Eight Years In, Still Misunderstood
The General Data Protection Regulation has been enforceable since May 2018. In that time, European data protection authorities have issued over 2,000 fines totaling billions of euros. Meta, Amazon, TikTok, and Google have taken the headline-grabbing penalties, but small and mid-size companies have been fined too, often for basic failures like inadequate consent mechanisms, missing data processing agreements, or incomplete responses to data subject requests.
Despite eight years of enforcement, most SaaS companies still treat GDPR as a checkbox they half-completed in 2018 and haven’t revisited since. That’s a problem, because the regulation hasn’t stood still. Enforcement has intensified, guidance has evolved, and the Schrems II decision reshaped international data transfers in ways many companies still haven’t fully addressed.
Who GDPR Applies To
GDPR has two jurisdictional triggers:
Establishment. If your company has any establishment in the EU (an office, a subsidiary, even a single employee), GDPR applies to the processing carried out in the context of that establishment.
Targeting. If your company offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU, GDPR applies regardless of where your company is located.
That second trigger is what catches most US-based SaaS companies. If your product is available to EU users, if you have EU customers, or if your analytics track the behavior of people in the EU, you’re in scope. Having no EU office doesn’t exempt you.
The Core Principles
GDPR is built on seven principles that govern all processing of personal data:
Lawfulness, Fairness, and Transparency. You need a legal basis for every processing activity, you must process data fairly, and you must be transparent about what you’re doing with it.
Purpose Limitation. Personal data must be collected for specified, explicit, and legitimate purposes. You can’t collect data for one reason and then use it for something else without a compatible legal basis.
Data Minimization. Collect only what you need. If you don’t need someone’s date of birth to provide your service, don’t collect it.
Accuracy. Personal data must be accurate and kept up to date. You need processes for correcting or deleting inaccurate data.
Storage Limitation. Don’t keep personal data longer than necessary. Define retention periods and enforce them.
Integrity and Confidentiality. Implement appropriate security measures to protect personal data against unauthorized access, loss, or destruction.
Accountability. You must be able to demonstrate compliance with all of the above. Documentation isn’t optional.
Legal Bases for Processing
Unlike some privacy laws that rely primarily on opt-out mechanisms, GDPR requires an affirmative legal basis for every processing activity. The six legal bases are:
Consent. The individual has given clear, specific, informed consent. Consent must be freely given, and you must make it as easy to withdraw as it was to give.
Contract. Processing is necessary to perform a contract with the individual or to take steps at their request before entering a contract.
Legal Obligation. Processing is necessary to comply with a legal obligation.
Vital Interests. Processing is necessary to protect someone’s life. Rarely applicable for SaaS companies.
Public Interest. Processing is necessary for a task carried out in the public interest. Also rarely applicable.
Legitimate Interests. Processing is necessary for your legitimate interests or those of a third party, provided those interests aren’t overridden by the individual’s rights. This is the most flexible basis but requires a documented balancing test.
Most SaaS companies rely on a combination of contract (for providing the service), legitimate interests (for analytics, security, and product improvement), and consent (for marketing communications and cookies).
Data Subject Rights
GDPR gives individuals extensive rights over their personal data:
- Right of Access. Individuals can request a copy of all personal data you hold about them.
- Right to Rectification. Individuals can request correction of inaccurate data.
- Right to Erasure. The “right to be forgotten.” Individuals can request deletion in certain circumstances.
- Right to Restrict Processing. Individuals can request that you stop processing their data while a dispute is resolved.
- Right to Data Portability. Individuals can request their data in a structured, machine-readable format.
- Right to Object. Individuals can object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making. Individuals have the right not to be subject to decisions based solely on automated processing that significantly affect them.
You must respond to data subject requests within one month. You need documented processes for receiving, verifying, and fulfilling these requests across every system that holds personal data.
International Data Transfers
This is where many SaaS companies struggle most. GDPR restricts transfers of personal data outside the EU/EEA unless adequate protections are in place.
Adequacy Decisions. The European Commission has recognized certain countries as providing adequate protection. The EU-US Data Privacy Framework, adopted in July 2023, provides a mechanism for US companies that self-certify, though its long-term stability remains uncertain given the history of Safe Harbor and Privacy Shield being invalidated.
Standard Contractual Clauses (SCCs). The most common mechanism for transfers to countries without adequacy decisions. The current SCCs (adopted June 2021) require a Transfer Impact Assessment documenting the risks of the transfer and any supplementary measures you’ve implemented.
Binding Corporate Rules. An option for multinational companies transferring data within their corporate group. Complex to implement but durable once approved.
If you’re a US-based SaaS company processing EU personal data, you need a clear transfer mechanism in place and documentation to support it.
Controller vs. Processor Obligations
GDPR distinguishes between controllers (who determine the purposes and means of processing) and processors (who process data on behalf of controllers):
As a controller (for data about your own users, employees, and marketing contacts), you bear full responsibility for GDPR compliance: legal basis, transparency, data subject rights, data protection impact assessments, and breach notification to supervisory authorities.
As a processor (processing your customers’ data), you must process data only on the controller’s instructions, implement appropriate security measures, assist the controller with data subject requests and breach notification, maintain records of processing activities, and have a Data Processing Agreement (DPA) in place.
Most B2B SaaS companies are controllers for their own data and processors for their customers’ data. Your compliance program needs to address both roles.
Data Protection Officer
You must appoint a Data Protection Officer (DPO) if your core activities involve regular and systematic monitoring of individuals at large scale, or large-scale processing of special category data. Even if a DPO isn’t strictly required, many SaaS companies appoint one voluntarily as a point of accountability for their privacy program.
Breach Notification
GDPR requires notification of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk, you must also notify the affected individuals without undue delay.
Seventy-two hours is tight. You need an incident response process that can identify, assess, and report breaches within that window, which means deciding in advance who makes the notification call and what information the supervisory authority will need.
Building a Practical GDPR Program
1. Map Your Processing Activities
Document every processing activity involving personal data: what data, whose data, why, legal basis, retention period, who has access, and where it goes. This is your Record of Processing Activities (ROPA), and it’s a legal requirement.
2. Review Your Legal Bases
For each processing activity, confirm you have a valid legal basis. If you’re relying on consent, verify it meets GDPR’s high standard. If you’re relying on legitimate interests, document your balancing test.
3. Address International Transfers
Identify every transfer of personal data outside the EU/EEA. Implement appropriate transfer mechanisms and conduct Transfer Impact Assessments where required.
4. Operationalize Data Subject Rights
Build processes for handling access, deletion, correction, portability, and objection requests. Test them. Make sure you can actually find and act on data across all your systems within 30 days.
5. Update Your Contracts
Ensure your DPAs with customers and vendors include all GDPR-required provisions. Review them when the regulation or guidance changes.
6. Implement Privacy by Design
Integrate privacy considerations into your product development process. Conduct Data Protection Impact Assessments for high-risk processing activities before you launch them.
How GDPR Relates to Other Frameworks
CCPA/CPRA. Similar principles, different mechanics. GDPR is generally more prescriptive, particularly around legal bases and international transfers. A strong GDPR program provides a solid foundation for CCPA compliance, though you’ll need to address California-specific requirements separately.
ISO 27701. The privacy extension to ISO 27001 provides a management system that maps directly to GDPR requirements. If you’re ISO 27001 certified, adding 27701 is an efficient path to demonstrating GDPR compliance operationally.
SOC 2 Privacy Criteria. Including the Privacy Trust Services Criteria in your SOC 2 audit covers some GDPR-adjacent territory, but it’s not a substitute for a dedicated GDPR compliance program.
At Concerto, we help SaaS companies build privacy programs that satisfy GDPR and other privacy regulations without duplicating effort. Whether you need a gap assessment, a full GDPR compliance program, or help integrating privacy into your existing compliance framework, we can help. Schedule a consultation to get started.
