Map each processing activity to the right basis.
Publish it at /privacy-policy and link to it from your footer, signup forms, and anywhere you collect data.
2. Deploy a Cookie Consent Banner
If your site uses any cookies beyond strictly necessary ones — and if you use Google Analytics, Hotjar, Intercom, Facebook Pixel, or virtually any third-party tool, you do — you need a consent banner before those cookies fire.
This is not optional and is not a technicality. The ePrivacy Directive (which GDPR builds on) requires prior consent for non-essential cookies. "Prior" means before the cookies load, not after.
A compliant consent banner must: present a genuine choice (accept/reject, not just "OK"), not pre-tick optional cookie categories, not make rejecting harder than accepting, and record and store the consent decision.
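As an added example that is not part of the original post or Custodia's own code, here is a minimal consent gate in plain JavaScript that shows what "prior" consent means in practice: registered third-party tags stay unloaded until their category is granted, every category defaults to rejected (no pre-ticking, and rejecting is no harder than accepting), and the decision is stored with a timestamp. The tag names and the injected loader callback are illustrative assumptions.

```javascript
// Added example, not code from the original post or from Custodia: a minimal
// consent gate in plain JavaScript. Non-essential tags are registered with a
// category and are only loaded after a consent record grants that category,
// so nothing fires before the visitor decides. Tag names are illustrative.
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary needs no consent

// `loader` is injected so the logic runs outside a browser; in a real page it
// would append the vendor's <script> element for the tag.
function createConsentGate(loader) {
  const tags = [];   // registered third-party tags, each with a `fired` flag
  let record = null; // the stored consent decision, null until the user chooses

  return {
    // Register a tag. It never loads until its category has been granted.
    register(name, category) {
      if (!CATEGORIES.includes(category)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      tags.push({ name, category, fired: false });
    },

    // Record an explicit choice. Every category defaults to false, so there is
    // no pre-ticking, and "reject all" is simply decide({}) - no harder than
    // "accept all". Returns the names of tags loaded by this decision.
    decide(granted, now = Date.now()) {
      record = {
        timestamp: new Date(now).toISOString(),
        granted: Object.fromEntries(CATEGORIES.map((c) => [c, granted[c] === true])),
      };
      const fired = [];
      for (const tag of tags) {
        // A script already in the page cannot be unloaded by a later
        // withdrawal; stop sending data instead, and never re-fire a tag.
        if (!tag.fired && record.granted[tag.category]) {
          loader(tag);
          tag.fired = true;
          fired.push(tag.name);
        }
      }
      return fired;
    },

    // Serialise the decision for the consent log (cookie, localStorage or
    // your backend), so you can show when and what the visitor agreed to.
    getRecord() {
      return record ? JSON.stringify(record) : null;
    },
  };
}
```

In a real page the loader would insert the vendor script tag and the serialised record would be written to a first-party cookie or sent to your backend, so the consent log survives the session.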
Run a free scan at https://app.custodia-privacy.com/scan to see exactly which cookies your site is currently setting and whether your consent mechanism covers them.
3. Get Email Consent Right
If you're collecting email addresses to send newsletters, product updates, or marketing content, you need valid consent for that specific use.
A checkbox on your signup form that says "I agree to the Terms of Service" does not cover marketing emails. You need a separate, unchecked checkbox that specifically describes what you'll send.
The exception is transactional email — password resets, receipts, onboarding emails that are genuinely necessary to deliver the service. Those don't need a separate consent tick. Marketing content sent to people who signed up for the product does.
4. Sign DPAs with Your Data Processors
A data processing agreement (DPA) is a contract between you (the data controller) and any third party that processes personal data on your behalf (a data processor). Under GDPR Article 28, you are legally required to have these in place.
The good news: most major vendors make this easy. Go through your toolstack now and sign DPAs with:
- AWS / Google Cloud / Azure — your cloud provider. AWS's DPA is in their Service Terms. Google Cloud has one in the console. Azure has one in the portal.
- Stripe — handles payment data. Their DPA is in the Stripe Data Processing Addendum, available in your dashboard.
- Mailchimp / Brevo / ConvertKit — handles email subscriber data. Each has a DPA in their compliance section.
- Intercom / HubSpot / Zendesk — handles customer contact data and conversation history.
- Google Analytics / Mixpanel / PostHog — handles behavioural analytics data.
- Slack — if you use it to communicate about customer issues, it may contain personal data.
Go through your entire toolstack and sign every DPA available. Keep a record of which vendors you've signed with and when.
5. Add a Data Subject Rights Email
GDPR gives individuals rights: access, rectification, erasure, portability, objection. You must be able to receive and respond to these requests.
At minimum, publish a privacy@yourdomain.com email address in your privacy policy. Set up a simple inbox and assign someone to monitor it. GDPR gives you one month to respond to requests.
You don't need a sophisticated system at this stage. You need a working email address and a commitment to respond.
Days 31–60: Building the Infrastructure
With the non-negotiables in place, the second month is about building the infrastructure that lets you manage compliance at scale.
6. Map Your Data Flows
A data map (or Records of Processing Activities under Article 30) is a document that describes every category of personal data your startup processes, why you process it, where it's stored, who has access, and how long you keep it.
This sounds bureaucratic, but it's genuinely useful. Most founders who go through the exercise discover data they'd forgotten about — an old import file sitting in S3, a Zapier automation passing customer emails to a Google Sheet, a team member's personal Gmail being used for outbound.
Your data map should cover at minimum:
- Website visitors (analytics, cookies)
- Email subscribers (newsletter, onboarding sequences)
- Paying customers (account data, billing data)
- Trial users (product usage data)
- Any data you receive from third parties (integrations, referrals)
Maintain this as a living Google Sheet or Notion doc. Update it when you add new tools or start processing new types of data.
7. Set Up DSAR Intake
Data Subject Access Requests are requests from individuals to exercise their rights. When you have a small user base, they're rare. But when you have thousands of users, you'll get them regularly.
Set up a simple DSAR process now:
- A dedicated intake form or email address (privacy@yourdomain.com works)
- A template acknowledgement response (confirming receipt within 72 hours)
- A process for verifying the identity of the requester (so you don't send someone else's data)
- A process for extracting the data from your systems
For most early-stage startups, this can be a manual process. As you scale, you'll automate parts of it. But the habit of responding within 30 days needs to be established early.
8. Write a Breach Response Plan
A personal data breach that's likely to result in a risk to individuals must be reported to the relevant supervisory authority within 72 hours of discovery. Breaches that are high risk must also be communicated to the affected individuals without undue delay.
You need a written plan for what to do when (not if) a breach occurs. The plan should specify:
- Who is responsible for declaring a breach
- How to assess severity (risk to individuals)
- Who to notify internally
- The process for notifying the supervisory authority (for EU users, this is the lead DPA based on your EU establishment or the DPA in the member state where users are affected)
- What information to include in the notification
Keep this plan in a document that's accessible even if your main systems are down.
9. Train Your Team on Data Protection Basics
Every person in your company who handles personal data — which in an early-stage startup is probably everyone — needs to understand the basics of data protection.
This doesn't need to be a formal training programme. At this stage, it means:
- A short written guide covering what personal data is, why GDPR applies, what the company's obligations are, and what team members must do (and must not do) with customer data
- Clear rules about where customer data can and cannot be shared (no customer lists on personal Dropbox accounts, no PII in public Slack channels)
- An understanding of what to do if they receive a data subject request or discover a potential breach
Document that the training happened. This is part of your accountability record under GDPR.
Days 61–90: Maturing Your Programme
The final month is about reviewing, documenting, and building the governance habits that will serve you as you scale.
10. Conduct a DPIA If You Need One
A Data Protection Impact Assessment (DPIA) is a structured risk assessment for processing activities that are likely to result in high risk to individuals. Under GDPR Article 35, certain activities require a DPIA before you start the processing.
DPIA triggers include: large-scale processing of sensitive data, systematic profiling with legal or similarly significant effects, large-scale systematic monitoring of a publicly accessible area, and others specified in your lead DPA's guidance.
Most early-stage B2B SaaS products won't need a DPIA immediately. But if your product involves health data, financial data, location data, biometrics, or systematic behavioural profiling, you almost certainly need one.
If you're unsure, err on the side of doing a lightweight DPIA. It's a documentation exercise, not a legal requirement to get outside approval. The requirement is to assess the risks and demonstrate that you've addressed them.
11. Formalise Your Records of Processing Activities (ROPA)
Article 30 of GDPR requires controllers to maintain records of processing activities. Strictly speaking, there is an exemption for organisations with fewer than 250 employees, unless the processing is not occasional, relates to special category data, or could result in a risk to individuals.
Most startups don't technically need a full ROPA at first. But building one in months 2–3 means you're not scrambling to produce it when an enterprise prospect or due diligence lawyer asks for it.
Your ROPA should include: the name and contact details of the controller, the purposes of processing, a description of the categories of data subjects and personal data, categories of recipients, third country transfers and safeguards, retention periods, and general technical security measures.
Keep it in a format you can export and share — PDF or well-structured spreadsheet.
12. Assess Whether You Need a DPO
A Data Protection Officer (DPO) is required for certain types of organisations: public authorities, organisations whose core activities require large-scale systematic monitoring of individuals, and organisations whose core activities involve large-scale processing of special category data.
Most early-stage startups don't need a formal DPO. But you do need someone who is responsible for data protection. Designate a person — even if it's the founder — who owns privacy decisions, responds to data subject requests, liaises with supervisory authorities if needed, and maintains the compliance programme.
As you scale towards Series A, consider appointing a part-time external DPO or data protection advisor. They can review your programme, provide legal opinions on borderline processing decisions, and give you a named contact to put in your privacy policy.
13. Establish a Privacy Review Cadence
GDPR compliance is not a one-time project. It requires ongoing maintenance. Build a quarterly review into your company calendar:
- Review the data map for any new processing activities
- Check for new vendors that need DPAs
- Confirm that consent banners still cover all cookies (tools change, cookies get added)
- Review any DSARs received and ensure responses were timely
- Check that retention policies are being applied
- Update the privacy policy if anything has changed
This quarterly review takes two to three hours for an early-stage startup. The habits you build now determine whether you have a defensible compliance programme when you eventually need to demonstrate it.
The 90-Day Outcome
By the end of 90 days, you should have:
- A real privacy policy published and linked
- A compliant cookie consent banner deployed
- Email consent properly structured
- DPAs signed with all major data processors
- A data map covering your core processing activities
- A DSAR intake process and response templates
- A written breach response plan
- Basic team training documented
- A DPIA if your processing triggers one
- A Records of Processing Activities document
- A designated privacy owner
- A quarterly review cadence in the calendar
None of this requires a legal team. It requires a few focused days of work spread over three months. It's the kind of infrastructure that costs almost nothing to build early and a great deal to retrofit later.
Run a free scan of your website at https://app.custodia-privacy.com/scan to see what personal data your site is currently collecting and whether your consent mechanisms are correctly configured. It takes 60 seconds and gives you a concrete starting point for the work above.
This post provides general information about GDPR compliance for early-stage startups. It does not constitute legal advice. Your specific obligations depend on your business model, the types of data you process, and the jurisdictions in which you operate. Consult a qualified data protection lawyer for advice specific to your situation.